
Security Governance Organizational Structure Template

Introduction: How to Use This Template


A security governance organizational structure assigns and defines the roles and responsibilities of different
members in the organization regarding security. It helps provide a clear definition of responsibilities and corporate
interactions, and helps ensure owners are accountable.
To use this template, replace the text in dark grey with information customized to your organization. When
complete, delete all introductory or example text and convert all remaining text to black prior to distribution.
This document is intended for use as guidance and should be used in accordance with your enterprise's legal
and compliance environment.

Security Organization Reporting Structure


High maturity security organization reporting structure:
CISO reporting to the CEO directly

Chief Executive Officer
    Chief Information Security Officer
        Audit Committee (chaired by the Head of Audit)
        Information Security Manager
        Risk Committee (chaired by the Risk Manager)
    Chief Information Officer
        IT Department

Lower tier of the chart, shown as three columns of teams:
    Policy and Compliance; Security Operations; Risk & Resiliency Management
    Security Administration; Information Asset Owners
    Site Security Teams; Security Guards; Facilities Management

Info-Tech Research Group
Medium maturity security organization reporting structure:
CISO reporting to CIO

Chief Executive Officer
    Chief Information Officer
        Chief Information Security Officer
            Security Operations
                Prevention
                Detection
                Response and Recovery
            Security Administration
                Information Asset Owners
                Resiliency Management
                Risk Management
                Policy and Compliance
            Site Security Teams
                Security Guards
                Facilities Management
Low maturity security organization reporting structure:
Security Manager reporting to CIO

Chief Executive Officer
    Chief Information Officer
        Information Security Manager
            Security Operations
                Prevention
                Detection
                Response and Recovery
            Security Administration
Information Security Responsibilities


The RACI tool is used to identify and avoid confusion in roles and responsibilities during a project. The acronym
stands for:
Responsible - The person(s) who does the work to accomplish the activity; they have been tasked with
completing the activity, and/or getting a decision made.
Accountable - The person(s) who is accountable for the completion of the activity. Ideally, this is a single
person and is often an executive or program sponsor.
Consulted - The person(s) who provides information. This is usually several people, typically called
subject matter experts (SMEs).
Informed - The person(s) who is updated on progress. These are resources that are affected by the
outcome of the activities and need to be kept up-to-date.
Roles (table columns):
 1  Board/Chief Executive Officer
 2  VP, IT
 3  Information Owners (Business Directors/VP)
 4  Director, IT Central Services
 5  Director, Software Development and EA
 6  CISO
 7  Manager, Security & Compliance
 8  Director, Technical Services
 9  Director, HR
10  Director, Facility Management
11  All Employees & Contractors

Legend:
A  Accountable
R  Responsible
C  Consulted
I  Informed

Activity                                                   1  2  3  4  5  6  7  8  9  10 11

Context and Leadership
Establish security organizational structure                A  C  -  C  C  R  R  C  -  -  -
Establish and implement security charter (mandate)         I  C  I  C  C  A  R  C  -  -  -
Build and implement security awareness program             A  C  -  C  C  R  R  C  -  -  -

Evaluation and Direction
Establish and implement security policies                  I  I  I  R  R  A  R  C  R  I  I
Establish and implement risk management program            C  C  C  C  C  A  R  C  C  C  -
Build and implement information security strategy          C  C  C  C  C  A  R  C  C  C  -
Provide resources to support security initiatives          C  C  R  R  R  A  R  R  R  R  -

Compliance, Audit, and Review
Conduct security compliance management                     I  C  C  C  C  A  R  I  C  -  -
Commission and conduct independent audit                   I  I  R  R  R  A  R  I  R  -  -
Conduct internal security audit                            I  I  R  R  R  A  R  I  R  -  -
Conduct management review                                  R  R  R  R  R  A  R  R  -  -

