Answer
Yes, it is true that an information system cannot be secured by the sole effort of the system administrator or manager. Each and every stakeholder of the system has equal responsibilities and duties regarding the security of the system. So, it is imperative that individual roles, responsibilities and authority are clearly communicated and understood by all. The duties and responsibilities of stakeholders are specified as:
• Executive manager: assigned overall responsibility for the security of information
• Information systems security professional: responsible for the design, implementation, management and review of the organization’s security policy, standards, measures, practices and procedures
• Data Owners: responsible for determining sensitivity or classification levels of the data as well as maintaining accuracy and integrity of the data resident on the information system.
• Process Owners: responsible for ensuring that appropriate security, consistent with the organization’s security policy, is embedded in their information systems.
• Technology providers: responsible for assisting with the implementation of information security
• Users: responsible for following the procedures set out in the organization’s security policy
• Information system auditors: responsible for providing independent assurance to management on the appropriateness of the security objectives and on whether the security policy, standards, practices and procedures are appropriate and comply with the organization’s security objectives.