The three lines of defense model is a framework that describes the roles and responsibilities of different functions in an organization for managing risks and controls.
The first line of defense is the operational management, which is responsible for implementing and maintaining effective controls, identifying and assessing risks, and reporting on risk and control performance.
The second line of defense is the risk management and compliance functions, which are responsible for establishing and overseeing the risk management framework, providing guidance and support to the operational management, and monitoring and reporting on risk and compliance issues.
The third line of defense is the internal audit function, which is responsible for providing independent and objective assurance on the adequacy and effectiveness of the risk management and control system, and recommending improvements.
Within the three lines of defense model, the accountability for the system of internal control resides with the chief information officer (CIO). The CIO is the senior executive who oversees the IT function of the organization, and is responsible for ensuring that the IT risks and controls are aligned with the business objectives and strategies, and are integrated with the enterprise risk management and governance processes.
The references for this answer are:
Risk IT Framework, page 20
Information Technology & Security, page 14
Risk Scenarios Starter Pack, page 12