Security Prevention
Conduct security operation management                      I  C  -  C  C  A  R  C  -  -  -
Design and implement identity and access management        I  I  C  R  C  A  R  I  I  I  I
Design and implement hardware asset management             I  I  C  R  C  A  R  I  I  I  I
Design and implement data and privacy security             I  I  C  R  C  A  R  I  I  I  I
Design and implement network security                      I  I  I  R  C  A  R  I  I  I  I
Design and implement endpoint security                     I  I  I  R  C  A  R  I  I  I  I
Design and implement malicious code management             -  I  -  R  C  A  R  -  -  -  -
Design and implement application security                  I  I  I  R  C  A  R  I  I  I  I
Design and implement vulnerability management              -  I  -  R  C  A  R  -  -  -  -
Design and implement cryptography management               -  -  -  I  R  A  R  I  I  I  I
Design and implement physical security                     I  I  I  R  C  A  R  I  I  I  I
Establish and implement HR security                        I  I  I  R  C  A  R  I  R  I  I
Design and implement configuration and change management   -  -  -  I  R  A  C  C  -  -  I
Vendor management                                          I  I  I  R  C  A  R  I  I  I  I
Design and implement cloud security                        I  I  C  C  C  A  R  C  I  I  I

Security Detection
Conduct security threat monitoring and detection           -  I  -  R  -  A  R  -  -  -  -
Design and conduct log and event management                -  I  -  R  -  A  R  -  -  -  -

Security Response & Recovery
Conduct incident response                                  I  I  I  R  I  A  R  I  I  I  I
Conduct security forensics                                 I  I  I  R  I  A  R  I  I  I  I
Conduct eDiscovery                                         I  I  I  R  I  A  R  I  I  I  I
Design and implement backup and recovery                   I  I  I  R  C  A  R  I  I  I  I
Design and implement InfoSec in BCM                        C  C  C  C  C  A  R  C  C  C  I

Measurement Program
Build and implement security measurement program           C  C  C  C  C  A  R  C  C  C  I
Continuous improvement                                     C  C  C  C  C  A  R  C  C  C  I

Here is a list of possible initiatives, tasks, or responsibilities to be included in your RACI chart:
Establish an appropriate senior security steering committee
Ensure that information security adequately supports and sustains business objectives
Submit new information security projects with significant impact to governing body
Develop and implement information security strategy and charter
Align information security objectives with business objectives
Promote a positive information security culture
Select appropriate performance metrics from a business perspective
Provide feedback on information security performance results to the governing body, including
performance of action previously identified by governing body and their impacts on the organization
Alert the governing body of new developments affecting information risks and information security
Advise the governing body of any matters that require its attention and, possibly, decision
Instruct relevant stakeholders on detailed actions to be taken in support of the governing body's directives
and decisions
Support the audit, reviews, or certifications commissioned by governing body
Develop and implement security policies
Review security policies
Establish risk management methodology and conduct security risk assessment and treatment
Design and implement security controls from process, people, and technology perspectives based on the
result of risk assessment
Conduct security threats and events monitoring
Conduct security configuration and maintenance
Conduct security incident response
Conduct security compliance management
Provide security services such as access provisioning and de-provisioning
Support internal and external audit
Support project from security perspective
Information security co-ordination, contact with authorities and special interest groups
Support BCM from security perspective
Promote security awareness campaign
Establish security metrics program and conduct the metrics monitoring and reporting
Conduct management review of security overall status
Ensure security is being continuously improved

Security Steering Committee
A security steering committee provides direction and guidance to the security program and its strategies. The
main benefit of a steering committee is that it solicits feedback from other parties or ensures there is a formalized
approval process, so that decisions are made in a timely manner. A collaborative approach must be taken for the
committee to work properly and generate the required outputs.
Security steering committees can have varying levels of maturity defined by who is on it and who they report to.
For example:
Low maturity would be only IT and security staff reporting to senior management.
Medium maturity would be IT and security staff plus other internal services (such as legal, audit,
compliance, or finance) reporting to senior management.
High maturity would be IT and security staff, other internal services, business unit/business group
leaders, and senior management.

Example Security Steering Committee:


The Board of Directors (the Board) is ultimately accountable for corporate governance as a whole. The
management and control of information security risks is an integral part of corporate governance. The Board
delegates accountability for security governance matters to the Security Steering Committee (SSC). The SSC is
comprised of senior leadership members including Legal, COO, CFO, HR, and CIO. The SSC is chaired jointly by
the CEO and the CISO. The SSC delegates responsibility for information security operations to the CISO and the
security program staff. The CISO and the security program staff are responsible for establishing an information
security framework to include policies and best practices.

