Senior Management has the right and responsibility:
- To be informed about security risks to the organization’s critical assets, their potential business impacts, and to be timely informed about changes to the security risk picture.
- To be informed about the organization’s security risk mitigation options including their costs and business impacts.
- To set or approve the organization’s security objectives, priorities and strategies.
- To approve or amend security high-level policies and planning.
- To approve or amend large-scale security programs and projects.
- To provide visible support for the approved security objectives, strategies and policies, and their related security initiatives.
- To be accurately informed about the current state and rationale of corporate asset protection and legal and regulatory compliance.
- To keep ownership accurately informed about the current state and rationale of corporate asset protection, and legal and regulatory compliance.
- To be accurately informed about current and projected security costs.
- To be timely informed about security incidents, their actual and potential business impacts, and the organizational response actions planned and under way.
- To establish a Chief Security Officer or other senior security executive position to lead and manage the organization’s security functions. (In a small organization this responsibility may be assigned to an executive or manager with other non-security responsibilities.)
- To see that security is implemented as an ongoing process, by means of a security framework or a security management system that incorporates continuous process improvement.
(Note: Senior Management means the senior executives of the organization such as the Chief Executive Officer, Chief Operating Officer, Chief Financial Officer, Chief Risk Officer and anyone in charge of a principal business unit or function.)