IT Baseline Protection Manual S 3.3 Arrangements for substitution
S 3.3 Arrangements for substitution
Initiation responsibility: Head of Organisational Section; IT Security Management
Implementation responsibility: Superiors
Substitution arrangements are designed to ensure continuity of operation in case of absence or loss of personnel, both foreseeable (vacation, business/official trip) and unforeseeable (illness, accident, notice of termination of employment). Therefore, before such a situation arises, provisions will have to be laid down on who will substitute for whom in what fields of activity and with which authorities. This is of particular importance as regards information processing which usually requires special knowledge precluding that persons unfamiliar with the subject matter could be given training in good time to act as substitutes.
For substitution, the following general conditions must be met:
For assumption of tasks by substitutes, sufficient documentation must be provided on the current status of the relevant procedures and on the respective project.
As a rule, designation of a substitute will not suffice; consideration must be given to the training required by substitutes so that they will be qualified to assume the specific tasks. If it comes to light that there are persons who, on account of their specialist knowledge, cannot be replaced at short notice, their unavailability constitutes a serious threat to normal operations. In such cases, training of a substitute is of crucial importance.
It must be laid down what range of tasks will have to be assumed by which substitute(s).
Designated substitutes may be granted the necessary entry and access rights only when they actually have to act as deputies.
If, in exceptional cases, it is not possible to designate or train a competent substitute, early thought should be given to which external staff might be called in to act as substitutes.
Additional controls:
What provisions are made by the various organisational units as regards substitution?
Are substitutes available who are sufficiently competent?
Has the unforeseen need arisen recently to provide substitutes?
Within the organisational unit, is there a single source of knowledge, i.e. one person who, by himself/herself, has all the expertise required for IT uses?