| Area | Defines / owns | Supports |
| --- | --- | --- |
| Governance & Policy | Defines security policies, standards, and minimum requirements aligned to business goals and regulations. | Supports leadership and business units in applying policies to day-to-day operations. |
| Risk Management | Identifies, assesses, and reports security risks to the business. Maintains the risk register and risk treatment approach. | Supports business owners in accepting, mitigating, or transferring risks. |
| Asset Management | Defines what information and systems must be identified, classified, and protected. | Relies on IT and business teams to maintain accurate asset inventories. |
| Identity & Access Management (IAM) | Defines access control principles, roles, and approval requirements. | Supports IT and application owners in implementing access controls and reviews. |
| Infrastructure & Application Security | Defines security requirements for systems, networks, and applications. Reviews security posture and exceptions. | Supports IT and development teams in secure configuration, patching, and secure design. |
| Incident Response | Owns the incident response process, escalation paths, and communication requirements. | Works with IT, legal, HR, and business teams during incidents and recovery. |
| Third-Party Risk | Defines security requirements for vendors and assesses third-party risk. | Supports procurement and legal teams during vendor selection and contract reviews. |
| Awareness & Training | Defines security awareness objectives and training requirements. | Supports HR and managers in delivering training and reinforcing secure behavior. |