
3 Roles and Responsibilities

  • 3.1 Risk Executive Function (Senior Management)
  • 3.2 Chief Executive Officer (CEO)
  • 3.3 Chief Information Officer (CIO)
  • 3.4 Information Owner/Steward
  • 3.5 Senior Agency Information Security Officer (SAISO)
  • 3.6 Authorizing Official (AO)
  • 3.7 Authorizing Official Designated Representative
  • 3.8 Senior Agency Official for Privacy (SAOP)
  • 3.9 Common Control Provider
  • 3.10 System Owner
  • 3.11 System Security Officer (SSO)
  • 3.12 Information Security Architect
  • 3.13 System Security Engineer (SSE)
  • 3.14 Security Control Assessor
  • 3.15 System Administrator
  • 3.16 User
  • 3.17 Supporting Roles

This chapter outlines specific organizational roles and their respective responsibilities. Clearly defined roles and responsibilities help the organization and its employees work more efficiently by designating who is responsible for performing certain tasks. In a large organization, this helps ensure that no task is overlooked. In a small, less structured organization, the workload can be distributed more evenly, as an employee may be required to take on more than one role.

The list provided below is not intended to be a comprehensive list of all the possible roles within an organization. Each organization may define its own specific roles or use a different naming convention based on its mission or organizational structure; however, the basic functions remain the same. For a more detailed description of the responsibilities assigned to each role, see Appendix D in NIST SP 800-37.

3.1 Risk Executive Function (Senior Management)

The Risk Executive Function is an individual or group (e.g., board members, CEO, CIO) within an organization responsible for ensuring that: (i) risk-related considerations for individual systems are viewed from an organization-wide perspective, taking into consideration the overall strategic goals of the organization in carrying out its core missions and business functions, and (ii) the management of system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other types of risks in order to ensure mission/business success.

Responsibilities include, but are not limited to:

  • Defining a holistic approach to addressing risk across the entire organization;
  • Developing an organizational risk management strategy;
  • Supporting information-sharing amongst authorizing officials and other senior leaders within the organization; and
  • Overseeing risk management related activities across the organization.

3.2 Chief Executive Officer (CEO)

The Chief Executive Officer is the highest-level senior official or executive in an organization, with the overall responsibility to provide information security protections commensurate with the risk and magnitude of harm (i.e., impact) to organizational operations, organizational assets, individuals, other organizations, and the Nation that may result from unauthorized access, use, disclosure, disruption, modification, or destruction of: (i) information collected or maintained by or on behalf of the organization; and (ii) systems used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency.

Responsibilities include, but are not limited to:

  • Ensuring the integration of information security management processes with strategic and operational planning processes;
  • Making sure that the information and systems used to support organizational operations have proper information security safeguards; and
  • Confirming that trained personnel are complying with related information security legislation, policies, directives, instructions, standards, and guidelines.

3.3 Chief Information Officer (CIO)

The Chief Information Officer is an organizational official responsible for: (i) designating a senior agency information security officer; (ii) developing and maintaining security policies, procedures, and control techniques to address all applicable requirements; (iii) overseeing personnel with significant responsibilities for information security and ensuring that personnel are adequately trained; (iv) assisting senior organizational officials with their security responsibilities; and (v) in coordination with other senior officials, reporting annually on the overall effectiveness of the organization’s information security program, including progress of remedial actions.

Responsibilities include, but are not limited to:

  • Allocating resources dedicated to the protection of the systems supporting the organization’s mission and business functions;
  • Ensuring that systems are protected by approved security plans and are authorized to operate; and
  • Making sure that there is an organization-wide information security program that is being effectively implemented.

3.4 Information Owner/Steward

The Information Owner/Steward is an organizational official with statutory, management, or operational authority for specified information who is responsible for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal.

Responsibilities include, but are not limited to:

  • Establishing the rules for the appropriate use and protection of the subject information; and
  • Providing input to system owners regarding the security requirements and security controls needed to adequately protect the subject information.

