procedures governing the agency’s handling of personal information.

3.9 Common Control Provider

The Common Control Provider is an individual, group, or organization responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by systems). Responsibilities include, but are not limited to:

• Documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization); and
• Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization.

NIST SP 800-12 Rev. 1, An Introduction to Information Security, p. 16. This publication is available free of charge from:

3.10 System Owner

The System Owner is an organizational official responsible for the procurement, development, integration, modification, operation, maintenance, and disposal of a system. Responsibilities include, but are not limited to:

• Addressing the operational interests of the user community (i.e., users who require access to the system to satisfy mission, business, or operational requirements);
• Ensuring compliance with information security requirements; and
• Developing and maintaining the system security plan and ensuring that the system is deployed and operated in accordance with the agreed-upon security controls.

3.11 System Security Officer (SSO)

The System Security Officer is responsible for ensuring that an appropriate operational security posture is maintained for a system and, as such, works in close collaboration with the system owner. Responsibilities include, but are not limited to:

• Overseeing the day-to-day security operations of a system; and
• Assisting in the development of the security policies and procedures and ensuring compliance with those policies and procedures.

3.12 Information Security Architect

The Information Security Architect is an individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture, including reference models, segment and solution models, and the resulting systems supporting those missions and business processes. Responsibilities include, but are not limited to:

• Serving as the liaison between the enterprise architect and the information security engineer; and
• Coordinating with system owners, common control providers, and system security officers on the allocation of security controls as system-specific, hybrid, or common controls.