The information security department is responsible for writing policies, creating awareness training, tracking compliance, and generally leading the data security program at an organization. But in practice we are not the ones who do most of the actual work of security. The ground-level implementation of security cannot be the work of a handful of information security employees; it has to be carried out by every employee in their day-to-day tasks.
The information security team is responsible for creating the policies and standards. These form the framework on which the security program is built, and by basing them on a well-tested framework we can ensure that the organization's security requirements are adequately documented. The policies are critical, but they are only the skeleton. To flesh out the program we need the actual implementation, and that is where the rest of the staff comes in.