Security is everyone’s responsibility –this is true, however who is ultimately responsible for security within the organization? Defining roles and responsibilities regarding information security ensures that at all levels within the organization (which should encompass internal positions, vendors, and contractors), staff are familiar with their security responsibilities, and this should also be defined in job descriptions. Roles and responsibilities can be defined based on a responsibility assignment matrix (RACI), outlining who is responsible, who is accountable, and who should be consulted or informed regarding security matters.
Note: while there may be many people responsible for security, and many people to be consulted and/or informed, only one person should be accountable.
At a hygiene level, roles and responsibilities should be defined and communicated. The roles and responsibilities (which could be a RACI) matrix should identify who occupies the roles.
BC Government Roles and Responsibilities
Roles and Responsibilities Template (see how to use the template below)