Information Security Responsibilities
Information Security Committee
The Information Security Committee at Bloomex provides oversight and advice regarding information systems security and privacy assurance. The committee is composed of subject matter experts in information security and assurance, designated by the Vice President/Chief Information Officer (CIO) of the IT Division. The committee's responsibilities include:
- Developing, implementing, and maintaining a company-wide strategic information security plan.
- Establishing, enforcing, and maintaining security programs, guidelines, operating procedures, and technical standards.
- Handling requests for program exceptions, advising on risk issues, and recommending appropriate actions to support Bloomex’s overall risk management strategy.
- Ensuring compliance with relevant privacy, security, and administrative regulations, including those required by federal and local laws.
- Ensuring proper risk mitigation and control processes for security incidents.
Information Owners
Division Vice Presidents or their designees are considered the Owners of information used in their respective areas. Every type of system information must have an Owner, who is responsible for:
- Formulating job function profiles that determine access to Bloomex’s information.
- Approving access and control privileges based on job functions and ensuring proper use of company information.
- Selecting data retention periods and designating original data sources.
- Employing necessary controls to protect information, including additional validation checks or frequent backups.
- Defining acceptable quality limits for information, such as accuracy and timeliness.
- Approving new uses or substantial enhancements of application systems before they go live.
- Reviewing reports on system intrusions and other relevant events.
Owners must designate an alternative person to act on their behalf in their absence. Ownership responsibilities cannot be delegated to third-party organizations or individuals who are not full-time Bloomex employees.
Data Stewards (Application User Coordinators)
The immediate managers of employees, referred to as Data Stewards, are responsible for:
- Reviewing and correcting security reports on user access to Bloomex’s information.
- Authorizing new users and de-authorizing users whose job functions no longer require access.
- Supervising the use of information by department employees under their control.
- Promptly informing IT when an employee leaves Bloomex so that their system access can be revoked.
Data Custodians
Data Custodians are IT specialists such as database administrators, system administrators, and functional analysts who manage and protect information systems. Custodians are responsible for:
- Following instructions from Information Owners while serving authorized users.
- Defining technical options and systems architectures to meet Bloomex’s needs.
- Safeguarding information by implementing access control systems and developing contingency plans.
- Providing reports to Owners about information system operations and security issues.
Information Users
Information Users at Bloomex fall into two categories: General Users and Departmental Data Users (employees, contractors, and consultants with internal access). All Users are required to:
- Follow all security requirements established by Owners, implemented by Data Stewards and Custodians, and set by the IT Security Department.
- Complete information security awareness training.
- Request access through their immediate manager and report suspicious activity or security problems.
Enterprise IT Security Department
The Enterprise IT Security Department is the central point of contact for all information security matters at Bloomex. The department's responsibilities include:
- Administering access controls.
- Monitoring the security of information systems.
- Providing information security training and awareness programs.
- Reporting on the current state of information security at Bloomex through annual risk analysis and remediation reports.
- Assisting with emergency response procedures and disaster recovery.
- Organizing a computer incident response team to address security issues like virus infections, system breaches, and outages.