Define the Information Assurance strategic roles and responsibilities.

Establish Roles


This Control directly supports the implied Control(s):
  • Leadership and high level objectives, CC ID: 00597

This Control has the following implementation support Control(s):
  • Establish and maintain a compliance oversight committee., CC ID: 00765
  • Define and assign the Chief Executive's Information Assurance roles and responsibilities., CC ID: 06089
  • Define and assign the Chief Financial Officer's Information Assurance roles and responsibilities., CC ID: 06090
  • Define and assign the Chief of Risk's Information Assurance roles and responsibilities., CC ID: 06092


  • The computerization committee should provide information to top management to help them make strategic decisions. This is a control item that constitutes a relatively small risk to financial information. This is a company-level IT control. (App 2-1 Item Number I.2.1(5), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Management has ultimate responsibility for assessing internal controls and must assume responsibility for the planning, performing, and results of the assessment. (Practice Standard § II.3(1)[1], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • A director must not be a member of more than 10 committees or the chairman of more than 5 committees. (§ I(C)(ii), Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • The positions of Chairman and Chief Executive Officer (CEO) should not be held by the same person. The responsibilities of each of those positions should be agreed upon by the Board of Directors and clearly stated. If the individuals filling the positions of Chairman and CEO are related, the organiz… (¶ 3.1, ¶ 3.2, CODE OF CORPORATE GOVERNANCE 2005)
  • An APRA-regulated entity must clearly define the information security-related roles and responsibilities of the Board, senior management, governing bodies and individuals with responsibility for decision-making, approval, oversight, operations and other information security functions. (14., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • An APRA-regulated entity's information security policy framework must provide direction on the responsibilities of all parties who have an obligation to maintain information security. (19., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • Recordkeeping roles and responsibilities ought to be assigned. Roles may be assigned to individuals or to work groups. This section does not specifically state what roles to assign but indicates that the organization should determine roles based on its recordkeeping needs. (§ F.4.2, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • The auditing and assurance standards board is required to formulate standards and guidance. (Sched 1 ¶ 18, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • a policy that defines the roles and responsibilities for managing the integrity of the data in the ICT systems (e.g. data architect, data officers, data custodians, data owners/stewards) and provides guidance on which data are critical from a data integrity perspective and should be subject to speci… (Title 3 3.3.4(d) 57.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Member States must designate one or more competent authorities to carry out the tasks of the 8th Company Law Directive. (Art 35, EU 8th Directive (European SOX))
  • When creating the IS organization the creators should assign tasks and areas of responsibilities to the roles. (3.4 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • The managing director is responsible for managing the organization's day-to-day operations and reports to the Board of Directors. The managing director is not permitted to chair the Board and is the only member of senior management that may be a member of the Board of Directors. The managing directo… (¶ I.2.2, ¶ III.3.2.3, ¶ III.4.1.2, ¶ III.4.2.2, ¶ III.4.3.3, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • Non-executive directors should monitor performance reporting, determine remuneration levels for executive directors, ensure risk management systems are robust, and ensure management meets the objectives and goals of the organization. The non-executive directors should meet without the chairperson at… (§ A.1, § A.1.3, § A.6.1, § A.7.2, Sched B, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
  • The security manager looks after the security management process. They fulfill demands based on the SLA and handle specific security incidents but generally security managers do not implement new security measures. Any work the security manager does is written up in a report which they keep handy in… (§ 5.2.5, OGC ITIL: Security Management)
  • Senior management must notify the Board of Directors of any exceptions or material changes to policies that might impact the risk rating system. Senior management should be responsible for approving any differences between established procedures and actual practices. (¶ 438, ¶ 439, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • Board members and key executives of the organization should be required to disclose any interest in any transaction that affects the organization. (§ III.C, OECD Principles of Corporate Governance, 2004)
  • Establish an IT architecture board to provide architecture guidelines and advice on their application, and to verify compliance. This entity should direct IT architecture design, ensuring that it enables the business strategy and considers regulatory compliance and continuity requirements. This is r… (PO3.5 IT Architecture Board, CobiT, Version 4.1)
