Defining Management Responsibilities
Managers of all departments need to be involved with ensuring their teams are performing their assigned operational duties in accordance with security program control requirements. Managers often lead by example. If a manager “colors outside the lines,” it is a safe bet that their team will eventually do the same. A single security resource, or even a complete security team, cannot monitor all activities of everyone in the organization. Managers must play a critical role in supporting the overall success of the security program by ensuring their teams adhere to the control requirements that have been defined for your organization.
Managers should be responsible and held accountable for ensuring their teams perform assigned functions within their areas of responsibility in accordance with applicable security controls. Additionally, security risks and control requirements should be actively discussed at business unit meetings. Managers should ensure their teams have a clear understanding of how to identify and escalate potential security issues to appropriate security personnel within the organization.
Consider establishing a Security Committee comprised of members from different departments across your organization. Having a cross-functional group of stakeholders participate in recurring committee meetings is a great way to keep managers involved, informed, and supportive of the overall security program.
Management should require all personnel to apply security controls and best practices in accordance with the established policies and procedures. When it comes to supporting your organization’s security program, manager responsibilities should include ensuring that personnel within their area of responsibility:
- Are properly briefed on their security roles and responsibilities before being granted access to information systems and other assets
- Are provided with security expectations of their role within the organization
- Achieve an appropriate level of awareness of security that is relevant to their roles and responsibilities
- Acknowledge and comply with security policies and procedures
- Acknowledge and comply with the terms and conditions of employment
Access agreements for personnel should be developed and documented. Managers should ensure that their teams’ physical and logical access agreements are reviewed and updated regularly (e.g., at least annually). Managers of personnel with privileged access may be required to perform more frequent reviews.
Managers within the security department should be responsible for ensuring your organization has a personnel development and improvement program in place to maintain personnel knowledge, competence, and effectiveness. This helps to ensure everyone supporting the security program stays current on the organization’s latest security trends, threats, tools, and security capabilities.