3.5 Senior Agency Information Security Officer (SAISO)

The Senior Agency Information Security Officer is an organizational official responsible for: (i) carrying out the chief information officer security responsibilities under FISMA; and (ii) serving as the primary liaison between the chief information officer and the organization’s authorizing officials, system owners, common control providers, and system security officers. In some organizations, this role might also be known as the Chief Information Security Officer (CISO).

Responsibilities include, but are not limited to:

  • Managing and implementing an organization-wide information security program; and
  • Assuming the role of authorizing official designated representative or security control assessor when needed.

3.6 Authorizing Official (AO)

The Authorizing Official is a senior official or executive with the authority to formally assume responsibility for operating a system at an acceptable level of risk to organizational operations and assets, individuals, and other organizations.

Responsibilities include, but are not limited to:

  • Approving security plans, memorandums of agreement or understanding, plans of action and milestones, as well as determining whether significant changes in the system or environments of operation require reauthorization; and
  • Ensuring that authorizing official designated representatives carry out all activities and functions associated with security authorization.

3.7 Authorizing Official Designated Representative

The Authorizing Official Designated Representative is an organizational official who acts on behalf of an authorizing official to coordinate and conduct the required day-to-day activities associated with the security authorization process. The designated representative carries out the functions of the AO as delegated, but cannot accept risk for the system; the authorization decision, and the acceptance of risk it represents, remains with the AO.

Responsibilities include, but are not limited to:

  • Carrying out the duties of the Authorizing Official as assigned;
  • Making decisions with regard to planning and resourcing of the security authorization process, approval of the security plan, approving and monitoring the implementation of plans of action and milestones, and the assessment and/or determination of risk; and
  • Preparing the final authorization package, obtaining the authorizing official’s signature on the authorization decision document, and transmitting the authorization package to appropriate organizational officials.

3.8 Senior Agency Official for Privacy (SAOP)

The Senior Agency Official for Privacy is a senior organizational official who has the overall responsibility and accountability for ensuring the agency’s implementation of information privacy protections, including the agency’s full compliance with federal laws, regulations, and policies relating to information privacy, such as the Privacy Act.

Responsibilities include, but are not limited to:

  • Overseeing, coordinating, and facilitating the agency’s privacy compliance efforts;
  • Reviewing the agency’s information privacy procedures to ensure that they are comprehensive and up-to-date; and
  • Ensuring that the agency’s employees and contractors receive appropriate training and education regarding the information privacy laws, regulations, policies, and procedures governing the agency’s handling of personal information.

3.9 Common Control Provider

The Common Control Provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls that are inherited by systems rather than implemented by each system individually).

Responsibilities include, but are not limited to:

  • Documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization); and
  • Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization.

3.10 System Owner

The System Owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of a system.

Responsibilities include, but are not limited to:

  • Addressing the operational interests of the user community (i.e., users who require access to the system to satisfy mission, business, or operational requirements);
  • Ensuring compliance with information security requirements; and
  • Developing and maintaining the system security plan and ensuring that the system is deployed and operated in accordance with the agreed-upon security controls.

3.11 System Security Officer (SSO)

The System Security Officer is responsible for ensuring that an appropriate operational security posture is maintained for a system and as such, works in close collaboration with the system owner.

Responsibilities include, but are not limited to:

  • Overseeing the day-to-day security operations of a system; and
  • Assisting in the development of the security policies and procedures and ensuring compliance with those policies and procedures.

3.12 Information Security Architect

The Information Security Architect is an individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution models, and the resulting systems supporting those missions and business processes.

Responsibilities include, but are not limited to:

  • Serving as the liaison between the enterprise architect and the information security engineer; and
  • Coordinating with system owners, common control providers, and system security officers on the allocation of security controls as system-specific, hybrid, or common controls.

3.13 System Security Engineer (SSE)

The System Security Engineer is an individual, group, or organization responsible for conducting system security engineering activities.

Responsibilities include, but are not limited to:

  • Designing and developing organizational systems or upgrading legacy systems; and
  • Coordinating security-related activities with information security architects, senior agency information security officers, system owners, common control providers, and system security officers.

