11 Definition of information security-related roles and responsibilities is typically achieved through a combination of role statements, policy statements, reporting lines and charters of governing bodies. Common governing bodies and individuals with decision-making, approval, oversight, operations and other information security roles and responsibilities typically include:
    11a information security steering/oversight committee;
    11b risk management committee (Board and management levels);
    11c Board audit committee;
    11d executive management/executive management committee;
    11e chief information officer (CIO)/IT manager;
    11f chief information security officer (CISO)/IT security manager;
    11g information security operations/administration;
    11h management (business and IT).
12 Information security roles and responsibilities are typically spread across separate business areas, within the IT function itself, and in third parties and related parties. This can result in issues such as a lack of ownership, unclear accountabilities, ineffective oversight and fragmentation of information security practices. APRA-regulated entities could address these issues by maintaining a clear delineation between the responsibilities of each area and implementing compensating measures. Compensating measures could include establishing a virtual security group made up of the individuals who hold information security roles and responsibilities across those areas.