CISSP: Layers of Responsibility, Personnel Security
board of directors
|
group of individuals who are elected by the shareholders
of a corporation to oversee the fulfillment of the corporation’s charter |
|
chief executive officer (CEO)
|
has the day-to-day management responsibilities of an organization. This person is often the chairperson of the board of directors and is the highest-ranking
officer in the company. |
|
chief financial officer (CFO)
|
responsible for the corporation's accounting and
financial activities and the overall financial structure of the organization. |
|
chief information officer (CIO)
|
responsible for the strategic use and management of information systems and technology within the organization. |
|
chief privacy officer (CPO)
|
responsible for ensuring that customer, company, and employee data
are kept safe, which keeps the company out of criminal and civil courts and, hopefully, out of the headlines. |
|
chief security officer (CSO)
|
responsible for understanding the risks that the
company faces and for mitigating them to an acceptable level. Also responsible for understanding the organization's business drivers and for creating and maintaining a security program that supports those drivers while providing security, compliance with the long list of applicable regulations and laws, and satisfaction of customer expectations and contractual obligations. |
|
security steering committee
|
responsible for making decisions on tactical and
strategic security issues within the enterprise as a whole and should not be tied to one or more business units. The group should be made up of people from all over the organization so they can view risks and the effects of security decisions on individual departments and on the organization as a whole. |
|
audit committee
|
should be appointed by the board of directors to help it review and
evaluate the company’s internal operations, internal audit system, and the transparency and accuracy of financial reporting so the company’s investors, customers, and creditors have continued confidence in the organization. |
|
Data owner
|
Individual responsible for the protection and
classification of a specific data set. |
|
Data custodian
|
Individual responsible for implementing and
maintaining security controls to meet the security requirements outlined by the data owner. |
|
Separation of duties
|
Preventive administrative control used to ensure
one person cannot carry out a critical task alone. |
|
Collusion
|
Two or more people working together to carry out
fraudulent activities. |
|
Rotation of duties
|
Detective administrative control used to uncover
potential fraudulent activities by periodically moving people between job functions, so that no one holds a position long enough to conceal fraud. |
|
Mandatory vacation
|
Detective administrative control used to uncover
potential fraudulent activities by requiring a person to be away from the organization for a period of time. |
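Separation of duties is an administrative control, but it is usually backed by a technical one in the approval workflow: the system refuses an approval that would let one person complete a critical task alone, and an after-the-fact audit confirms the rule held. The following is an added example (not from the study notes or any CISSP reference) showing both sides for a hypothetical wire-transfer release that needs two distinct approvers, neither of whom may be the initiator. The log records, the task IDs and the actor names are all constructed; `REQUIRED_APPROVERS` and the two-step "initiate/approve" model are assumptions for the illustration.

```python
"""Separation-of-duties enforcement and audit for a two-person approval workflow.

Policy (assumed for this example): a critical task must be initiated by one
person and approved by REQUIRED_APPROVERS distinct people, none of whom is
the initiator. Collusion between approvers is out of scope here; this only
stops a single person from completing the task alone.
"""
from collections import defaultdict

REQUIRED_APPROVERS = 2  # assumption: two approvers besides the initiator


class ApprovalState:
    """Preventive enforcement: refuse any approval that would break the policy."""

    def __init__(self, required_approvers=REQUIRED_APPROVERS):
        self.required = required_approvers
        self.initiators = {}              # task_id -> actor who initiated it
        self.approvers = defaultdict(set)  # task_id -> set of distinct approvers

    def initiate(self, task_id, actor):
        self.initiators[task_id] = actor

    def approve(self, task_id, actor):
        """Record an approval; return False (recording nothing) if it is not allowed."""
        if task_id not in self.initiators:
            return False  # nothing to approve yet
        if actor == self.initiators[task_id]:
            return False  # the initiator may not approve their own task
        if actor in self.approvers[task_id]:
            return False  # one person cannot count as two approvers
        self.approvers[task_id].add(actor)
        return True

    def releasable(self, task_id):
        """True once enough distinct, non-initiator approvals are on record."""
        return len(self.approvers[task_id]) >= self.required


# Constructed audit log: (task_id, actor, action). Not real data.
SAMPLE_LOG = [
    ("T1", "alice", "initiate"),
    ("T1", "bob", "approve"),
    ("T1", "carol", "approve"),
    ("T2", "dave", "initiate"),
    ("T2", "dave", "approve"),   # self-approval: one person did both steps
    ("T2", "erin", "approve"),
    ("T3", "frank", "initiate"),
    ("T3", "grace", "approve"),
    ("T3", "grace", "approve"),  # same approver twice: only one distinct approver
]


def audit_separation_of_duties(log, required_approvers=REQUIRED_APPROVERS):
    """Detective check over a log: {task_id: [violation, ...]} for tasks that broke policy.

    An empty dict means every task in the log satisfied the policy.
    """
    initiators = {}
    approvers = defaultdict(set)
    for task_id, actor, action in log:
        if action == "initiate":
            initiators[task_id] = actor
        elif action == "approve":
            approvers[task_id].add(actor)

    violations = {}
    for task_id in sorted(set(initiators) | set(approvers)):
        problems = []
        initiator = initiators.get(task_id)
        if initiator is None:
            problems.append("approved without a recorded initiator")
        elif initiator in approvers[task_id]:
            problems.append(f"{initiator} both initiated and approved")
        distinct = approvers[task_id] - {initiator}
        if len(distinct) < required_approvers:
            problems.append(
                f"only {len(distinct)} distinct approver(s), need {required_approvers}"
            )
        if problems:
            violations[task_id] = problems
    return violations


if __name__ == "__main__":
    for task, problems in audit_separation_of_duties(SAMPLE_LOG).items():
        print(task, "->", "; ".join(problems))
```

The preventive gate and the audit enforce the same rule from two sides, which matters in practice: the gate stops the violation at the time, while the audit over the log catches cases where the gate was bypassed (a direct database edit, a second code path) and is what an internal audit would run. Neither detects collusion between two distinct approvers; that is why the notes pair separation of duties with rotation of duties and mandatory vacations.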