# Organizational Roles and Responsibilities

* ***Security role***
  * Part an individual plays in the overall scheme of security implementation and administration within an organization

## Security Roles

* ***Senior Manager***
  * Assigned to the person who is ultimately responsible for the security maintained by an organization
  * Most concerned about the protection of its assets
  * Must sign off on all policy issues
  * They will be the ones held liable for the overall success or failure of a security solution
  * Responsible for exercising due care and due diligence in establishing security for an organization
  * They rarely implement security solutions
* ***Security Professional***
  * Assigned to a trained and experienced network, systems and security engineer
  * Responsible for following the directives mandated by senior management
  * Holds functional responsibility for security, which includes writing and implementing the security policy
  * They do not make policy decisions; that is the job of the senior manager, whose decisions they carry out
* ***Data Owner***
  * Assigned to the person who is responsible for classifying information so it is placed and protected appropriately within the security solution
  * Often a high-level manager who is ultimately responsible for the protection of that data
  * Typically delegates the day-to-day protection tasks to a data custodian
* ***Data Custodian***
  * Assigned to the user who is responsible for implementing the protection prescribed by the security policy and senior management (in practice, the tasks delegated by the data owner)
  * Performs all activities needed to maintain the confidentiality, integrity and availability (CIA triad) of the data
    * Performing and testing backups
    * Validating data integrity
    * Deploying security solutions
    * Managing data storage based on classification
* ***User***
  * Any person who has access to the secured system
  * Access is limited so they have only the access needed to perform the tasks required by their job position, following the principle of least privilege (PoLP)
  * Responsible for understanding and upholding the security policy of an organization
* ***Auditor***
  * Responsible for reviewing and verifying that the security policy is properly implemented and that the security solutions derived from it are adequate
  * Should be independent of the people who implement and operate those solutions
  * Produces compliance and effectiveness reports that are reviewed by the senior manager
