Roles and responsibilities

Below are the typical roles in a software project and security responsibilities. These can be adjusted based on the context of each institution and size and complexity of the software project.

Role: Steering Committee

Responsibilities:

       - provides project leadership to ensure the successful delivery of the project and is accountable for approving key security deliverables and milestones

       - ensures that security roles and responsibilities have been established for the project and that adequate resources are provided for security activities on the project

Role: System Owner and users

Responsibilities:

The System Owner is responsible for the system and its operations and maintenance. Key security responsibilities include:

       - provides input on the security classification of the information that will be managed by the system

       - provides input to the threat and risk assessment based on threats and risks pertaining to operations

       - ensures users attend required security training

Role: Project Manager

Responsibilities:

The Project Manager has the authority to run the project on a day-to-day basis and is responsible for ensuring that all project activities are delivered within the agreed constraints of cost, time, risk, resources, quality and scope. The Project Manager should ensure that security activities and deliverables are included in the project plan and form part of the acceptance process for each stage.

Role: Security expert

Responsibilities:

The Security expert is the subject matter expert on all security tasks. This role may be performed in-house or by an external expert (or a combination of both) to complement the project team. Key responsibilities include:

       - ensures that all key stakeholders have a common understanding of security concepts

       - advises on the security classification of the system based on the nature of the information, and provides the high-level security requirements that need to be fulfilled for that security classification

       - performs the threat and risk assessment

       - leads the definition and review of security requirements

       - reviews vendor proposals against security requirements for externally procured software

       - conducts the security review of the system design and architecture with input from stakeholders

       - leads the security testing activities, including source code review, application testing, vulnerability assessments and penetration testing

       - follows up on the remediation of identified vulnerabilities

       - carries out continuous security reviews during the operations stage

       - is consulted on software changes that may have a significant security impact

Role: Developer

Responsibilities:

The Developer is responsible for developing the system and is often consulted on the technical feasibility of a system requirement. This role may be performed by the vendor if the project is outsourced. Key responsibilities include:

       - is consulted on the design, architecture and coding standards so that they are aligned with secure practices

       - provides input to the threat and risk assessment related to systems development

       - ensures security controls and requirements are implemented during development

       - participates in source code security review and addresses its recommendations

       - makes approved system changes

Role: System Administrator

Responsibilities:

The System Administrator is responsible for the day-to-day operations of the commissioned system. Key responsibilities include:

       - provides input to the threat and risk assessment on threats and risks pertaining to operations and systems administration

       - provides input on the software security requirements

       - reviews vendor proposals against security requirements for externally procured software

       - provides input to the security review of the system design and architecture

       - maintains security configurations, and assigns and maintains user access based on role

       - implements authorized security updates and patches

       - executes system/application changes to the production environment upon approval of the change

       - is responsible for continuous monitoring, such as vulnerability scanning, and for performing security reviews/self-assessments

       - is responsible for the disposal plan, which includes selecting the archival method for important and classified information; the System Administrator is also responsible for ensuring that archived information is marked and handled according to its information classification