IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
satisfied through adherence to the technical organisational framework
conditions.
The results of such considerations should be specified in the Information
Security Policy.
4. Content of the Information Security Policy
The Information Security Policy should contain the following information
as a minimum:
- importance of IT security and IT to the accomplishment of work,
- security objectives and the security strategy for the IT used.
- assurance that the impetus for implementation of the Information
Security Policy comes from Management,
- description of the organisational structure established for
implementation of the IT security process (see S 2.193
Establishment of a suitable organisational structure for IT security).
It may also include statements on the following:
- classification of information, access control, control of access to
information and security of information processing systems;
- assignment of responsibilities in the IT security process, notably to
the IT Security Management Team, the IT Security Officer, the IT
users and IT administrators;
- account of how the Information Security Policy is enforced,
including procedures for dealing with security breaches and the
disciplinary consequences of such breaches;
- overview of documentation of the IT security process;
- statements regarding periodic reviews of the IT security measures;
- statements regarding programmes to promote IT security through
training courses and measures intended to raise awareness of
security issues.
The Information Security Policy should be written in a concise style. It
should be examined at regular intervals to ensure that it is still up-to-date,
and be amended as necessary. It may be appropriate to document these
cycles in the policy document.
5. Distribution of the Information Security Policy
It is important that Management presses home its objectives and
expectations by having the Information Security Policy distributed, and
that it stresses the value and importance of IT security in the organisation
as a whole.
As Management has ultimate responsibility for the Information Security
Policy, the policy should be set down in writing. The document must have
been formally approved by Management.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Updating