3- Security Roles
Specific roles and responsibilities for information security should be defined in an organization’s security policy.
Security roles include:
1- Job descriptions
2- Individual positions
3- Third-party contracts and other cases.
These roles and responsibilities should apply to employees, consultants and contractors, and they should apply to all levels of staff.
4- Control Tools
Organizations adopt a control framework to aid in their legal and regulatory compliance efforts. Some examples of relevant security frameworks include:
5- Due Care
Due care provides a standard for determining negligence. In the world of information security, due care relates to the steps that individuals or organizations take to perform their duties and implement security best practices.
If an organization fails to follow a standard of due care in the protection of its assets, the organization may be held culpably negligent. In such cases the organization’s insurance company may be required to pay only a portion of any loss.
6- Due Diligence
Due diligence is the execution of due care. In the context of information security, due diligence commonly refers to risk identification and risk management practices.
The concepts of due care and due diligence are related but distinctly different. For example, in practice, due care is turning on logging; due diligence is regularly reviewing the logs.