S 2.339 Cost-effective use of resources for information security
Initiation responsibility: Top Management
Implementation responsibility: Top Management, IT Security Officer
In order to reach the security objectives specified, it is necessary to provide adequate resources.
Providing the resources for information security
Information security requires sufficient financial and personnel resources as well as suitable equipment. The top management of the organisation must provide the information security management team with adequate amounts of these resources.
It is recommended to have the IS management team point out which resources are needed to implement all safeguards identified on the basis of the security objectives. This serves, on the one hand, as a basis for management decisions regarding the allocation of resources and, on the other hand, as input for specifying the project plans and implementation deadlines.
Access to external resources
The internal security experts are often so busy with their routine tasks that they are not able to analyse all factors influencing security or implement security solutions when they are assigned new tasks or there are new developments. This includes, for example, altered legal requirements, the introduction of new IT systems, as well as following current developments in technology. To handle peak workloads, it may be necessary to re-assign extra internal employees or use external experts. Such needs must be communicated by the internal security experts so that management can provide the required resources.
It must be ensured that all necessary security safeguards are implemented, regardless of whether they are implemented by external or internal personnel.
Resources for the IT Security Officer
Even the most expensive technical solutions are useless without a properly functioning organisational structure for information security. Experience has shown that appointing an IT Security Officer is frequently the most effective security measure. After appointing a security officer, the number of security incidents in most organisations drops significantly. The IT Security Officer requires the following in order to actually be able to improve the security level:
- adequate time to do his or her work
- adequate integration into all business processes, specialised tasks, and projects
- sufficient access to all necessary resources
In small organisations, it is possible for one employee to assume the role of IT Security Officer alongside his or her other roles.
Resources for the information security management team
An IS management team should always be set up when the IT Security Officer cannot support all business processes and projects any more, i.e. once the organisation has reached a certain size.
A lot of time and effort is usually required to set up the security process for the first time. In many cases, it is therefore useful to provide the IS management team with additional personnel resources for this phase.
Provision of resources for IT operation
The basic requirement for secure IT operations is that the IT functions smoothly, i.e. that it is planned and organised properly. Sufficient resources must be made available for IT operations. In general, the typical problems arising in IT operations (tight budgets, overburdened administrators, and an unstructured or poorly maintained IT landscape) must be solved first in order to implement the actual security safeguards effectively and efficiently. Indicators of whether the resources provided are sufficient include whether the IT users receive adequate support and whether all hardware and software is tested as planned.
Economic aspects in the security strategy
The security strategy should also consider economic aspects right from the start. When selecting the security safeguards to be implemented, the resources available should also be taken into account. If there is not enough technical or personnel support available for certain measures, then the strategy must be revised. In many cases, it is possible to find other safeguards that create a similar level of security. However, if the security objectives formulated and the financial, technical, or personnel capacities available to reach these objectives are widely disparate, then the security objectives as well as the business processes need to be reconsidered in general. In this case, management must be informed of these discrepancies so that they can initiate the necessary corrective measures.
When specifying security safeguards, the personnel and financial resources required for their implementation must be stated specifically. This includes naming the person assigned responsibility as well as additional contact persons, but also specifying detailed schedules and which materials need to be purchased. For all planned security safeguards, it is also recommended to document whether the resources planned for information security were made available on time, as well as the reasons for any deviations in the project. This is the only way to achieve long-term improvement and avoid disruptions.
Resources for monitoring information security
The suitability and effectiveness of all security safeguards must be checked regularly. Sufficient resources must be made available in this case as well. As a general rule, the people who have designed the security safeguards should not check their effectiveness and suitability. It is also possible to use external expertise for this purpose in order to avoid organisational blind spots.
The question of whether or not adequate resources are provided for information security is much more difficult to answer than it is to examine the purely technical aspects.
Review questions:
- Are the financial and personnel resources provided for the information security adequate?
- When the security safeguards were specified, were the resources required for their implementation also stated with their quantities?
- Were the resources planned for information security actually provided on time?
- Do the IT Security Officer and the information security management team have enough time to perform their security tasks?
- Are there adequate resources available for proper IT operations?