S 2.225 Assignment of responsibility for information, applications and IT components
Initiation responsibility: Head of IT, Top Management, IT Security Officer
Implementation responsibility: Specialists Responsible, Employee, Administrator
In order to obtain comprehensive overall security, it is necessary for all employees in the organisation to participate in the implementation of the required security safeguards. For this reason, it must be specified for all information, applications, and IT components who is responsible for them and for their security. A specific person (together with a substitute) should always be appointed as responsible rather than an abstract group, so that it is clear who is responsible at all times. For more complex information, applications, and IT components, all persons responsible and their substitutes should be listed by name.
By the same token, all employees should of course know which information, applications, and IT components they are responsible for and how they are responsible for them.
At the same time, every employee is responsible for everything within their area of influence unless the responsibilities have been otherwise distributed. For example, the management of the organisation is responsible for all basic decisions when introducing a new application, the Head of IT together with Information Security Management is responsible for drawing up the security policies for the IT components, the administrators are responsible for their correct implementation, and the users are responsible for handling the corresponding information, applications, and systems with care.
The Specialists Responsible, being the "owners" of the information and applications, must ensure that:
- the protection requirements of the information, applications, and IT components are determined correctly,
- the necessary security safeguards are implemented,
- the implementation is checked regularly (e.g. daily, weekly, or monthly),
- the tasks required for implementing the security safeguards are clearly defined and assigned to someone,
- system access and/or access to the information, applications, and IT components is controlled,
- any deviations threatening information security are documented in writing.
Together with the Information Security Management, the Specialists Responsible must decide how any eventual residual risks will be handled.
Review questions:
- Is it clear for all information, applications, and IT components who is responsible for them and their security?
- Have all employees been informed of which information, applications, and IT components they are responsible for and how they are responsible for them?