IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.191 Establishment of the IT security process
Initiation responsibility: Agency/company management
Implementation responsibility: Agency/company management
The enforcement and maintenance of a reasonable and adequate level of IT
security for a complex set of IT assets requires planned and organised action
on the part of all those involved. Strategic key statements must be prepared,
design requirements worked out and the organisational framework established
to enable the company or agency to function with proper and secure IT
support. A controlled IT security process which will lay the groundwork for
the thoughtful design and efficient implementation and success monitoring of
IT security measures is initiated by Management.
As the highest echelons of Management are not only responsible generally for
the systematic and proper functioning of an organisation but also for
guaranteeing IT security, the IT security process must be initiated, directed
and monitored from that level. Ideally, the following specific conditions
should be satisfied:
- The initiative for IT security should originate from Management.
- Responsibility for IT security should reside there.
- The "IT security" function should be actively supported by Management.
If this framework does not exist in a given situation, as a first step an attempt
should be made to implement the missing IT security measures at "shopfloor"
level. In all cases, however, every attempt should be made to make
Management aware of the importance of IT security to ensure that it takes its
responsibility in this area seriously. Although many aspects of the IT security
process can be initiated on the shopfloor and will result in an improvement in
the security situation; there is no guarantee that such actions will lead to a
permanent raising of the IT security level.
The establishment of a functional IT security process can be achieved through
the following steps:
Step 1: Drawing up of an Information Security Policy
A set of IT security objectives that are derived from the overriding business
objectives, marketing strategy and the general security objectives of the
company or agency should be defined. The greater the dependence of the
organisation on the use of IT and the operational capability provided through
IT, the more important it is to consider the IT security objectives at all levels
of the organisation.
The Information Security Policy should be based on the IT security objectives
agreed at Management level. It should define the internal organisational
structures, guidelines, rules and procedures which are necessary to achieve the
IT security goals. Depending on the size of the organisation, it may be
appropriate in addition to the enterprise-wide Information Security Policy to
prepare one (or more) sets of departmental or site-specific information
security policy documents derived therefrom.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Optimal framework
Alternatives