ISMS - Roles and responsibilities

In accordance with the Personal Data Act, the CEO of Conexus is responsible for the use and processing of personal data in Conexus.

The processing of personal data in Conexus is a line management responsibility. Product Owners and System Owners are given a special responsibility for specific applications, and Key Business Process Owners for the key business processes.

The CEO has delegated to the CISO the tasks of keeping the ISMS operational and up to date and of assisting the security organisation in continuously improving it.

Conexus' security organization consists of various roles described below. The security organization shall ensure that Conexus safeguards the security of information, personal data or sensitive personal data in all administration of, processing of and access to such data.

The assignment for the roles is based on Norwegian legislation, and Conexus' own interest in safeguarding Conexus' business, our values, our reputation and our obligations in accordance with privacy legislation, contracts and the like.

The term "security officer" may be used for any of the following roles / individuals.

Role descriptions/responsibilities

Managers


The processing of personal data in Conexus is a line responsibility.

Managers are responsible for all information [1], processes and systems within their area of responsibility. Tasks may be delegated to:

  • Product or System Owners for their product or system

  • Key Business Process Owners for the key business processes (KBPs)

[1] This includes unstructured information in Office 365 (documents, email, Teams, SharePoint etc.), in file shares, in cloud services, in Confluence department areas, on social media (SOME), on the homepages, and so forth.


Chief Information Security Officer (CISO)

Has overall responsibility for the operation of the ISMS.

Performs the periodic tasks needed to maintain the Information Security Management System and documents them in the controlling documents.

  • Leads the development, documentation and maintenance of the information security guidelines (ISMS), procedures and standards across departments.

  • Identifies, develops, implements and maintains security-related processes that reduce the organization's operational risk.

  • Develops and implements security-related guidelines.

  • Checks compliance with regulations.

  • Protects the privacy of employees and customers.

  • Leads the company's response team during information security incidents.

  • Supervises access control.

  • Develops and controls the organization's security architecture.

  • Prepares disaster recovery (DR) and business continuity plans.

  • Develops access policies for corporate systems.

  • Develops security awareness by leading the development of briefings and training programs.

  • Routinely monitors and evaluates all information security procedures and guidelines, and ensures uniform internal controls across departments.

  • Follows changes in local, regional and national regulations, as well as accreditation standards that affect information security, and provides recommendations to the Privacy Ombudsman and other managers on the need for changes to guidelines.

Information Security Architect (ISA)

The Information Security Architect has the following main responsibilities:

  • Architect for the security strategy for applications

  • Architect for the security strategy for the cloud-based web platform

  • Works with development and operations teams to implement security strategies

  • Works with development and operations groups on tactical security solutions when needed

  • Provides guidance as a security consultant when new technology is implemented

  • Responsible for security checks performed by third parties

  • Conducts risk analyses to identify potential security issues

  • Tracks security findings and progress on their remediation

  • Stays up to date on the latest developments in both security and hacking

  • Determines security requirements by evaluating business strategies and requirements, reviewing information security standards, conducting analyses and risk assessments of system security and vulnerabilities, studying the architecture / platform, identifying integration issues and preparing cost estimates.

  • Designs security systems by evaluating network and security technologies; develops requirements for local area networks (LANs), WANs, virtual private networks (VPNs), routers, firewalls and related security and networking devices; designs public key infrastructure (PKI), including the use of certificate authorities (CAs) and digital signatures, as well as the related hardware and software; and ensures that industry standards are followed.

  • Implements security systems by specifying methodology and equipment for intrusion detection, determining installation and calibration of equipment and software, preparing preventive and reactive measures, storing, transferring and maintaining keys, providing technical user support and completing documentation.

  • Verifies security systems by developing and implementing test scripts.

  • Maintains security by monitoring and ensuring that standards, guidelines and procedures are followed, conducting incident response analyses, and developing and implementing training programs.

  • Upgrades security systems by monitoring the security environment, identifying security holes and evaluating and implementing improvements.

  • Prepares system security reports by collecting, analyzing and summarizing data and trends.

  • Keeps job knowledge current by tracking and understanding new security practices and standards, attending courses, reading industry literature, maintaining personal networks and participating in professional organizations.

  • Improves the reputation of the department and the organization by taking ownership of new and different requests, and explores opportunities to add value to work performance.

  • Is responsible for operational security when necessary.

  • Develops guidelines that encourage safe work routines and protect data, in order to minimize risks.

Information Security Manager (ISM)

Assessment

The Information Security Manager assesses the organization's security measures, such as firewalls, antivirus software and passwords, to identify weaknesses that could leave information systems vulnerable to attack.

May perform simulated attacks to test the effectiveness of security measures.

Prioritizes security coverage to ensure that strategically important data, such as commercial information or personal information, has the best possible level of security.

Guidelines

Grants employees and managers different levels of access to the company's data based on roles and work tasks, according to corporate policies.

Also trains employees, explains security risks and demonstrates best practices, such as using strong passwords and protecting data when using mobile devices outside the office.

Monitoring

Develops procedures and automated processes to monitor the status of computers and networks. If the monitoring system detects abnormal behavior patterns, responds quickly to find the cause and eliminate any threats.

Analyzes reports generated by the monitoring system to identify trends that may indicate a future risk.

Meets system security objectives by contributing information and recommendations to strategic plans and reviews; preparing and completing action plans; implementing standards for production, productivity, quality and customer service; conducting audits; identifying trends; determining system improvements; and implementing changes.

Meets the financial requirements for system security by forecasting requirements, preparing an annual budget, planning expenses, analyzing deviations and initiating corrective measures.

Protects computer assets by developing security strategies and leading the development of system controls and access management, monitoring, control and evaluation.

Conducts emergency preparedness tests.

Leads the preparation and maintenance of disaster recovery plans for information systems and business continuity plans. These must include deployment and maintenance of workstation and server backup systems.

Advises the CISO by identifying critical security issues and recommending solutions to reduce risks.

Provides oversight of, and takes ownership of, intrusion detection and response.

Data Protection Officer (DPO)

The tasks of the DPO are defined in GDPR Article 39: https://gdpr-info.eu/art-39-gdpr/