The SSC demonstrates its commitment to information security by:


Determining the organization's risk appetite
Evaluating and approving the security charter and strategy
Allocating adequate investment and resources
Providing high-level oversight of security initiatives
Ensuring information security considerations take into account business initiatives
Prioritizing security initiatives as recommended by the CISO and the security program staff
Notifying the Board and external stakeholders of the current security posture
Communicating the importance of information security

Multiple Security Steering Committees


Consider having an executive security steering committee and a working security steering committee. The
executive or senior steering committee would be responsible for various high-level review and approval functions
with ultimate accountability, whereas the working steering committee would carry out the actual initiatives and
hold responsibility. Senior committee members can cycle through the working committee if the organizational
culture allows it.
Example:
The Board of Directors (the Board) is ultimately accountable for corporate governance as a whole. The
management and control of information security risks is an integral part of corporate governance. The Board
delegates accountability for security governance matters to the Senior Security Leadership Team (SSLT). The
SSLT is comprised of senior leadership members including Legal, COO, CFO, HR, and CIO. The SSLT delegates
responsibility for information security operations to the Working Security Steering Committee (WSSC). The WSSC
is responsible for establishing an information security framework to include policies and best practices.
The SSLT demonstrates its commitment to information security by:
Determining the organization's risk appetite

Evaluating and approving the security charter and strategy
Allocating adequate investment and resources
Providing high-level oversight of security initiatives
Ensuring information security considerations take into account business initiatives
Prioritizing security initiatives as recommended by the CISO and the security program
Notifying the Board and external stakeholders of the current security posture

The WSSC demonstrates its commitment to information security by:


Establishing and aligning the security charter, objectives, and strategy
Developing and maintaining security framework of policies and best practices
Integrating the information security program into organizational processes
Communicating the importance of information security
Achieving the information security program objectives
Effectively enforcing approved information security framework in a supported structure
Promoting continual improvement

Management Commitment to Information Security


Example:
The Board of Directors (the Board) is ultimately accountable for corporate governance as a whole. The
management and control of information security risks is an integral part of corporate governance. In practice,
however, the Board explicitly delegates executive responsibilities for most governance matters to the Executive
Directors (Security Governing Body), led by the Chief Executive Officer (CEO).
The Executive Directors give overall strategic direction by approving and mandating the information security
principles and axioms, but delegate operational responsibilities for information security to the Senior Security
Steering Committee (SSSC) chaired by the Chief Information Security Officer (CISO).
The Executive Directors depend heavily on the SSSC to coordinate activities throughout the organization,
ensuring that suitable policies are in place to support the organization's security principles and axioms. The
Executive Directors also rely on feedback from the SSSC, CISO, ISM, auditors, Risk Management, Compliance,
Legal, and other functions to ensure that the principles, axioms, and policies are being complied with in practice.
The Executive Directors (Governing Body) demonstrate their commitment to information security by:

Directing
Determine the organization's risk appetite
Approve security charter and strategy
Allocate adequate investment and resources

Evaluating
Business initiatives take into account information security considerations
Respond to and evaluate security monitoring results; prioritize and initiate actions

Monitoring
Assess the effectiveness of information security management activities
Ensure conformance with internal/external requirements
Consider the changing business, legal, and regulatory environment and their potential impact on
information risk

Communication

Recognize regulatory obligations, stakeholders' expectations, and business requirements with respect to
information security
Notify management of the results of any external reviews of security
Report to external stakeholders that the organization practices a level of information security
commensurate with the nature of its business

Assurance
Commission independent and objective opinions of how it is complying with its accountability for the
desired level of information security

_____________________________________________________

For acceptable use of this template, refer to Info-Tech's Terms of Use. These documents are intended to supply
general information only, not specific professional or personal advice, and are not intended to be used as a
substitute for any kind of professional advice. Use this document either in whole or in part as a basis and guide for
document creation. To customize this document with corporate marks and titles, simply replace the Info-Tech
information in the Header and Footer fields of this document.
