Page 8 - Information_Security_Program

SECURITY LEADERSHIP [DP210]

        Scope: Enterprise (all GESM)
        Distribution: Executive Leadership Team, Director of Information Technology, Privacy and Data Security
        Purpose: To define security leadership responsibilities in the organization.
        External Regulation or Standard: 45 CFR 164.308(a)(2) ‐ Assigned Security Responsibility

         Who is Responsible        Statement  Policy, Standard, or Procedure Statement
                                   Number

         Director of Information   DP210.1    Members of the Executive Leadership Team and any others may function as the
         Technology, Privacy                  Privacy and Data Security Steering Committee.
         and Data Security

         Director of Information   DP210.2    The Privacy and Data Security Steering Committee shall determine the level of risk
         Technology, Privacy                  the organization is willing to accept regarding its information security. It will normally
         and Data Security                    determine this level through the information‐security policies and expenditures it
                                              approves and does not approve.

         Director of Information   DP210.3    The Privacy and Data Security Steering Committee shall meet at least annually, and
         Technology, Privacy                  as needed.
         and Data Security

         Director of Information   DP210.4    The Director of Information Technology, Privacy and Data Security shall be
         Technology, Privacy                  responsible for implementing the direction of the Data Security Steering Committee,
         and Data Security                    including:

         Director of Information   DP210.5    • Maintaining and enforcing information security policies and proposing new policies
         Technology, Privacy                  as defined in DP211 – SECURITY POLICIES;
         and Data Security

         Director of Information   DP210.6    • Developing, implementing, and enforcing information‐security standards and
         Technology, Privacy                  procedures;
         and Data Security

         Director of Information   DP210.7    • Identifying threats to the organization's information
         Technology, Privacy
         and Data Security

         Director of Information   DP210.8    • Identifying data privacy, security, and retention regulatory obligations of the
         Technology, Privacy                  organization;
         and Data Security

         Director of Information   DP210.9    • Managing the organization’s security training and awareness program as specified in
         Technology, Privacy                  DP221 – SECURITY TRAINING AND AWARENESS;
         and Data Security

         Director of Information   DP210.10   • Managing the organization's response to suspected data security incidents; and
         Technology, Privacy
         and Data Security

         Director of Information   DP210.11   • Externally representing the organization on the topic of information security as
         Technology, Privacy                  needed.
         and Data Security, CEO
         and Chief Marketing
         Officer

         Director of Information   DP210.12   The Director of Information Technology, Privacy and Data Security shall maintain a
         Technology, Privacy                  proficiency in information‐security expertise and access appropriate legal advice
         and Data Security                    where needed.

        GES CONFIDENTIAL