NIH | National Cancer Institute | NCI Wiki  

The role descriptions below, which can be used to identify appropriate staff to fulfill key roles, are based on definitions found in National Institute of Standards and Technology (NIST) Publication 800-37 Rev.1, Guide for Applying the Risk Management Framework to Federal Information Systems.

Information Owner (also known as the Business Owner)

The information owner, or business owner as he or she is sometimes called, is a federal official with the statutory, management, or operational authority to safeguard specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal. A single information system may contain information from multiple information or business owners, who provide input to IT-system owners regarding security requirements and controls. The role of Information Owner/Business Owner is an inherently governmental one.

System Owner

The System Owner is an official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of an information system. System owners are also responsible for addressing the operational interests of the user community and for ensuring compliance with security requirements.

Information System Security Officer (ISSO)

The ISSO is the individual responsible for ensuring that the appropriate operational security posture is maintained for an information system and works in close collaboration with the IS owner. Security posture refers to the presence of effective security controls, including technical, operational, and managerial controls, that together ensure the system and its information are adequately protected against threats. The ISSO also serves as a principal advisor on matters involving security.

Security Control Assessor (SCA)

The SCA is an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls inside an information system to determine the overall effectiveness of the controls. SCAs can also assess severe weaknesses or deficiencies in the IS and its operational environment. They usually recommend ways to fix these problems.

...

  • preserving the unbiased nature of the assessment process
  • determining the credibility of security-assessment results
  • ensuring that authorizing officials receive the most objective information possible

Authorizing Official (AO)

An AO is a senior federal official with the authority to assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, or the country. AOs oversee budgets for information systems, and they may be responsible for the mission or business operations supported by a system. They are also accountable for the security risks associated with information-system operations. AOs have primary responsibility for ensuring that adequate resources (e.g., funding and staffing) are made available to address POA&M items. The role of AO is an inherently governmental one.