previous  next  Title  Contents  Index         Previous     Next      Top   Detailed TOC  

3 Security organisation

3.1 Overview

Securing information requires:

  1. Definition of security policies/strategies.
  2. Implementing Policies: Roles, Responsibility and organisation (this chapter):
    1. The IT security organisation needs a clear statement of mission and strategy.- Definition of security roles & processes.
    2. Users, administrators and managers should have clearly defined roles/responsibilities and aware of them.
    3. User / support staff may require training to be able to assume the responsibilities assigned to them.
  3. Effective use of mechanisms and controls to enforce security (see the "Mechanisms" chapter).
  4. Concrete Technical Guidelines and controls for specific systems (see Part III).
  5. Assurance (regular audits, reconsider risks regularly)

3.2 Organisational structure

Actual Organisational structure is not discussed here, since every company is different. Rather, roles are described. These roles can be attributed to different persons in an organisation depending on it's structure, size, culture etc..

3.3 Roles and Responsibility

Depending on company size, responsibility may be attributed to the following roles. What is important is that responsibility is clear and that the responsible persons can actually assume their responsibilities (i.e. the have powers necessary to take corresponding decisions an the experience/knowledge to take the right decisions).

Executives: The managing director, CEO or equivalent is ultimately responsible for security strategy and must make the necessary resources available to combat business threats. This person is also responsible for disseminating strategy and establishing a security-aware culture.

IT Security manager: is responsible for Enterprise security. The IT security manager(s) defines IT security guidelines together with the process owner. He/she is also responsible for security awareness and advising management correctly on security issues. He/she may also carry out risk analyses. It is important that this person be up-to-date on the latest security problems/risks/solutions. Co-ordination with partner companies, security organisations is also important.

Business process / data / operation owner: is directly responsible for a particular process or business unit's data and reports directly to top management. He analyses the impact of security failures and specifies classification and guidelines/processes to ensure the security of the data for which he is responsible. He should not have any influence on auditing.
System supplier: Installs and maintains systems. A service level agreement should exist defining the customer/supplier roles and responsibilities. The supplier may be, for example, an external contracting company or the internal datacentre or System/Security administrator. He is responsible for the correct use of security mechanisms. Often this person is root (UNIX) or dba (databases).

System designer: The persons who develop a system have a key role in ensuring that a system can be used securely. New development projects must consider security requirements at an early stage.

Project Leaders: ensure that Security guidelines are adhered to in projects.

Line Managers: ensures that his personnel are fully aware of security policies and does not provide objectives which conflict with policy. He/she enforces policy and checks actual progress.

Users: Users, or "information processors/operators" are responsible for their actions. They are aware of company security policy, understand what the consequences of their actions are and act accordingly. They have effective mechanisms at their disposal so that they can operate with the desired level of security. Should users receive confidential information that is not classified, they are responsible for classifying and distribution of this information.

Auditor: is an independent person, within or outside the company, who checks the status of IT security, much in the same way as a Financial Auditor verifies the validity of accounting records. It is important that the Auditor be independent, not being involved in security administration. Often external consultants fulfil this role, since they can offer a more objective view of policies, processes, organisations and mechanisms.

3.4 Processes

The security policy needs processes and people (organisation) to ensure it's implementation and accordance with business needs. Typical security processes are:

3.4.1 Security Hotline/ Helpdesk

3.4.2 Change Management

3.4.3 Systems monitoring

Who monitors what systems, where, with what utilities? Monitoring is often more effective if decentralised in very large organisations.

3.4.4 Data Backup & Restore

Processes & responsibility need to be defined to ensure reliable backups and restores when needed. The restore policy should be regularly tested.

3.4.5 System audits

3.4.6 Crisis Management / "Firecall" / Emergency Response Team / Disaster Planning

Even with a solid security policy, educated users and solid system administration, an emergency response team is useful. Plan for a disaster!

3.5 Security Marketing

Communications Manager: responsible for spreading security awareness in the company.

3.6 Security Information Centre

Having the right information at the right time is important.

The following services could be offered to internal departments:

previous  next  Title  Contents  Index          Previous     Next      Top   Detailed TOC