https://wiki.owasp.org/api.php?action=feedcontributions&feedformat=atom&user=Patrick+SmileyOWASP - User contributions [en]2026-06-03T01:59:31ZUser contributionsMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Talk:Industry:Project_Review/NIST_SP_800-37r1_FPD_Appendix_D&diff=75304Talk:Industry:Project Review/NIST SP 800-37r1 FPD Appendix D2009-12-20T12:02:03Z<p>Patrick Smiley: /* D.11 INFORMATION SECURITY ARCHITECT */</p>
<hr />
<div>{| align="right"<br />
| __TOC__<br />
|}<br />
<br />
<big>APPENDIX D</big><br />
<br />
<big>'''ROLES AND RESPONSIBILITIES'''</big><br />
<br />
KEY PARTICIPANTS IN THE RISK MANAGEMENT PROCESS<br />
<br />
<br />
== D.1 HEAD OF AGENCY (CHIEF EXECUTIVE OFFICER) ==<br />
<br />
<br />
<br />
== D.2 RISK EXECUTIVE (FUNCTION) ==<br />
It seems that so far, no one role is specifically required or has the objective to define one or more organizational methods for risk calculation. From personal experience, it is too easy to ignore one risk set in deference for another because of professional unfamiliarity with the first. An objective risk calculation toolset defined by organizational management provides a framework for first identifying risk, then prioritizing the addressing of risks.<br />
<br />
== D.3 CHIEF INFORMATION OFFICER ==<br />
<br />
<br />
<br />
== D.4 INFORMATION OWNER/STEWARD ==<br />
<br />
<br />
<br />
== D.5 SENIOR INFORMATION SECURITY OFFICER ==<br />
<br />
<br />
<br />
== D.6 AUTHORIZING OFFICIAL ==<br />
<br />
<br />
<br />
== D.7 AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE ==<br />
<br />
<br />
<br />
== D.8 COMMON CONTROL PROVIDER ==<br />
<br />
<br />
<br />
== D.9 INFORMATION SYSTEM OWNER ==<br />
<br />
<br />
<br />
== D.10 INFORMATION SYSTEM SECURITY MANAGER/OFFICER ==<br />
<br />
<br />
<br />
== D.11 INFORMATION SECURITY ARCHITECT ==<br />
Placing the Information Security Architect at the level of system-specific personnel, but ascribing to the position "requirements to protect the organization's core mission and business processes" is a grave mistake. This is confusing in that the System Owner and ISSO duties are specific to the level of the system with an eye toward the overall organization/agency/nation. This description needs to be re-addressed to better discuss the role at the system level.<br />
<br />
== D.12 INFORMATION SYSTEM SECURITY ENGINEER ==<br />
<br />
<br />
<br />
== D.13 SECURITY CONTROL ASSESSOR ==<br />
<br />
<br />
<br />
==Footnotes==<br />
<br />
<br />
<br />
<br />
[[Category:GIC-NISTSP80037r1FPD]]</div>Patrick Smileyhttps://wiki.owasp.org/index.php?title=Talk:Industry:Project_Review/NIST_SP_800-37r1_FPD_Appendix_D&diff=75303Talk:Industry:Project Review/NIST SP 800-37r1 FPD Appendix D2009-12-20T11:42:42Z<p>Patrick Smiley: /* D.2 RISK EXECUTIVE (FUNCTION) */</p>
<hr />
<div>{| align="right"<br />
| __TOC__<br />
|}<br />
<br />
<big>APPENDIX D</big><br />
<br />
<big>'''ROLES AND RESPONSIBILITIES'''</big><br />
<br />
KEY PARTICIPANTS IN THE RISK MANAGEMENT PROCESS<br />
<br />
<br />
== D.1 HEAD OF AGENCY (CHIEF EXECUTIVE OFFICER) ==<br />
<br />
<br />
<br />
== D.2 RISK EXECUTIVE (FUNCTION) ==<br />
It seems that so far, no one role is specifically required or has the objective to define one or more organizational methods for risk calculation. From personal experience, it is too easy to ignore one risk set in deference for another because of professional unfamiliarity with the first. An objective risk calculation toolset defined by organizational management provides a framework for first identifying risk, then prioritizing the addressing of risks.<br />
<br />
== D.3 CHIEF INFORMATION OFFICER ==<br />
<br />
<br />
<br />
== D.4 INFORMATION OWNER/STEWARD ==<br />
<br />
<br />
<br />
== D.5 SENIOR INFORMATION SECURITY OFFICER ==<br />
<br />
<br />
<br />
== D.6 AUTHORIZING OFFICIAL ==<br />
<br />
<br />
<br />
== D.7 AUTHORIZING OFFICIAL DESIGNATED REPRESENTATIVE ==<br />
<br />
<br />
<br />
== D.8 COMMON CONTROL PROVIDER ==<br />
<br />
<br />
<br />
== D.9 INFORMATION SYSTEM OWNER ==<br />
<br />
<br />
<br />
== D.10 INFORMATION SYSTEM SECURITY MANAGER/OFFICER ==<br />
<br />
<br />
<br />
== D.11 INFORMATION SECURITY ARCHITECT ==<br />
<br />
<br />
<br />
== D.12 INFORMATION SYSTEM SECURITY ENGINEER ==<br />
<br />
<br />
<br />
== D.13 SECURITY CONTROL ASSESSOR ==<br />
<br />
<br />
<br />
==Footnotes==<br />
<br />
<br />
<br />
<br />
[[Category:GIC-NISTSP80037r1FPD]]</div>Patrick Smiley