S 2.1 Specification of responsibilities and provisions
Initiation responsibility: Top Management
Implementation responsibility: Head of Organisation, Head of IT
The responsibilities for all essential tasks and business processes in an organisation must be clearly defined. The tasks should be divided so that similar tasks do not overlap and so that no task is left without someone responsible for it. This applies to all areas, of course, but it is essential for security-relevant tasks.
The security-relevant tasks of all internal and external employees and service providers must be clearly defined. They also need to be coordinated with the security objectives of the organisation. Provisions need to be specified for the following areas, for example:
- explicit assignment of the responsibilities and authorisations for all security-relevant tasks to roles and/or organisational units (ensuring that every such role is actually filled by a named person),
- proper handling of business-critical information so that the confidentiality, integrity, and availability of this information is adequately protected,
- non-disclosure agreements,
- involvement of the security officers in the context of orders and projects affecting business-critical information,
- training measures on the proper handling of business-critical information, for example when contacting customers or when on business trips,
- specification of codes of conduct and reporting obligations when performing security-relevant operations or when security incidents arise,
- classification of information according to its protection requirement.
The regulations for information security should be combined in a suitable manner with those for data privacy and for classified information, so that employees find the regulations easier to accept and their awareness is raised. It is also important to ensure that no regulations contradict each other.
Binding regulations on information security, as one aspect of information processing, must also be specified so that they apply to the entire organisation.
It is recommended to specify provisions regarding the following areas:
- data backup,
- data archiving,
- transport of data media,
- data transmission,
- destruction of data media,
- documentation of IT procedures, software, and IT configurations,
- site access, system access, and data access authorisations,
- maintenance and repair work,
- data privacy,
- protection against malware,
- auditing,
- contingency planning, and
- procedure to follow when security policies are violated,
amongst other things. Information on these topics can be found in the descriptions of the safeguards in the corresponding IT-Grundschutz modules.
The employees affected by the provisions enacted must be informed in a suitable manner (see S 3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions). It is recommended to document the fact that they have been informed. Furthermore, the current versions of all provisions must be kept at a central location and made accessible to all authorised employees who are interested.
The provisions enacted must be reviewed and updated regularly to clear up misunderstandings, avoid areas for which no one is responsible, and avoid or eliminate contradictory provisions. For this reason, every provision should carry a creation date or a version number so that its currency can be checked.
Review questions:
- Are the responsibilities and authorisations for all security-relevant tasks clearly defined?
- Are the provisions revised regularly and kept up-to-date?
- Have all affected employees been informed of the provisions, and has this been documented?