ABSTRACT

In a holistic view, information security is a triad of people, process, and technology. Appropriate technology must be combined with management support, understood requirements, clear policies, trained and aware users, and plans and processes for its use. This chapter focuses on the roles and responsibilities involved in performing the job of information security. It introduces the functional components of information security from a role-and-responsibility perspective, along with several related IT and business roles. Information security is much more than a specialized function; it is everyone’s responsibility in any organization. In an era of budget pressure on the information security function, the educated and committed end user is a force multiplier for defense in depth. In his essay “Zen and Information Security,” John Weaver recommends turning people into security assets rather than liabilities. Information security functions fall into five main categories: policy/strategy/governance; engineering; disaster recovery/business continuity; crisis management and incident response/investigation; and administrative/operational.