For security to be effective, it is necessary that roles, responsibilities and authorities are clearly communicated and understood by everyone in the company (IFAC 1998).
In addition, these roles and responsibilities should cover all aspects of security, as well as the individual responsibilities of all parties using the company's IS (Hone and Eloff 2002). The DTI Information Security Policy Team (DTI 2004b) indicated that responsibilities may vary according to the company's size and nature: some smaller businesses may not need a full-time information security manager, while large companies may need to employ a team to support the role of a full-time information security manager. Consequently, every company has its own unique needs and must assign its own security functions to its employees in the most appropriate manner.
However, the literature reveals that some academics and practitioners consider security to be the responsibility of employees at all levels in the company, while others focus only on the role of accountants in security. The OECD Guidelines for the Security of Information Systems and Networks (OECD 2002) stated that all participants who develop, own, provide, manage and use IS and networks are responsible for the security of those IS and networks. Those participants should understand their security responsibility and should be accountable in a manner appropriate to their individual roles. They should also review their own policies, practices, measures and procedures regularly and assess whether they are appropriate to their environment.
In addition, the DTI Information Security Policy Team (DTI 2004b) stated that all staff within the company should know who is nominated to fulfil the security roles and what their responsibilities are in this respect. For example, the CEO should provide management direction and support for information security and formally approve the company's security policy; the information security policy owner should be responsible for the distribution and review of the policy; and senior management should support and implement the policy and ensure that staff are aware of their responsibilities. In addition, the information security manager should ensure that the security policy is properly implemented, and users should follow the security policy and procedures.
The IFAC International Information Technology Guidelines (IFAC 1998) added other responsibilities for security. For example:
- Data owners should classify data according to its sensitivity and should maintain the accuracy and integrity of the data existing in the IS;
- Process owners should ensure that appropriate security, consistent with the company's security policy, is embedded in their IS;
- Technology providers should assist with the implementation of information security; and
- IS auditors should provide independent assurance to management on the appropriateness of the security objectives, and on whether security policy, standards, measures, practices and procedures are appropriate.
In addition, the Information Systems Audit and Control Association (ISACA 2005) confirms that senior management should communicate that every employee is accountable for information security, by ensuring that expectations are clearly communicated in the company's information security policies and by demonstrating that violations will not be tolerated. Pironti (2005) also stated that the Chief Information Security Officer is responsible for all elements of the information security program, for establishing the threat level for the entire company, and for reporting to senior management.
From the above, it is clear that there are many security roles and responsibilities and these roles are now gaining more importance in the upper levels o f the company.
On the other hand, other studies have addressed the accountants' security roles and responsibilities. Chandra and Calderson (2003) indicated that the accounting function is often charged with the responsibility of securing organisational assets, including information. Consequently, the accounting profession has developed various control frameworks that identify risks and security measures related to business information resources and other assets, such as those of the Canadian Institute of Chartered Accountants (CICA 1998), COBIT (2000) and SysTrust (AICPA 2002). These frameworks challenge the accounting profession to design and maintain control systems in a manner that safeguards a company's IS.
From the above, it seems that the accountant's responsibility for security extends beyond the accounting information to include all company information, whether financial or non-financial.
Bagranoff et al. (2005) confirmed this and argued that AIS are now concerned with non-financial as well as financial data and information. Consequently, accounting is a company's primary producer and distributor of many different types of information. Romney and Steinbart (2003) also stated that the primary objective of AIS is to assist management in the control of a business organisation. Thus, the accountant can help achieve this objective by designing effective control systems and by auditing or reviewing the existing control systems to ensure their effectiveness. Consequently, management expects accountants to take a proactive approach to eliminating system threats, and to detect, correct, and recover from threats when they occur.
From the above, it is clear that accountants play a significant role in maintaining the security not only of AIS, but also of IS and the company as a whole. Accountants are important members of the team that develops and modifies IS. In addition, Qureshi and Siegel (1997) stated that accountants must insist on security controls within their companies and in their recommendations to clients. Accountants should be familiar with security risks and advise everyone in the company about those risks. Moreover, Davis (1997) suggested that accountants could work with systems designers to develop adequate security measures as the technology evolves, rather than waiting until the technology has been implemented. Accountants could also educate management and system users on all aspects of AIS security.
Despite the important role of accountants in AIS security, companies must ensure that employees at all levels and in every function receive adequate security training and awareness, and that all parties (managers, employees and other users) understand the company-wide impact of lax security.