IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.193 Establishment of a suitable organisational
structure for IT security
Initiation responsibility: Agency/company management
Implementation responsibility: Agency/company management; IT Security
Management Team
IT security is of particular importance to all IT projects, all IT systems and all
IT users in an organisation. The aspired-to level of IT security can only be
achieved if the IT security policy is implemented throughout the
agency/company. This organisation-wide character of the IT security process
makes it necessary to specify particular roles within the agency/company.
Appropriate tasks must be assigned to each role, and these roles must be
served by staff with the appropriate skills. This is the only way to ensure that
all important aspects are taken into consideration and that all tasks are carried
out efficiently and effectively.
IT security management depends on the size, nature and structure of the
organisation concerned. The following central roles should be defined in every
case:
- the IT Security Officer, who builds up his own specialist expertise in IT
security and is responsible for all IT security issues in the organisation; and
- the IT Security Management Team, which in larger organisations
regulates all organisation-wide matters of IT security and develops plans,
procedures and guidelines.
To guarantee direct access to Management, these should both be organised as
special staff functions.
Basic rule:
The most important considerations in the definition of roles in IT security
management are:
- overall responsibility for the proper and reliable fulfilment of tasks (and
thus IT security) rests with Management
- responsibility for IT security at the various workstations should be
delegated in precisely the same manner as responsibility for the original
task.
Organisational structure of IT security management
Depending on the size of the organisation, there are three possible ways of
structuring IT security management. These are illustrated in the diagrams
below. The first diagram shows the organisational structure for IT security
management in a large organisation. The second diagram shows the
organisational structure in a medium-sized organisation in which the roles of
the IT Security Management Team and IT Security Officer are merged. The
third diagram presents an organisational structure for IT security management
in a small organisation, where all the tasks are performed by the IT Security
Officer.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Roles and tasks
Central roles
Tailored to the size of
the organisation