Security Roles and Responsibilities

Last updated on February 8, 2024

Information Owners  

  • Information Owners have the responsibility and decision-making authority for information throughout its life-cycle, including creating, classifying, restricting, regulating and administering its use or disclosure. This includes responsibility for the physical assets that store, process, or transmit the information they own;
  • Determine business requirements including information security needs;
  • Ensure Security Threat and Risk Assessments are performed regularly to identify and minimize the risks to the information, information systems, and the physical assets;
  • Ensure information, information systems, and the IT assets they use and/or reside on, are protected commensurate with their information classification and value;
  • Define security requirements during the planning stage of any new or significantly changed information system;
  • Determine authorization requirements for access to information and information systems;
  • Approve and regularly review access privileges for each employee or set of employees;
  • Document information exchange agreements;
  • Develop service level agreements for information systems under their custody or control;
  • Implement processes to ensure employees are aware of their security responsibilities;
  • Monitor that employees are fulfilling their security responsibilities;
  • Be involved with security reviews and/or audits; and,
  • Follow the Information Incident Management Process for all suspected or actual information incidents.

Information Custodians

  • Information Custodians maintain or administer information resources on behalf of the Information Owner;  
  • Providing and managing security for the information asset and the hardware it resides on, throughout the lifecycle of the information asset and the physical asset;
  • Maintaining, operating, and inventorying the technical infrastructure that information and information systems reside on;
  • Maintaining and operating the security infrastructure protecting information and information systems;
  • Ensuring that the identified security controls are implemented throughout the supply chain;
  • Identifying and minimizing risks to information and information systems by regularly assessing physical infrastructure security control effectiveness and threats to the information, information systems, and the physical IT assets they reside on; and,
  • Following the Information Incident Management Process for all suspected or actual information incidents, including the loss or theft of hardware assets containing information.

Chief Information Officer (Corporate)

The CIO develops, proposes, and maintains corporate-wide IM/IT policy, procedures, and standards, and evaluates compliance. Areas associated with this authority include data access, electronic identity management, records management, asset inventory management, information management, information technology, privacy, security applications, and systems of the organization.

Governance and Policy:

  1. Policies, Procedures, and Standards
    • Proposes corporate IM/IT architecture and related policy, procedures, and standards to protect and manage information assets and physical IT assets;
    • Ensures the privacy and security of the organization through policies, procedures and standards;
    • Ensures information systems are designed to be interoperable, secure, and able to authenticate and authorize appropriate access;
    • Ensures business areas procure information and technology goods and services compatible with the organization infrastructure and IM/IT procurement policies and IT Asset Management Security Standards;
    • Clarifies the interpretation of corporate IM/IT policies, procedures, and standards.
  2. Compliance Monitoring
    • Develops mechanisms and processes to ensure compliance with corporate IM/IT policies, procedures and standards;
    • Proposes corporate IM/IT performance metrics that enable business area compliance;
    • Informs business areas of their responsibilities in complying with corporate IM/IT policies, procedures and standards;
    • Recommends and reviews audits in coordination with other central authorities to ensure compliance with corporate IM/IT policies, procedures and standards;
    • Accesses audit report data to identify information management practices, and information system infrastructure and applications.

Security:

  • Provides the overall strategic direction and policy for securing the organization’s information technology infrastructure and records including electronic information and physical assets;
  • Ensures that measures are established to assess compliance with IM/IT security policies, procedures and standards;
  • Provides strategic direction for information management/information technology (IM/IT) and electronic service delivery, and for the development and maintenance of related corporate IM/IT policies, standards and architectures;
  • Coordinates, investigates and resolves information incidents; and,
  • Leads investigations into actual or suspected information or information technology incidents.

Chief Information Officer (Local)

  • Governance Authority
    • Maintains accountability for all business and operational IM/IT initiatives;
    • Maintains accountability for IM, budgets, records management, forms management, IT asset inventory management, privacy, security, e-services, business architecture, applications, information management, IM/IT strategic planning and IT;
    • Manages information and technology, and all related support activities;
    • Ensures that the delegated responsibility for information and technology is carried out fully;
    • Develops an IM/IT workforce strategy to support business transformation, information protection, business continuity and succession planning in consultation with HR.
  • Policies and Standards
    • Reinforces IM/IT core policies and standards from a risk management perspective;
  • Compliance Monitoring
    • Ensures compliance with the IM/IT core policies and standards;
  • Advice
    • Ensures that information technology plans address human resource requirements in terms of job design, training and working environment;

Security:

  • Protects information holdings in all physical, electronic, and digital formats commensurate with its value and sensitivity at all stages in the life cycle of the asset to preserve the confidentiality, integrity, availability, intended use and value of all records;
  • Identifies and categorizes information and physical assets based on the degree of risk and potential impact (none, low, medium, high);

Also:

  • Being the single point of contact for information incidents;
  • Being a member of cross-organization IM/IT forums;
  • Ensuring that the Information Incident Management Process is followed for all actual or suspected information incidents;
  • Ensuring information security reviews and audits are supported by business areas; 
  • Ensuring asset inventories and inventory reviews are implemented by business areas;
  • Ensuring that the business area risks do not increase corporate risk.

