
IT Baseline Protection Manual - The Information Warfare Site


Safeguard Catalogue - Organisation

S 2.5 Division of responsibilities and separation of functions

Initiation responsibility: Agency/company management

Implementation responsibility: Head of IT Section; Head of Organisational Section; IT Security Management

The functions to be performed by the agency/company as regards IT uses must be laid down. Here, a distinction must be made between two levels:

- The first level comprises those functions which provide for, or support, IT system uses for data processing purposes, such as work preparation, data post-processing, operating, programming, network administration, administration of permissions, auditing.

- The second level comprises those functions which apply to the IT procedures available for task performance. Examples of such functions are: person responsible for specialised tasks, IT application supervisor, data acquisition operator, desk officer, payment in-charge.

The next step is to lay down and justify separation of functions, i.e. functions which are not compatible with each other and thus must not be performed by one person at the same time. The relevant requirements may be implied by the tasks themselves or by legal provisions. Examples include:

- administration of permissions and auditing;

- network administration and auditing;

- programming and test of self-developed software;

- data acquisition and authority to sign orders to pay;

- auditing and authority to sign orders to pay.

This shows, in particular, that in most cases operational functions are not compatible with controlling functions.

After the separation of functions to be observed has been laid down, the functions can be assigned to persons.

The provisions laid down in this context must be documented and updated in case of changes being made to IT uses. If such assignments do result in incompatible functions having to be performed by one person, this fact must be explicitly mentioned in the relevant documentation on the separation of functions.

Additional controls:

- Has an exhaustive list of the relevant functions been established?

- Is completeness of the defined separation of functions ensured?

- Is separation of functions being maintained in staffing terms?

- Is the allocation of persons/functions updated?
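The procedure above (list the functions, fix the incompatible pairs, assign persons, document any unavoidable conflict) and the "maintained in staffing terms" control can be checked mechanically. The following Python script is an added example and not part of the manual: it encodes the five incompatible pairs listed above and checks a constructed person-to-function assignment against them, reporting conflicts that are not covered by a documented exception, and functions from the rule set that currently have no holder. The person names, the assignment and the documented exception are constructed sample data.

```python
"""Separation-of-functions (S 2.5) checker.

Added example, not from the IT Baseline Protection Manual. The function
names are the manual's own examples; persons, assignment and the
documented exception are constructed sample data.
"""
from itertools import combinations

# Incompatible function pairs as listed in S 2.5 (order within a pair is irrelevant).
INCOMPATIBLE_PAIRS = [
    ("administration of permissions", "auditing"),
    ("network administration", "auditing"),
    ("programming", "test of self-developed software"),
    ("data acquisition", "authority to sign orders to pay"),
    ("auditing", "authority to sign orders to pay"),
]

# Constructed sample assignment of functions to persons (hypothetical names).
ASSIGNMENTS = {
    "A. Example": {"network administration"},
    "B. Example": {"auditing"},
    "C. Example": {"data acquisition", "authority to sign orders to pay"},
    "D. Example": {"programming", "test of self-developed software"},
}

# Conflicts that the separation-of-functions documentation explicitly records
# (constructed sample): D. Example both programs and tests the same software.
DOCUMENTED_EXCEPTIONS = {
    ("D. Example", frozenset({"programming", "test of self-developed software"})),
}


def conflict_set(pairs):
    """Normalise the rule list into a set of unordered pairs."""
    return {frozenset(pair) for pair in pairs}


def find_violations(assignments, pairs):
    """Return (person, pair) for every incompatible pair held by one person."""
    conflicts = conflict_set(pairs)
    violations = []
    for person, functions in assignments.items():
        # Check every pair of functions the person holds against the rules.
        for a, b in combinations(sorted(functions), 2):
            pair = frozenset((a, b))
            if pair in conflicts:
                violations.append((person, pair))
    return violations


def undocumented_violations(assignments, pairs, exceptions):
    """Violations that are not explicitly recorded in the documentation."""
    return [v for v in find_violations(assignments, pairs) if v not in exceptions]


def unassigned_functions(assignments, pairs):
    """Completeness check: functions named in the rules that nobody currently holds."""
    named = {f for pair in pairs for f in pair}
    held = set().union(*assignments.values())
    return sorted(named - held)


if __name__ == "__main__":
    for person, pair in find_violations(ASSIGNMENTS, INCOMPATIBLE_PAIRS):
        status = "documented" if (person, pair) in DOCUMENTED_EXCEPTIONS else "UNDOCUMENTED"
        print(f"{status}: {person} holds {' + '.join(sorted(pair))}")
    for function in unassigned_functions(ASSIGNMENTS, INCOMPATIBLE_PAIRS):
        print(f"no holder: {function}")
```

With the sample data the script flags C. Example (data acquisition together with the authority to sign orders to pay) as an undocumented conflict, accepts D. Example's conflict because it is recorded as an exception, and reports that "administration of permissions" has no holder. Re-running it whenever the allocation of persons to functions changes is one way to keep the documentation the manual demands current.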

IT-Baseline Protection Manual: October 2000
