is responsible for exercising due care and due diligence in establishing security for an organiza- tion. Even though senior managers are ultimately responsible for security, they rarely imple- ment security solutions. In most cases, that responsibility is delegated to security professionals within the organization. Security professional The security professional, information security officer, InfoSec officer, or CIRT Computer Incident Response Team role is assigned to a trained and experienced net- work, systems, and security engineer who is responsible for following the directives mandated by senior management. The security professional has the functional responsibility for security, for writing the security policy and implementing it. The role of security professional can be labeled as an ISIT function role. The security professional role is often filled by a team that is responsible for designing and implementing security solutions based on the approved security policy. Security professionals are not decision makers; they are implementers. All decisions must be left to the senior manager. Data owner The data owner role is assigned to the person who is responsible for classi- fying information for placement and protection within the security solution. The data owner is typically a high-level manager who is ultimately responsible for data protection. However, the data owner usually delegates the responsibility of the actual data-manage- ment tasks to a data custodian. Data custodian The data custodian role is assigned to the user who is responsible for the tasks of implementing the prescribed protection defined by the security policy and upper manage- ment. The data custodian performs all activities necessary to provide adequate protection for the CIA of data and to fulfill the requirements and responsibilities delegated from upper man- agement. These activities can include performing and testing backups, validating data integrity, deploying security solutions, and managing data storage based on classification. User The user end user or operator role is assigned to any person who has access to the secured system. A user’s access is tied to their work tasks and is limited so they have only enough access to perform the tasks necessary for their job position principle of least privilege. Users are responsible for understanding and upholding the security policy of an organization by fol- lowing prescribed operational procedures and operating within defined security parameters. Auditor Another role is that of an auditor. An auditor is responsible for testing and verifying that the security policy is properly implemented and the derived security solutions are adequate. The auditor role may be assigned to a security professional or a trained user. The auditor pro- duces compliance and effectiveness reports that are reviewed by the senior manager. Issues dis- covered through these reports are transformed into new directives assigned by the senior manager to security professionals or data custodians. However, the auditor is listed as the last or final role since the auditor needs users or operators to be working in an environment as the source of activity to audit and monitor. All of these roles serve an important function within a secured environment. They are useful for identifying liability and responsibility as well as for identifying the hierarchical management and delegation scheme.