Page 52 - CISSO_Prep_ Guide
malfeasance. This requires the security officer to be extremely
ethical, honest, and thorough, and committed to protecting the
confidentiality of an investigation. Many investigations require
skills that a security officer may not have, in which case the
organization should engage experts who can provide the advice and
skills needed to investigate the incident accurately.
Physical Security Personnel
Physical security is the most visible element of the security
infrastructure. Physical security personnel play an essential role
in protecting buildings, managing access, and responding to
physical security incidents. They are often contractors, or are
supervised by a shared service provider that supplies physical
security services to many tenants in a building. An organization
should ensure that physical security personnel can be trusted, are
doing their jobs properly, and are enforcing the access control
rules according to the procedures they have been given. All too
often, an organization has found that the physical security it was
paying for was not adequate: security personnel were subject to
social engineering or were lax in enforcing the rules. Security
personnel should be adequately trained in how to deal with
incidents.
System Owner
The system owner is one of the most important but most poorly
understood roles in the security program. This stems from the
misconception that IT "owns" the IT systems and data that the
organization uses. That is an incorrect understanding. The IT
systems are "owned" by the business unit that pays for and relies
on them. For example, a finance system that handles accounts