Securing information requires:
The actual organisational structure is not discussed here, since every company is different. Rather, roles are described. These roles can be assigned to different persons in an organisation depending on its structure, size, culture etc.
Depending on company size, responsibility may be assigned to the following roles. What is important is that responsibility is clear and that the responsible persons can actually assume their responsibilities (i.e. they have the powers necessary to take the corresponding decisions and the experience/knowledge to take the right decisions).
Executives: The managing director, CEO or equivalent is ultimately responsible for security strategy and must make the necessary resources available to combat business threats. This person is also responsible for disseminating strategy and establishing a security-aware culture.
IT Security manager: is responsible for enterprise security. The IT security manager(s) defines IT security guidelines together with the process owner. He/she is also responsible for security awareness and for advising management correctly on security issues. He/she may also carry out risk analyses. It is important that this person be up-to-date on the latest security problems/risks/solutions. Co-ordination with partner companies and security organisations is also important.
Business process / data / operation owner: is directly responsible for a particular process or business unit's data and reports directly to top management. He/she analyses the impact of security failures and specifies classification and guidelines/processes to ensure the security of the data for which he/she is responsible. He/she should not have any influence on auditing.
System supplier: installs and maintains systems. A service level agreement should exist defining the customer/supplier roles and responsibilities. The supplier may be, for example, an external contracting company or the internal datacentre or System/Security administrator. He/she is responsible for the correct use of security mechanisms. Often this person is root (UNIX) or dba (databases).
System designer: The persons who develop a system have a key role in ensuring that a system can be used securely. New development projects must consider security requirements at an early stage.
Project Leaders: ensure that Security guidelines are adhered to in projects.
Line Managers: ensure that their personnel are fully aware of security policies and do not set objectives which conflict with policy. They enforce policy and check actual progress.
Users: Users, or "information processors/operators", are responsible for their actions. They are aware of company security policy, understand what the consequences of their actions are and act accordingly. They have effective mechanisms at their disposal so that they can operate with the desired level of security. Should users receive confidential information that is not classified, they are responsible for classifying and distributing this information.
Auditor: is an independent person, within or outside the company, who checks the status of IT security, much in the same way as a Financial Auditor verifies the validity of accounting records. It is important that the Auditor be independent, not being involved in security administration. Often external consultants fulfil this role, since they can offer a more objective view of policies, processes, organisations and mechanisms.
The security policy needs processes and people (organisation) to ensure its implementation and its accordance with business needs. Typical security processes are:
Who monitors what systems, where, and with what utilities? Monitoring is often more effective if decentralised in very large organisations.
Processes and responsibilities need to be defined to ensure reliable backups and restores when needed. The restore procedure should be tested regularly.
Even with a solid security policy, educated users and solid system administration, an emergency response team is useful. Plan for a disaster!
Communications Manager: responsible for spreading security awareness in the company.
Having the right information at the right time is important.
The following services could be offered to internal departments: