Responsibilities and Process

Copyright(c), 1995 - Management Analytics - All Rights Reserved


Department Level

The Director for Information Resources Management (IRM) is responsible for information while it is being processed and/or transmitted electronically, and for the security of the resources associated with these functions. The Director for IRM is the Designated Approving Authority (DAA) for all IT systems processing classified national security information within the Department. This authority cannot be delegated. The Director for IRM will monitor, evaluate and report, as required, to the Assistant Secretary for Administration on the status of IT security within the Department and the adequacy of operating unit IT security programs. Within IRM, the authority to perform these responsibilities, except that of DAA for classified systems, will be exercised by the Departmental IT Security Manager.

The DOC IT Security Manager monitors, evaluates and reports, as required, to the Director for IRM on the status of IT security within the Department and the adequacy of the programs administered by the operating units. The DOC IT Security Manager will:

Operating Unit Level

User Level

The primary purpose of IT systems is to support the missions of using organizations. User management bears a great deal of responsibility for their systems and data. In addition to defining the functions to be performed by the system, and its security requirements, the user is directly responsible for the system resources, such as terminals and printers, located within the user areas. In order to assure adequate security within the user areas where these resources are located, user managers will appoint a user ITSSO to be responsible for the IT security within the user area. This individual is responsible for implementing and enforcing the security program at the user's location. The functions of the user ITSSO generally parallel those specified for the ITSSO.

Each employee of the Department is responsible for the adequate protection of IT resources within their control or possession and for abiding by all DOC IT security policies.