S 2.337 Integrating information security into organisation-wide procedures and processes
Initiation responsibility: Top Management
Implementation responsibility: IT Security Officer, Top Management
Information security must be integrated into all business processes. It must be ensured in this regard that all necessary security aspects are not only taken into account in new projects, but also in applications currently in use.
In larger organisations in particular, there is often already a global risk management system implemented. Operational risks, including the IT risks, are an integral component of this risk management. Information security is also a basic requirement in an organisation and applies to all its processes. For this reason, the methods used to manage risks in the area of the information security should be co-ordinated with the methods already established for risk management. It is essential that the work instructions or service agreements from different areas of an organisation do not contradict each other.
BSI Standard 100-2 on the IT-Grundschutz methodology as well as the modules in the IT-Grundschutz Catalogues contain specific and detailed recommended measures for the organisation of the security process. For this reason, only brief examples of the most important organisation-wide security safeguards will be provided in the following:
Definition of responsibilities (separation of functions)
The responsibilities and authorities in the information security organisation (or IS organisation for short) must be clearly defined and delegated. In addition, substitution arrangements must be made for every important function.
Specification of lines of communication
The lines of communication must be planned, described, set up, and announced. For all tasks and roles, it must be specified who will inform whom, who must be informed of which actions, and the required scope of the information provided.
Assigning responsibility for business processes, information, applications, and IT systems
A responsible person must be assigned for each of the most important business processes, information, IT systems, and applications, but also for the buildings and rooms. Depending on the area and terminology used, the people responsible may be referred to as the information owners, the persons responsible for business processes, or the specialists responsible, for example. The specialists responsible must help in the development and implementation of the security strategy. Safeguard S 2.225 Assignment of responsibility for information, applications, and IT components provides additional information.
Drawing up a training concept for IT security
Information security affects all employees without any exceptions. Every individual, through responsible and quality-conscious behaviour, must help to avoid damage and thus contribute to the success of the organisation. This not only applies to the permanent employees, but to everyone working at the organisation, including the doorkeepers and trainees, for example.
Likewise, people who access the business processes, applications, or IT systems from outside, for example mobile employees, also need to be taken into account. Important security safeguards to consider in the context of personnel management such as the selection and hiring of personnel, personnel relocations to other departments, or personnel leaving the organisation, are described in module M 1.2 Personnel.
Furthermore, all employees must be instructed in the security safeguards necessary in their area of responsibility. They should be made aware regularly of security issues in order to sharpen their awareness for risks and precautions when handling information on a daily basis. Management also needs to be included in the awareness-raising concept. Detailed information on this subject can be found in module M 1.13 Information security awareness and training.
Integration of external service providers in the security process
The security management should have an overview of all types of service providers entrusted with performing tasks for the organisation. These can be services directly related to the processing of business-relevant information, such as the operation of a computer centre, but also general support services such as security services. The site where the service is provided (at the organisation or at the service provider) is irrelevant in this regard.
The security management should estimate for each service provider whether their activity can affect security and which security precautions must be taken in this context. If IT systems, applications, or business processes are outsourced to an external service provider, module S 1.11 Outsourcing must be applied. Employees of service providers performing tasks in the organisation's building for a longer period must also be included in the security concept.
Integrating security aspects into all business processes
The management must have an overview of the business-critical information, specialised tasks, and business processes. The experts responsible for special areas and the information security management must create specific rules for handling the relevant security aspects (e.g. safeguards and the classification and labelling of information).
Rights and authorisations
In order to protect assets, site access to rooms, system access to IT systems and applications, and access to information must be controlled. More detailed information can be found in the following safeguards, for example: S 2.6 Granting of site access authorisations, S 2.7 Granting of (system/network) access authorisations, S 2.8 Granting of (application/data) access authorisations, and S 2.220 Guidelines for access control.
Change management
Change management deals with the planning of changes to hardware, software, and processes. Organisational specifications must be created to ensure that information security aspects are taken into account when making changes. More detailed information can be found in safeguard S 2.221 Change management, for example.
Configuration management
Configuration management consists of all safeguards and structures necessary to monitor the status of the objects under examination, starting with the identification of these objects and continuing through their inventory and updating until they are withdrawn from operation.
Objects under examination (configuration elements) may be entire sections of the infrastructure or specific applications and IT systems, but could also be individual components of these items (e.g. the documentation).
In the framework of configuration management, processes and regulations need to be introduced that describe how to manage information on the properties of the configuration elements used as well as information on security-related malfunctions, problems, and changes arising in relation to configuration elements. Typical tasks include, for example, updating the list of IT systems or updating security-related documentation after making changes to business processes or applications. Recommendations for configuration management can be found in module S 1.9 Hardware and software management.
Review questions:
- Are the IT Security Officer and the information security management team adequately involved in making security-related decisions?
- Are there rules specifying that the security management is integrated in all processes and developments relevant to information security?
- Are the responsibilities and authorities in the organisational structure for information security clearly defined and delegated?
- Are there effective substitution arrangements available for all important functions of the IS organisation?