3.14 Security Control Assessor

The Security Control Assessor is an individual, group, or organization responsible for conducting a comprehensive assessment of the managerial, operational, and technical security controls and control enhancements employed within or inherited by a system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system).

Responsibilities include, but are not limited to:

  • Providing an assessment to identify weaknesses or deficiencies in the system and its environment of operation;
  • Recommending corrective actions to address identified vulnerabilities; and
  • Preparing a security assessment report containing the results and findings from the assessment.

3.15 System Administrator

The System Administrator is an individual, group, or organization responsible for setting up and maintaining a system or specific components of a system.

Responsibilities include, but are not limited to:

  • Installing, configuring, and updating hardware and software;
  • Establishing and managing user accounts;
  • Overseeing backup and recovery tasks; and
  • Implementing technical security controls.

3.16 User

The User is an individual, group, or organization granted access to organizational information in order to perform assigned duties.

Responsibilities include, but are not limited to:

  • Adhering to policies that govern acceptable use of organizational systems;
  • Using the organization-provided IT resources for defined purposes only; and
  • Reporting anomalies or suspicious system behavior.

3.17 Supporting Roles

  • Auditor. Auditors are responsible for examining systems to determine: (i) whether the system is meeting stated security requirements and organization policies; and (ii) whether security controls are appropriate. Informal audits can be performed by those operating the system under review or by impartial third-party auditors.
  • Physical Security Staff. The physical security office is responsible for developing and enforcing appropriate physical security controls, often in consultation with information security management, program and functional managers, and others. Physical security addresses central system installations, backup facilities, and office environments. In the government, this office is often responsible for processing personnel background checks and security clearances.
  • Disaster Recovery/Contingency Planning Staff. Some organizations have a separate disaster recovery/contingency planning staff. In such cases, the staff is typically responsible for contingency planning for the entire organization and works with program and functional managers/application owners, the information security staff, and others to obtain additional contingency planning support, as needed.
  • Quality Assurance Staff. Many organizations have established a quality assurance program to improve the products and services they provide to their customers. The quality assurance staff should have a working knowledge of information security and how it can be used to enhance the quality of the program (e.g., ensuring the integrity of computer-based information, the availability of services, and the confidentiality of customer information).
  • Procurement Office Staff. The procurement (or acquisitions) office is responsible for ensuring that organizational procurements have been reviewed by appropriate officials. While the procurement office staff lacks the technical expertise to guarantee that goods and services meet information security expectations, it should nevertheless be knowledgeable of information security standards and should bring potential information security issues to the attention of those requesting such technology.
  • Training Office Staff. The organization determines whether the primary responsibility for training users, operators, and managers in information security rests with the training office or the information security program office. In either case, the two organizations should work together to develop an effective training program.
  • Human Resources. The Human Resource office is often the first point-of-contact for managers who require assistance in determining whether or not a security background investigation is necessary for a particular position. The human resources and security offices generally work closely on issues involving background investigations. The human resources office may also be responsible for security-related exit procedures when employees leave an organization.
  • Risk Management/Planning Staff. Some organizations employ a full-time staff devoted to analyzing all manner of risks to which the organization may be exposed. Although this office normally focuses on organizational risk issues, it should also consider information security-related risks. Risk analyses for specific systems are not typically performed by this office.
  • Physical Plant Staff. This office is responsible for ensuring the provision of the services necessary for the safe and secure operation of an organization’s systems (e.g., electrical power and environmental controls). The office is often augmented by separate medical, fire, hazardous waste, or life safety personnel.
  • Privacy Office Staff. This office is responsible for maintaining a comprehensive privacy program that ensures compliance with applicable privacy requirements, develops and evaluates privacy policy, and manages privacy risks. This office includes the Senior Agency Official for Privacy (see Section 3.8), privacy compliance and risk assessment specialists, legal specialists, and other professionals focused on managing privacy risks, particularly, with respect to this publication, those that may arise from information security measures.