Talk:Industry:Project Review/NIST SP 800-37r1 FPD Appendix D

APPENDIX D

ROLES AND RESPONSIBILITIES

KEY PARTICIPANTS IN THE RISK MANAGEMENT PROCESS

D.1 HEAD OF AGENCY (CHIEF EXECUTIVE OFFICER)
[User: Ryan] Maybe I'm on an island with this comment; however, including Head of Agency (Chief Executive Officer) is wasted space. I realize gov't documents tend to live in a fantasy world, but in my experience (gov't and private) CEOs rarely have this level of knowledge/involvement...plausible deniability. I suggest this section would be more realistic under the CIO section or turned into a CSO category.

D.2 RISK EXECUTIVE (FUNCTION)
It seems that so far, no one role is specifically required or has the objective to define one or more organizational methods for risk calculation. From personal experience, it is too easy to ignore one risk set in deference to another because of professional unfamiliarity with the first. An objective risk calculation toolset defined by organizational management provides a framework for first identifying risk, then prioritizing the addressing of risks.

[User: Ryan] Minor suggestion: move the last bullet point re: shared responsibility up one (to keep shared responsibility bullets together).

[User: Ryan] The sheer size of some of these sentences is painful. Although correct...it inevitably forces me to re-read them several times.

D.3 CHIEF INFORMATION OFFICER
[User: Ryan] Minor suggestion: In the first bullet point replace "adequate" with "commensurate". So the bullet point would read -- An organization-wide information security program is effectively implemented resulting in commensurate security for all organizational information systems and environments of operation for those systems;

D.4 INFORMATION OWNER/STEWARD
[User: Ryan] Minor suggestion: In the second sentence, replace "use" with "access, distribution,". So the sentence would read -- In information-sharing environments, the information owner/steward is responsible for establishing the rules for appropriate access, distribution, and protection of the subject information (e.g., rules of behavior) and retains that responsibility even when the information is shared with or provided to other organizations.

D.6 AUTHORIZING OFFICIAL
[User: Ryan] Include the last sentence from Authorizing Official Designated Representative in this section.

D.7 AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE
[User: Ryan] I would delete this entire section. The only relatively useful byte of information is the last sentence...and that could easily be included in the Authorizing Official summary. If deleted, do a search to tweak all references.

D.9 INFORMATION SYSTEM OWNER
[User: Ryan] Excellent (and correct) usage of i.e. and e.g. -- HUGE PET PEEVE OF MINE!!!

i.e. = that is

e.g. = for example

[User: Ryan] Minor suggestion. Slight modification to the wording within the parenthesis. "...and ensures that system users and support personnel receive the requisite security training (e.g., instructions on rules of behavior)."

D.11 INFORMATION SECURITY ARCHITECT
Placing the Information Security Architect at the level of system-specific personnel, but ascribing to the position "requirements to protect the organization's core mission and business processes" is a grave mistake. This is confusing in that the System Owner and ISSO duties are specific to the level of the system with an eye toward the overall organization/agency/nation. This description needs to be re-addressed to better discuss the role at the system level.

[User: Ryan] I agree with the above statement.

[User: Ryan] Minor suggestion. In the last sentence change the last "and" to an "or". It should read -- "...related issues including, for example, establishing information system boundaries, assessing the severity of weaknesses and deficiencies in the information system, plans of action and milestones, risk mitigation approaches, security alerts, or potential adverse effects of identified vulnerabilities."