IT Baseline Protection Manual - The Information Warfare Site

IT Baseline Protection of Generic Components IT-Security Management
_________________________________________________________________________________________
3.0 IT Security Management
Description
As the requirement for information technology grows, the
complexity of people’s requirements has grown continuously.
Increasingly, implementation and maintenance of a
reasonable level of IT security is requiring planned and
organised action on the part of all those involved. The
efficient implementation of IT security measures and review
of their efficacy therefore necessitates a well thought out,
controlled IT security process. This planning and control task is referred to as IT security management.
It is imperative that functional IT security management is established at the start of the IT security
process.
However, functional IT security management must be integrated into the existing management
structures of a given organisation. It is therefore virtually impossible to specify a single IT security
management structure will be directly usable within every organisation. Instead, modifications to
organisation-specific circumstances will frequently be necessary.
This chapter is intended to present a systematic approach to establishing functional IT security
management and improving it over time in line with developments in business operations. The
approach presented is therefore intended to be viewed as a framework which can be modified in line
with specific characteristics of a given organisation.
Note: In some other sections of this manual the term IT security management is also used to refer to
the IT Security Management Team, i.e. to that group of persons which is responsible for the IT
security process within an organisation.
Threat Scenario
Threats in the environment of IT security management can be of a varied nature. The threat listed
below is covered in this chapter and may be viewed as typical:
Organisational Shortcomings:
- T 1.1 Lack of or inadequate IT Security Management
Recommended Countermeasures
Safeguard S 2.191 Establishment of the IT security process should be worked through at the outset in
every case. This safeguard describes a procedure for initiating and implementing a complete IT
security process. The steps and activities which are necessary for this are described, and these in turn
are covered in detail in the safeguards which follow.
The safeguards package for the area "IT security management" is summarised below.
_________________________________________________________________________________________
IT-Baseline Protection Manual: Otober 2000
IT Security
- Competence
- Responsibility
- Costs
- Control
-