  • The legal counsel may be a member of the organization or an external legal adviser. The legal counsel's role involves understanding and dealing with liabilities due to information disclosures and providing guidance to manage the related risks; ensuring the compliance of financial reports and present… (§ 7.2.6, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Executive and line management shall take formal action to support Information Security by clear documented direction, commitment, explicit assignment and verification of assignment execution. (IS-02, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • § 5.1.1 Organizational roles, accountabilities and responsibilities. security responsibilities. Management should be responsible for all aspects of security management including risk-management decision-making. Several factors, such as the nature, form of incorporation, size and structure of an org… (§ 5.1.1, § 5.1.2, § 5.1.4, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Personnel. An organization should implement safeguards to reduce the security risks resulting from errors or intentional or unintentional breaking of security rules by personnel (permanent or contracted). Safeguards in this area are listed below. 1. Safeguards for Permanent and Temporary Staff. All e… (¶ 8.1.4(1), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 13.2 Secure Service Management should be implemented for network security. ¶ 13.2.1 Introduction to Secure Service Management. A key security requirement for any network is that it is supported by secure service management activities, which will initiate and control the implementation, and opera… (¶ 13.2, ¶ 13.2.1, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Records management responsibilities should be defined and assigned. Everyone in the organization should be made aware of these roles and who has them. (§ 6.3, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • The records management responsibilities of senior management, records management, business unit managers, and employees with records related duties should be clearly defined and assigned. (§ 2.3.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Representatives from different parts of the organization should be involved in the coordination of information security. Representatives should include managers, users, administrators, designers, auditors, security personnel, legal personnel, and human resources personnel. (§ 6.1.2, ISO 27002 Code of practice for information security management, 2005)
  • Each individual in the organization has responsibility for enterprise risk management. Personnel should support the risk philosophy of the organization and effectively manage the enterprise risk management components. (Ch 12, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The designated approving authority must document and certify that the system is not able to connect to the Non-classified (but Sensitive) Internet Protocol Routing Network; ensure it complies with the Security Technical Implementation Guides; document any coordination; and document the plan for migr… (§ 3.4.4 ¶ AC34.190, DISA Access Control STIG, Version 2, Release 3)
  • The Information Assurance Manager must be a member of the Configuration Control Board. (DCCB-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Management should promote a culture that takes a data-centric approach for AIO functions and define responsibility and controls as part of data governance and data management processes. (III.A Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Delineation of clear lines of responsibility and communication of accountability for information security. (App A Objective 2.5.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Organizational charts that include reporting relationships between business units and control functions (e.g., enterprise risk management, ITRM, and internal audit). (App A Objective 1:3 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Organizations that issue public stock are required by the Sarbanes-Oxley Act of 2002 to appoint outside directors as audit committee members. All audit committee members must be on the Board of Directors and be independent (not compensated or affiliated with the organization). If the organization ha… (Pg 4, Exam Tier I Obj 3.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • Review the IT management organizational structure to determine if the Board established: ▪ A defined and functioning role for either the CIO/CTO; ▪ Integration of business line manager(s) into the IT oversight process; and ▪ Involvement of front line management in the IT oversight process. (Exam Obj 4.4, FFIEC IT Examination Handbook - Management)
  • States that for security to be effective, individual roles, responsibilities and authority should be clearly communicated and understood by all. (Pg 274, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • § 4.1.5 Bullet 2: Create a policy that establishes roles and responsibilities. § 4.10.2 Bullet 1: Assign roles and responsibilities for measures and activities necessary to correct deficiencies and ensure that proper access is allowed. (§ 4.1.5 Bullet 2, § 4.10.2 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Information Security roles & responsibilities are coordinated and aligned with internal roles and external partners. (ID.GV-2, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Managers must work to understand their organization's goals and how the systems within the organization support or hinder those goals. Ultimately, this understanding is to be used to create high quality security that can be defined in terms of the organization's goals. (§ 2.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The information security officer's duties include: developing the system security plan in coordination with information owners and other relevant parties; maintaining the system security plan and ensuring that the system is deployed and operated according to the agreed-upon security requirements; ensu… (§ 1.7 thru § 1.9, Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1)
  • Directors and advisors to the organization must have a fiduciary responsibility not to reveal any confidential information to personnel not authorized to receive it. (§ 202.02(B), NYSE Listed Company Manual)