3.0 IT Security Management

Description

As the requirement for information technology grows, the complexity of people's requirements has grown continuously. Increasingly, implementation and maintenance of a reasonable level of IT security is requiring planned and organised action on the part of all those involved. The efficient implementation of IT security measures and review of their efficacy therefore necessitates a well thought out, controlled IT security process. This planning and control task is referred to as IT security management. It is imperative that functional IT security management is established at the start of the IT security process.

However, functional IT security management must be integrated into the existing management structures of a given organisation. It is therefore virtually impossible to specify a single IT security management structure will be directly usable within every organisation. Instead, modifications to organisation-specific circumstances will frequently be necessary.

This chapter is intended to present a systematic approach to establishing functional IT security management and improving it over time in line with developments in business operations. The approach presented is therefore intended to be viewed as a framework which can be modified in line with specific characteristics of a given organisation.

Note: In some other sections of this manual the term IT security management is also used to refer to the IT Security Management Team, i.e. to that group of persons which is responsible for the IT security process within an organisation.

Threat Scenario

Threats in the environment of IT security management can be of a varied nature. The threat listed below is covered in this chapter and may be viewed as typical:

Organisational Shortcomings:

• T 2.66 Lack of or inadequate IT Security Management

Recommended Countermeasures

Safeguard S 2.191 Establishment of the IT security process should be worked through at the outset in every case. This safeguard describes a procedure for initiating and implementing a complete IT security process. The steps and activities which are necessary for this are described, and these in turn are covered in detail in the safeguards which follow.

The safeguards package for the area "IT security management" is summarised below.

Organisation:

• S 2.191 (1) Establishment of the IT security process
• S 2.192 (1) Drawing up an Information Security Policy
• S 2.193 (1) Establishment of a suitable organisational structure for IT security
• S 2.194 (1) Drawing up a schedule of existing IT systems
• S 2.195 (1) Drawing up an IT security concept
• S 2.196 (1) Implementation of the IT security concept in accordance with an implementation plan
• S 2.197 (2) Drawing up a training concept for IT security
• S 2.198 (2) Making staff aware of IT security issues
• S 2.199 (1) Maintenance of IT security
• S 2.200 (1) Preparation of management reports on IT security
• S 2.201 (2) Documentation of the IT security process
• S 2.202 (2) Preparation of an IT Security Organisational Manual (optional)
• S 2.203 (3) Establishment of a pool of information on IT security (optional)