S 2.336 Acceptance of overall responsibility for information security at the management level
Initiation responsibility: Top Management
Implementation responsibility: Top Management
The management and guidance of a company or government agency, together with the associated management tasks, is a big responsibility. This includes not only responsibility for reaching objectives, such as a given level of business success, but also for the early detection and minimisation of potential operating risks. These risks include, among others, the risks arising from inadequate information security.
Guaranteeing an adequate security level over the long term is a complex task. It requires a systematic approach as well as a continuous and targeted security process. It is the task of every organisation's management to initiate, control, and monitor this process. In smaller organisations, this task is often performed personally by a member of management. In average-sized and large organisations, the task of information security is delegated to a person employed only for this purpose, the IT Security Officer. Depending on the size and type of organisation, there may be other people entrusted to perform security tasks only or in addition to their other tasks. It makes sense to establish a suitable organisational structure for this purpose in order to enable adequate control of the various subtasks arising in the area of security. However, management still holds overall responsibility for security, regardless of how many people have been assigned to perform security tasks.
Management should be informed regularly on the possible risks and consequences of a lack of information security. To accomplish this, it is recommended to point out the following issues to management (see also S 3.44 Making management aware of information security issues):
- descriptions of the security risks, the costs associated with them, and their impact
- impact of security incidents on critical business processes
- legal and contractual security requirements
- overview of standard procedures for information security for the industry in which the organisation operates
Even though management is responsible for achieving the security objectives, all employees of an organisation must support and help design the security process. For this reason, the following principles should be followed:
- Assumption of overall responsibility for information security
The initiative for information security should be taken by the top management of the organisation. The task of "information security" should be actively supported by the top management of the organisation.
- Integration of information security
Information security must be integrated into all processes and projects. Furthermore, all persons involved must be adequately informed of the security process and motivated to use and maintain this process.
- Defining responsibilities
The top management of the organisation appoints the employees responsible for information security and provides them with the necessary authorities and resources.
- Controlling and monitoring
The management must actively initiate, guide, and monitor the security process. To accomplish this, management must be aware of the impact of security incidents on the business activities, specify the security objectives, and create the general conditions necessary to reach these goals.
- Setting appropriate goals
There is no such thing as perfect information security. For this reason, it is important to set the security objectives so that, on the one hand, they can be reached with a reasonable amount of effort (in terms of personnel, time, and financial resources) and, on the other hand, they reduce the security risks to an acceptable level.
- The function of a role model
Management also acts as a role model when it comes to information security. Among other things, this means that management must also follow all security rules specified.
- Continuous improvement
The appropriateness and effectiveness of all elements of security management must be continuously checked. All vulnerabilities detected must be consistently eliminated, and all potential improvements identified must be implemented. It is also important to recognise possible future developments, changes to the general conditions, and potential threats as early as possible.
- Communication and knowledge
The management and the IS management team must motivate the employees and ensure that sufficient training and awareness-raising measures are available. In particular, the employees must be informed of the reasons for and purpose of technical security safeguards as well as of organisational specifications. In addition, the users should also be involved when planning the implementation of safeguards so they can contribute their ideas and assess the practicability of the security safeguards.
Review questions:
- Has top management clearly taken on responsibility for information security?
- Does management ensure that it is informed regularly of the potential risks and consequences of a lack of security safeguards?
- Has top management appointed people to be responsible for security?
- Does management lead by example when it comes to information security?