Defining Roles and Responsibilities
Clear roles and responsibilities are a critical success factor for any risk management program, because the process depends on cross-group interaction and on segregating responsibilities between the groups involved. The following table describes the primary roles and responsibilities used throughout the Microsoft security risk management process.
Table 3.3 Primary Roles and Responsibilities in the Microsoft Security Risk Management Process

| Title | Primary Responsibility |
| --- | --- |
| Executive Sponsor | Sponsors all activities associated with managing risk to the business, for example, development, funding, authority, and support for the Security Risk Management Team. This role is usually filled by an executive such as the chief security officer or chief information officer. This role also serves as the last escalation point to define acceptable risk to the business. |
| Business Owner | Is responsible for tangible and intangible assets to the business. Business owners are also accountable for prioritizing business assets and defining levels of impact to assets. Business owners are usually accountable for defining acceptable risk levels; however, the Executive Sponsor owns the final decision, incorporating feedback from the Information Security Group. |
| Information Security Group | Owns the larger risk management process, including the Assessing Risk and Measuring Program Effectiveness phases. Also defines functional security requirements and measures IT controls and the overall effectiveness of the security risk management program. |
| Information Technology Group | Includes IT architecture, engineering, and operations. |
| Security Risk Management Team | Responsible for driving the overall risk management program. Also responsible for the Assessing Risk phase and prioritizing risks to the business. At a minimum, the team is comprised of a facilitator and a note taker. |
| Risk Assessment Facilitator | As lead role on the Security Risk Management Team, conducts the data gathering discussions. This role may also lead the entire risk management process. |
| Risk Assessment Note Taker | Records detailed risk information during the data gathering discussions. |
| Mitigation Owners | Responsible for implementing and sustaining control solutions to manage risk to an acceptable level. Includes the IT Group and, in some cases, Business Owners. |
| Security Steering Committee | Comprised of the Security Risk Management Team, representatives from the IT Group, and specific Business Owners. The Executive Sponsor usually chairs this committee. Responsible for selecting mitigation strategies and defining acceptable risk for the business. |
| Stakeholder | General term referring to direct and indirect participants in a given process or program; used throughout the Microsoft security risk management process. Stakeholders may also include groups outside IT, for example, finance, public relations, and human resources. |
The Security Risk Management Team will encounter first-time participants in the risk management process who may not fully understand their roles. Always take the opportunity to provide an overview of the process and its participants. The objective is to build consensus and to highlight the fact that every participant has ownership in managing risk. The following diagram, which summarizes the key participants and shows their high-level relationships, can be helpful in communicating the previously defined roles and responsibilities and should provide an overview of the risk management program.
To summarize, the Executive Sponsor is ultimately accountable for defining acceptable risk and provides guidance to the Security Risk Management Team in terms of ranking risks to the business. The Security Risk Management Team is responsible for assessing risk and defining functional requirements to mitigate risk to an acceptable level. The Security Risk Management Team then collaborates with the IT groups that own mitigation selection, implementation, and operations. The final relationship defined below is the Security Risk Management Team's oversight of measuring control effectiveness. This usually occurs in the form of audit reports, which are also communicated to the Executive Sponsor.