Chief Information Security Officer (CISO)

  • Establishing an Information Security Program to manage and co-ordinate information security activities across the organization;
  • Providing leadership on methodologies and processes for information security;
  • Establishing a cross organization information security forum;
  • Identifying security controls required to enable service delivery and documenting those controls in the Information Security Policy, standards and guidelines;
  • Providing security-related technical architecture advice to planning and development groups;
  • Promoting information security education, training and awareness throughout the organization;
  • Identifying significant threats and exposures associated with the security of information and physical assets; 
  • Ensuring the Information Incident Management Process is followed for all suspected or actual information incidents including the loss of physical IT assets;
  • Evaluating information received during and after an information security incident;
  • Implementing performance measurement processes for security controls;
  • Ensuring information security activities are in compliance with the Information Security Policy;
  • Identifying responses to remediate activities that are not in compliance with policies, standards or best practices;
  • Co-ordinating the implementation of information security controls;
  • Recommending appropriate actions in response to identified information security incidents and initiating audits where necessary; and,
  • Building relationships with stakeholder and partner organizations including suppliers and other peers to assist in maintaining the Information Security Program.

The Information Security Program provides the security foundation necessary to protect information assets by:

  • Establishing an information security architecture for standard security controls across the organization;
  • Defining organizational roles and responsibilities for information security;
  • Developing and reviewing the Information Security Policy;
  • Monitoring and measuring the implementation of the Information Security Policy; and,
  • Developing and delivering a program to maintain information security awareness.

Information Security Officer

  • Knowing the Information Security Policy requirements and communicating them within their business areas;
  • Assisting business areas to understand and be in compliance with the Information Security Policy;
  • Ensuring that standards/procedures to support day-to-day security activities are documented in compliance with the Information Security Policy;
  • Co-ordinating information security awareness and education activities and resources;
  • Providing up-to-date information on issues related to information security;
  • Assisting business areas in conducting Security Threat and Risk Assessments;
  • Ensuring that each information system has a current System Security Plan;
  • Providing advice on security requirements for information systems development or enhancements;
  • Co-ordinating information security initiatives with cross-organization information security initiatives;
  • Providing advice on emerging information security standards relating to business area specific lines of business; and,
  • Raising security issues to the cross-organization information security forum.

Executive / Director / Manager / Supervisor

  • Expected to promote information security initiatives within their business areas and support the information security activities of the Information Security Program published by the Chief Information Officer;
  • Ensuring terms and conditions of employment are agreed to by employees prior to employment or provision of services, including signing the Oath of Employment and reading the Appropriate Use Policy and the Standards of Conduct;
  • Knowing and communicating information security policies and standards to employees;
  • Ensuring that employees are informed of their responsibilities regarding information security and privacy;
  • Ensuring that employees receive the necessary training on information security and have opportunities to participate in security awareness activities;
  • Ensuring that employee access to organization information resources is based on need-to-know and least privilege principles;
  • Reviewing employee access rights to information resources:
    • on a regular basis for all employees;
    • whenever there is a new employee;
    • whenever there is a change in employee roles and responsibilities.

Employee

  • All users of the organization’s information and information technology resources must take responsibility for, and accept the duty to, actively protect them;
  • Read about the appropriate use of corporate information and information technology resources as published in the Appropriate Use Policy;
  • Knowing, understanding, and complying with information security policies and standards;
  • Seeking guidance from their supervisors or Information Security Officers regarding questions on information security policies or other security concerns;
  • All actual or suspected information incidents must be reported immediately using the Information Incident Management Process.

Contractors

  • Contractors must adhere to the information security terms as defined by contract.

Vendors

The following responsibilities come from the security controls in supplier agreements concerning supply chain security:

  • Understand information security requirements that apply to information systems and information technology product or service acquisitions;
  • Required to apply organization security requirements throughout their supply chain if the services are further subcontracted as a whole or in part;
  • Required to apply appropriate security practices throughout the supply chain for products that include components purchased from other suppliers;
  • Implement a monitoring process and acceptable methods for validating that delivered information and communication technology products and services are adhering to stated security requirements;
  • Implement a process for identifying product or service components that are critical for maintaining functionality and therefore require increased attention and scrutiny when built outside of the organization especially if the top tier supplier outsources aspects of product or service components to other suppliers;
  • Ensure that critical components and their origin can be traced throughout the supply chain;
  • Ensure that the delivered information and communication technology products are functioning as expected without any unexpected or unwanted features;
  • Adhere to the rules for sharing of information regarding the supply chain and any potential issues and compromises among the organization and suppliers; 
  • Implement specific processes for managing information and communication technology component life-cycle and availability and associated security risks. This includes managing the risks of components no longer being available due to suppliers no longer being in business or suppliers no longer providing these components due to technology advancements;
  • Software vendors and service providers must provide current data flow and network communication diagrams for critical systems and maintain the diagrams to reflect system changes;
  • Vendors or service providers that provide IT assets for ministry use must maintain an inventory of the devices they provide.