3.1.4 Cyber Security Roles and Responsibilities

No: 381000091275

Date(g): 24/5/2017 | Date(h): 28/8/1438

Status: In-Force

Principle

Responsibilities to implement, maintain, support and promote cyber security should be defined throughout the Member Organization. Additionally, all parties involved in cyber security should understand and take their role and responsibilities.

Objective

To ensure that relevant stakeholders are aware of the responsibilities with regard to cyber security and apply cyber security controls throughout the Member Organization.

Control considerations

1.	The Board of Directors has the ultimate responsibility for cyber security, including:
	a.	ensuring that sufficient budget for cyber security is allocated;
	b.	approving the cyber security committee charter;
	c.	endorsing (after being approved by the cyber security committee):
		1.	the cyber security governance;
		2.	the cyber security strategy;
		3.	the cyber security policy.
2.	The cyber security committee should be responsible for:
	a.	monitoring, reviewing and communicating the Member Organization's cyber security risk appetite periodically or upon a material change in the risk appetite;
	b.	reviewing the cyber security strategy to ensure that it supports the Member Organization objectives;
	c.	approving, communicating, supporting and monitoring:
		1.	the cyber security governance;
		2.	the cyber security strategy;
		3.	the cyber security policy;
		4.	cyber security programs (e.g., awareness program, data classification program, data privacy, data leakage prevention, key cyber security improvements);
		5.	cyber security risk management process;
		6.	the key risk indicators (KRIs) and key performance indicators (KPIs) for cyber security.
3.	The senior management should be responsible for:
	a.	ensuring that standards, processes and procedures reflect security requirements (if applicable);
	b.	ensuring that individuals accept and comply with the cyber security policy, supporting standards and procedures when they are issued and updated;
	c.	ensuring that cyber security responsibilities are incorporated in the job descriptions of key positions and cyber security staff.
4.	The CISO should be responsible for:
	a.	developing and maintaining:
		1.	cyber security strategy;
		2.	cyber security policy;
		3.	cyber security architecture;
		4.	cyber security risk management process;
	b.	ensuring that detailed security standards and procedures are established, approved and implemented;
	c.	delivering risk-based cyber security solutions that address people, process and technology;
	d.	developing the cyber security staff to deliver cyber security solutions in a business context;
	e.	the cyber security activities across the Member Organization, including:
		1.	monitoring of the cyber security activities (SOC monitoring);
		2.	monitoring of compliance with cyber security regulations, policies, standards and procedures;
		3.	overseeing the investigation of cyber security incidents;
		4.	gathering and analyzing threat intelligence from internal and external sources;
		5.	performing cyber security reviews;
	f.	conducting cyber security risk assessments on the Members Organization's information assets;
	g.	proactively supporting other functions on cyber security, including:
		1.	performing information and system classifications;
		2.	determining cyber security requirements for important projects;
		3.	performing cyber security reviews.
	h.	defining and conducting the cyber security awareness programs;
	i.	measuring and reporting the KRIs and KPIs on:
		1.	cyber security strategy;
		2.	cyber security policy compliance;
		3.	cyber security standards and procedures;
		4.	cyber security programs (e.g., awareness program, data classification program, key cyber security improvements).
5.	The internal audit function should be responsible for:
	a.	performing cyber security audits.
6.	All Member Organization's staff should be responsible for:
	a.	complying with cyber security policy, standards and procedures.

Soft Launch