Assigning roles and responsibilities for providing adequate IAP is generally considered critical to effective and efficient IT security. Depending on the entity, however, IAP management roles and responsibilities may focus solely on IT security or on both IT and business security. Roles and responsibilities define the relationships among individuals within the entity and have a major impact on whether control objectives are achieved. IAP management responsibilities commonly include:
- Planning – The security manager should assist in setting objectives and in establishing specific, achievable operational goals to accomplish those objectives (the Action Plan). Management should then evaluate both the operational goals selected (Goal Achievement Indicators) and the techniques considered necessary to reach them (Performance Achievement Indicators), so that progress toward each objective can be measured rather than assumed.
- Organizing – The security manager should acquire and manage resources that reflect the entity’s control environment. Integrating the available resources requires knowledge of the entity’s organizational structure, strategy, systems, skills, personnel, superordinate goals and management style.
- Coordinating – Qualified personnel are required to achieve the goals and objectives that define expected job performance. Even the best planning, organizing, directing and controlling will avail nothing unless capable and sufficient personnel are assigned to tasks, which is why the security manager should participate actively in the entity’s employment practices.
- Directing – The security manager is responsible for being proactive, not merely reactive, regarding information security. The security manager should also create and maintain communication channels and sustain the momentum of assigned personnel toward the achievement of defined goals within the entity’s control environment.
- Controlling – The security manager is normally responsible for establishing security controls, measurement systems and performance appraisals. The security manager’s options for where to place control emphasis range from dynamically redirecting resources to fine-tuning organizational processes.