S 2.335 Defining the security objectives and strategy

Initiation responsibility: Top Management

Implementation responsibility: Top Management, IT Security Officer

Information security is an important factor in the ability of a company or government agency to successfully reach its goals and accomplish its tasks. Information security is not just a project that is performed once and is then finished, but is a continuous process that needs to be anchored as such in all business processes and the minds of every employee. The security process must be initiated and established by the top management. At first, it is necessary to specify adequate security objectives as well as a strategy for information security. In addition to the strategic statements, it is also necessary to develop conceptional specifications and create the general organisational conditions needed to enable the proper and secure handling of information in all business processes of the company or government agency.

The security objectives should be carefully defined at the beginning of every security process. Otherwise there is a risk of developing security concepts that do not meet the information security requirements of the government agency or company. Methodically planning information security helps a company or government agency to reach its basic goals and accomplish its tasks. For this reason, the general goals of the organisation as well as the most important business processes and information form the foundation for defining the security objectives. Appropriate and accessible security objectives are prerequisites for all further steps in the security process. The goals must be realistic, practical, convincing, and comprehensible. The protection requirements of individual pieces of information, business processes, applications, IT components, and networks can then be derived in the framework of the security design, which then determines which security safeguards need to be implemented.

When implementing security safeguards, an organisation will always have to strike a compromise between the costs and the effort expended. For this reason, it should be clear which information and business processes contribute to an organisation's ability to perform its tasks and what value the organisation places on this ability in order to formulate appropriate security objectives.

The security objectives must be supported by the top management of the company or government agency, and top management is also responsible for these objectives. The security objectives should be defined and documented by the information security management team together with the management. Depending on the organisational structure, it is advisable to include the heads of the major business areas (e.g. the heads of the departments or divisions) in the process of defining the security objectives.

A detailed description of how and in what level of detail the security strategy and security objectives should be documented can be found in BSI Standard 100-2 IT-Grundschutz Methodology.

The security objectives and security strategy should be examined regularly to determine if they are still adequate and up-to-date. The security objectives and security strategy must be examined and modified accordingly in this case, and especially after changes to the general conditions, business processes, or IT environment.

The security process can only be successful over the long term when management regularly checks the effectiveness and efficiency of the security strategy. The improvements resulting from these checks must be used to adapt the security process accordingly.

Review questions:

© Federal Office for Information Security. All rights reserved.