Who is responsible for the topic of information security?

The topic of information security is a shared responsibility of all employees and should therefore be part of the corporate culture. The following parties are primarily responsible for information security:

  • CEO & Board of Directors: They carry ultimate accountability for information security as part of the company's overall strategy.

  • CIO or CTO: As the managers responsible for infrastructure and IT systems, they are usually the ones the information security department reports to.

  • Chief Information Security Officer (CISO) / Information Security Officer (ISO): Responsible for implementing and monitoring information security measures and processes in the company. A CISO may also coordinate other ISOs and works closely with related functions such as risk management and data protection.

  • Asset owners: They are responsible for their assets. They carry out an analysis to identify protection needs, conduct the risk management process for their assets and perform the recurring tasks defined in policies, e.g. an annual authorisation certification (reviewing whether granted access rights are still required) as laid down in the identity and access management (IAM) policy.

  • All other employees: Every employee should be aware of information security. They should, for example, know and comply with the rules on permissible use of company resources, honour their confidentiality obligations and be able to apply the information classification scheme correctly.