S 1.0 Security management
Description
The secure processing of information has become essential to the survival of virtually all companies and government agencies. This information might be stored on paper, on computers, or inside people's heads. It is not enough to use technical security solutions alone to protect the information. An adequate security level can only be achieved and maintained through planned and organised action by all those involved. A systematic approach is a prerequisite for the sensible implementation of security safeguards and for checking if they are successful. This planning, controlling, and reviewing role is referred to as information security management or just IS Management for short.
The term "information security" is more comprehensive than the term "IT-security", and the former term is being used more and more often. However, since the term "IT security" is still overwhelmingly used in the literature, it will still be used in this and other publications relating to IT-Grundschutz, although the documents will place more and more emphasis on considering information security over time.
A properly functioning security management process must be embedded into the existing management structures of every organisation. For this reason, it is practically impossible to specify an organisational structure for security management that is directly applicable to every organisation. Instead, it is often necessary to adapt it to the specific conditions in the organisation.
This module is intended to illustrate how a functioning information security management process can be established and developed further during actual operations. To accomplish this, the module describes the most useful steps of a systematic security process and provides instructions for creating a comprehensive security concept. The module is based on BSI Standard 100-1 "Management systems for information security" and BSI Standard 100-2 "IT-Grundschutz Methodology" and summarises the most important aspects of security management found in these standards.
Threat scenario
The threats posed in the area of security management can be very diverse. The following typical threats are examined as examples of the numerous threats posed:
Organisational Shortcomings
| T 2.66 | Inadequate security management |
| T 2.105 | Violation of statutory regulations and contractual agreements |
| T 2.106 | Disturbance to business processes as a result of security incidents |
| T 2.107 | Uneconomic use of resources as a result of an inadequate security management |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A series of security safeguards must be implemented in the framework of security management, starting in the conception phase and the design of organisational structures to the regular auditing phase. The steps to take to accomplish this as well as the safeguards to consider in each of the steps are listed in the following. One cornerstone in reaching an adequate level of security is that the management level stands behind the security goals and is aware of their responsibility for information security. Management must initiate, control, and monitor the security process so that it is implemented in all areas of the organisation (see S 2.336 Acceptance of overall responsibility for information security at the management level).
Furthermore, a continuous security process must be established, and an appropriate security strategy must be specified for the particular organisation (see S 2.335 Defining the security objectives and strategy). The management must appoint one person to be responsible for all further questions relating to security. This person is responsible for establishing and maintaining a suitable organisational structure for information security (see S 2.193 Establishment of a suitable organisational structure for information security). One of the first steps is to create an information security policy (see S 2.192 Drawing up a policy for information security).
Information security must be actively supported in all areas of the organisation (S 2.337 Integrating information security into organisation-wide procedures and processes). This includes the creation of a security concept (see S 2.195 Drawing up a security concept) as well as the integration of the employees into the security process (see S 2.197 Integration of the employees in the security process) and the creation of security policies for specific target groups (see S 2.338 Creating target group oriented security policies).
The bundle of safeguards for security management is presented in the following.
Planning and design
| S 2.192 | (A) | Drawing up a policy for information security |
| S 2.335 | (A) | Defining the security objectives and strategy |
| S 2.336 | (A) | Acceptance of overall responsibility for information security at the management level |
Implementation
| S 2.193 | (A) | Establishment of a suitable organisational structure for information security |
| S 2.195 | (A) | Creating a security concept |
| S 2.197 | (A) | Drawing up a training concept for IT security |
| S 2.337 | (A) | Integrating information security into organisation-wide procedures and processes |
| S 2.338 | (Z) | Creating target group oriented security policies |
| S 2.339 | (Z) | Cost-effective use of resources for information security |
| S 2.475 | (A) | Contractual arrangements when appointing an external IT security officer |
Operation
| S 2.199 | (A) | Maintaining information security |
| S 2.200 | (C) | Management reports on information security |
| S 2.201 | (C) | Documentation of the security process |
Contingency Planning
| S 6.16 | (Z) | Taking out insurance |