Posted by: Robert Davis
Accountability, Acquire and Implement, Adaptive Systems, Asset Management, Assurance Services, Availability Management, COBIT, COBIT Domains, Control Environment, Control Objectives, Control Objectives for Information and related Technology, Deliver and Support, Due Diligence, Fiduciary Responsibility, Framework, Information Assets Protection, Information Security Governance, Information Security Management, ISG, Key Performance Indicators, Monitor and Evaluate, Performance Measurement, Plan and Organize, Risk Management, Strategic Alignment, Value Delivery
Assigning roles and responsibilities for providing adequate information assets protection (IAP) is typically considered critical to effective and efficient IT security. However, depending on the entity, IAP management roles and responsibilities may focus solely on IT security, or on both IT and business security. Roles and responsibilities define relationships among individuals within the entity and have a major impact on achieving control objectives. IAP management responsibilities commonly include:
- Planning – The security manager should assist in setting objectives and in establishing specific, achievable operational goals to accomplish those objectives (Action Plan). Furthermore, management should evaluate the operational goals selected (Goal Achievement Indicators) and the techniques considered necessary to achieve them (Performance Achievement Indicators).
- Organizing – The security manager should acquire and manage resources that reflect the entity’s control environment. Integrating the available resources requires knowledge of the entity’s organizational structures, strategies, systems, skills, personnel, super-ordinate goals and styles.
- Coordinating – Human resources are normally required to achieve the personnel goals and objectives that enable expected job performance. However, the best planning, organizing, directing and controlling will avail nothing unless capable and sufficient personnel are assigned to tasks through the security manager’s active participation in employment practices.
- Directing – A security manager’s responsibility is to be proactive, not simply reactive, regarding information security. Additionally, a security manager should create and maintain communications and sustain the momentum of assigned personnel toward achieving defined goals within the entity’s control environment.
- Controlling – Normally, the security manager is responsible for establishing security controls, measurement systems and performance appraisals. The security manager’s options for where to place control emphasis range from dynamically redirecting resources to fine-tuning organizational processes.