Handbook of Information Security Management: Policy, Standards, and Organization



Information custodian — The information custodian, usually an information systems person, is the delegate of the Information Owner, with primary responsibility for backup and recovery of the business information. Responsibilities include the following:

  Perform backups according to the backup requirements established by the Information Owner.
  When necessary, restore lost or corrupted information from backup media to return the application to production status.
  Perform related tape and DASD management functions as required to ensure availability of the information to the business.
  Ensure record retention requirements are met based on the Information Owner’s analysis.

Application owner — Manager of the business unit who is fully accountable for the performance of the business function served by the application. Responsibilities include the following:

  Establish user access criteria and availability requirements for their applications.
  Ensure the security controls associated with the application are commensurate with the highest level of information classification used by the application.
  Perform or delegate the following:
    Day-to-day security administration.
    Approval of exception access requests.
    Appropriate actions on security violations when notified by security administration.
    Review and approval of all changes to the application before they are placed into the production environment.
    Verification that user access rights to the application are current.

User manager — The immediate manager or supervisor of an employee. User managers have ultimate responsibility for all user IDs and information assets owned by company employees. In the case of nonemployees such as contractors and consultants, this manager is responsible for the activity of these individuals and for the company assets they use; this is usually the manager responsible for hiring the outside party. Responsibilities include the following:

  Inform security administration of the termination of any employee so that the user ID owned by that individual can be revoked, suspended, or made inaccessible in a timely manner.
  Inform security administration of the transfer of any employee if the transfer involves the change of access rights or privileges.
  Report any security incident or suspected incident to Information Security.
  Ensure the currency of user ID information such as the employee identification number and account information of the user ID owner.
  Receive and distribute initial passwords for newly created user IDs, based on the manager’s discretionary approval of the user’s need for the user ID.
  Educate employees with regard to security policies, procedures, and standards to which they are accountable.

Security administrator — Any company employee who owns a user ID that has been assigned attributes or privileges associated with access control systems such as ACF2, Top Secret, or RACF. This user ID allows them to set system-wide security controls or to administer user IDs and information resource access rights. Security administrators may report either to a business division or to Information Security within Information Systems. Responsibilities include the following:

  Understanding the different data environments and the impact of granting access to them.
  Ensuring access requests are consistent with the data security directions and security guidelines.
  Administering access rights according to criteria established by the Information Owners.
  Creating and removing user IDs as directed by the User Manager.
  Administering the system within the scope of their job description and functional responsibilities.
  Distributing and following up on security violation reports.
  Sending passwords of newly created user IDs to the manager of the user ID owner only.

Security analyst — Person responsible for determining the data security directions (strategies, procedures, guidelines) to ensure information is controlled and secured based on its value, risk of loss or compromise, and ease of recoverability. Duties include the following:

  Provide data security guidelines to the information management process.
  Develop a basic understanding of the information to ensure proper controls are implemented.
  Provide data security design input, consulting and review.

Change control analyst — Person responsible for analyzing requested changes to the I/T infrastructure and determining their impact on applications. This function also analyzes the impact on databases, data-related tools, application code, etc.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.