IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.200 Preparation of management reports on IT
security
Initiation responsibility: IT Security Management Team
Implementation responsibility: IT Security Management Team
The tasks of the IT Security Management Team include supporting
Management in the execution of its overall responsibility for IT security. A
major tool for use here is a report on the current IT security situation. The aim
of such a paper should be to provide Management with the information it
needs to make the decisions it has to make.
A basic distinction should be made here between two different forms of
management report.
1. Regular management reports
The effect of submitting "IT security" management reports as regularly as
possible is to ensure that this subject is kept fresh in the minds of
Management. In this way, management reports serve to some extent as a tool
for raising the IT security awareness of those in positions of overall
responsibility. For this reason, such a report should be prepared at least once a
year.
The "IT Security" management report should cover the following areas:
- the extent to which the requirements specified in the organisation’s IT
security concept have already been addressed;
- areas in which security weaknesses, and hence residual risks, remain;
- the extent to which the IT security level matches the organisation’s security
requirements and its exposure to threats;
- whether the activities performed in pursuit of IT security have been a
success;
- whether the IT security measures have proved a suitable means of
achieving the IT security objectives.
The report should also consider any further developments expected in
organisation-wide IT security.
2. Event-triggered management reports
As well as regular management reports on IT security, it may also be
necessary to prepare event-triggered management reports if IT security
problems occur unexpectedly or because of risks associated with new
technical developments. These are needed above all when it turns out that
these problems cannot be resolved "at shopfloor level" because, for example,
extra material resources are needed over and above those approved or
extensive staff-related rules need to be modified or drawn up. IT security
incidents such as global computer virus attacks (e.g. Melissa or Loveletter emails)
are constantly hitting the mass media headlines. It has proved
appropriate to also prepare management reports in these instances in order to
show the extent to which this organisation has been affected by these security
incidents.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000