S 2.200 Management reports on information security

Initiation responsibility: IT Security Officer

Implementation responsibility: Top Management, IT Security Officer

One of the tasks of the IT Security Officer is to help top management become aware of their overall responsibility for information security. An important basis for making the decisions required is clearly prepared and succinct information on the current information security situation in the organisation.

To control and maintain the security process, it is necessary to check its effectiveness and efficiency regularly and have the results of this check evaluated by management. The goal in this case is to co-ordinate the subsequent tasks to be performed in the security process. For this reason, it is necessary to point out all changes to the security process, for example changes to the security objectives or to the security policies. The results must be documented and integrated into the documentation previously recorded.

Regular management reports

In order for the management to be able to make the right decisions on controlling and managing the information security process, they need basic information relating to the information security status. This data should be prepared in management reports that provide this data and cover the following points, among others:

• results of audits and data protection checks
• reports on security incidents
• reports on previous successes and problems in the information security process

Management must be informed regularly in an appropriate form by the IS management team of the results of the checks and the status of the IS process. This includes pointing out problems, successes, and potential improvements.

A management report should be clear and concise. The following points can be relevant depending on the current situation. However, not all of these points should be examined in a single management report on information security since this will make the report appear overloaded. It is therefore necessary to consider pointing out the following:

• the extent to which the requirements of the security concept have already been fulfilled in the company or government agency,
• where gaps still exist, and therefore which residual risks exist,
• the security incidents that have occurred, the damage created by these incidents, and the damage that was prevented,
• the results of internal examinations, checks, and audits (see S 2.199 Maintaining information security),
• the extent to which the security level reached meets the security requirements and the threat scenarios applying to the organisation,
• if any general conditions have changed that require additional measures to be taken,
• if the activities in the framework of information security were successful,

• if the security safeguards have proven themselves suitable for reaching the security objectives or if the safeguards need to be changed or extended,
• the feedback received from customers, business partners, employees, or the general public relating to aspects of security,
• the resources used for information security,

• if and how the previous management decisions were implemented and if the activities in the framework of information security were successful.

In addition, an outlook of the further development of the organisation-wide information security process should be provided in addition to an outlook of the technical developments and procedures that could eventually contribute to the improvement of the security process.

Event-based management reports

In addition to the regular management reports, it may be necessary to create event-based management reports due to the sudden occurrence of unexpected security problems or new risks resulting from new developments. This is the case particularly when these problems cannot be solved at the working level because material resources are needed that are beyond the scope of those currently approved or supplemental personnel rules are need, for example.

Reports of security incidents such as global computer virus attacks are always in the focus of the mass media. It has proven useful to comment on such incidents in other organisations in the management reports as well and point out the extent to which your own organisation is prepared for such security incidents. An event-based management report can also be useful when the security situation changes (for example due to new threats, new technologies, or new laws).

When writing the management report, it should be taken into account that the group of readers is normally not made up of technical experts. Correspondingly, the text should be characterised by the highest possible conciseness and understandability by emphasising the most important points specifically (such as the vulnerabilities found), but also the successes achieved.

At the end of every management report, and especially in all event-based reports, there should always be clearly prioritised suggested measures together with a realistic estimate of the amount of time and expense required to implement them. This ensures that the management will be able to make a decision promptly without causing any unnecessary delays.

The management report on information security should be presented to management personally by a member of the IS management team. This makes it possible to emphasise the most important points, for example existing or potential security shortcomings. The member of the IS management team should also available directly to answer questions and provide further explanations, which experience has shown to accelerate the decision-making process.

Furthermore, personal contact is also important so that management is better prepared to make decisions and to be able to resolve problems in advance. It would also be helpful if a member of management with the corresponding technical background and interests is available as a contact. Personal contact makes it possible to establish a "short official channel", the existence of which can prove to be an advantage in emergencies.

Management decisions

Based on the management reports, the management decides on how to further proceed in the security process. When necessary, the IT Security Officer can help the top management make such decisions. All decisions must be documented. This includes documenting the following points in particular:

• actions taken to improve the effectiveness of the security concept together with the resources needed for this purpose
• the level of protection required as well as how to handle the residual risks identified in a supplementary security analysis conducted after a risk analysis
• changes to security-related processes to counteract internal or external events that could have an influence on the security concept, for example in terms of changes to the following:
  • business objectives
  • security requirements
  • business processes
  • basic external conditions (such as legal frameworks or contractual obligations).

All management reports and management decisions relating to information security should be archived in an orderly manner to enable continuous monitoring of the security process. This documentation should be available quickly when it is needed by the people responsible (see S 2.201 Documentation of the security process).

Since the management reports on information security generally contain sensitive information on the security gaps and residual risks existing in the organisation, their confidentiality must be protected. Adequate precautions must be taken to ensure no unauthorised persons can obtain knowledge of the contents of the management reports.

Review questions:

• Do the management reports contain the most important information relevant to the security process?
• Are the management decisions relating to the required action, handling of residual risks, and changes to security-related processes documented?
• Are the management reports evaluated in an informative manner and then signed?
• Are the management reports and management decisions archived?