You should identify information security processes (from a gap analysis) and assets (from a risk assessment) that need an owner and allocate accordingly, documenting the fact. You may want to consider specifically and document it in the job descriptions of the individuals involved, mitigating a little risk along the way. The levels of authorisation should be documented and requisite skills should be attained and maintained in order to protect the processes governing security. You may well appoint a specific information security manager, but some of the responsibilities should be considered to be given to other responsible individuals particularly in areas of physical or technical security where skills may not necessarily be compatible and a degree of segregation may be beneficial.

Local owners of information assets should be defined too – just because there is a head if databases records in HQ, that might not be appropriate if they reside elsewhere and someone else is responsible for their backup.