S 2.193 Establishment of a suitable organisational structure for information security
Initiation responsibility: Top Management
Implementation responsibility: IT Security Officer, Top Management
Planning and establishing the information security organisation
In order to successfully plan, implement, and maintain a security process, a suitable organisational structure for information security must be in place. Roles must be defined to perform the various tasks required to achieve the security objectives. In addition, qualified people must be appointed to fill these roles, and these people must be provided with sufficient resources.
At the beginning of the security process it may become apparent that people have already been appointed responsible for various aspects of information security in the organisation, but that there are no organisation-wide structures for information security. In this case, a suitable organisational structure for information security must be established that covers the entire organisation.
If an IS organisation has already been established, then consideration should be given regularly to whether or not it is still adequate or needs to be adapted to new general conditions.
The role of the IT Security Officer
The type and characteristics of the information security organisation depend on the size, nature, and structure of the particular organisation. The IT Security Officer position must be created in every organisation since this person is responsible for all aspects of information security. The tasks of the IT Security Officer include the following, among others:
- controlling and co-ordinating the information security process
- providing management with support when creating the policy for information security
- co-ordinating the creation of the security concept, the contingency planning concept, and other sub-concepts and system security policies as well as issuing additional policies and rules for information security
- creating, initiating, and monitoring the implementation plan for security safeguards
- informing management and the IS Management Team of the current status of information security
- co-ordinating security-related projects and ensuring the flow of information between the departmental IT Security Officers, Project Security Officers, and IT System Security Officers
- investigating security-related incidents
- initiating and controlling awareness-raising and training measures for information security
The IT Security Officer must be involved in all large projects that have a significant impact on information processing as well as when introducing new applications and IT systems in order to ensure that security-related aspects are adequately taken into account. Such projects include, for example, the purchasing of IT systems and designing of IT-based business processes.
To ensure direct access to top management, it is recommended to create a staff position for this role.
In small organisations, the role of the IT Security Officer can also be fulfilled by a qualified employee in addition to this person's other tasks. It is essential to allow the IT Security Officer enough time to perform his or her tasks. Adequate time must be budgeted for this role, especially when the security process is being set up for the first time. A qualified substitute for the IT Security Officer should also be appointed when planning the information security organisation.
Selection of the IT Security Officer
The IT Security Officer should have knowledge and experience in the fields of information security and information technology. Furthermore, the IT Security Officer should possess the following qualifications and personal traits:
- an overview of the tasks and goals of the organisation
- identification with the objectives of information security
- the ability to co-operate and work in a team (few other tasks require such skills and abilities in dealing with other people)
- the ability to work independently
- assertiveness
- experience in project management
An IT Security Officer cannot ensure adequate security in all areas of an organisation alone. For this reason, it is important for this person to have communication skills and the ability to make presentations. Management must be involved repeatedly in a number of the main phases of the security process, and will also be required to make decisions. Working with employees and external personnel requires a high degree of skill, since these people must be convinced of the necessity of the security measures, which some may perceive as a burden. An equally sensitive area is questioning employees after critical security incidents or about weaknesses critical to security. In order to obtain useful answers to these questions, the employees must be convinced that honest answers will not be used against them.
Structure of an information security management team
In large organisations, it makes sense to set up an IS management team to support the IT Security Officer and to control all issues relating to information security in the organisation as a whole and to develop plans, specifications, and policies.
The size and composition of the IS management team must be defined based on the scope of the security process and the resources and expertise needed for the security process. BSI Standard 100-2 IT-Grundschutz Methodology provides a variety of examples of possible organisational structures for information security management.
Selection of the IS management team
To take the various perspectives on information security in an organisation into account, the following people and representatives should work together in the IS management team:
- IT Security Officer
- person responsible for IT
- representative of the users
- Data Protection Officer
If necessary, a representative from auditing, the legal department, and the personnel representative of the organisation could be included in this team.
Appointing a manager to be responsible
At management level, the information security role should be clearly assigned to one manager to whom the IT Security Officer then reports directly. A managing director could also assume this role in small organisations.
Monitoring the information security organisation
The IS organisation, once it has been established, is not static. Business processes and the surrounding conditions change constantly, which means the IS organisation will need to be reviewed repeatedly. When reviewing the IS organisation, it should be examined, for example, whether the tasks and authorities in the security process are defined clearly enough, but also whether the tasks defined can be carried out as planned. The following points are particularly important in this regard:
- Monitoring responsibilities in ongoing operations
It must be examined regularly if all responsibilities and authorities have been clearly assigned and if they are practical.
- Checking if the requirements are being complied with
Regular checks must be conducted to ensure that all processes and procedures in the IS organisation are used and executed as intended. At the same time, it should be ensured that the organisational structures established for information security actually meet the requirements.
- Evaluating the efficiency of processes and organisational rules
It must be examined regularly if the processes and organisational rules in security management are practical and efficient.
As soon as processes or regulations implemented for security reasons become too complicated or time-consuming, they are frequently ignored or deliberately bypassed in spite of the risk of security incidents.
- Management evaluations
Management is to be informed regularly of the results of the checks and examinations mentioned above. The reports are not only needed to solve urgent or time-critical problems, but also contain important information needed by management to control the security process.
Adapting and improving the information security organisation
The IS organisation must be optimised regularly in terms of its efficiency and effectiveness. If weaknesses have been detected in the processes or regulations for the IS organisation, then these weaknesses must be eliminated.
Documentation
The tasks, responsibilities, and authorities in the security management must be documented in an understandable manner. This also includes the most important work instructions and organisational rules.
Review questions:
- Has an IT Security Officer been appointed?
- Is the IT Security Officer adequately qualified?
- Is the IT Security Officer (and the IS organisation) provided with adequate resources?
- In large organisations: Is the IT Security Officer supported by an information security management team?
- Are the tasks and authorities in the security process clearly defined?