S 3.46 Contact persons for security questions
Initiation responsibility: Top Management, IT Security Officer
Implementation responsibility: IT Security Officer
There should be contact persons for security questions in every organisation for both seemingly simple and technical questions. These contact persons may be IT administrators, the people responsible for IT applications, or the IT Security Officer (see S 2.12 Services and counselling for IT users and S 6.60 Specification of reporting paths for security incidents, for example).
Unfortunately, users are still very hesitant to report specific security problems. If the IT Security Officer is also the contact person for employees with general information security questions, users will be less hesitant to report specific security problems to this person. Since users frequently ask security questions relating to the private use of IT systems, the IT Security Officer should also provide information not directly related to official business, for example information on the problem of computer viruses and Trojan horses when using the internet, or on the protection of personal data when conducting e-commerce. This promotes openness towards security safeguards and increases the level of acceptance of the IT Security Officer. In addition, numerous supposedly private problems may also arise in an office environment.
All employees should know who to contact for security questions and know the reporting paths for security incidents. This could be achieved, for example, by providing a list containing the names, telephone numbers, and email addresses of the particular contact persons in the internal telephone directory or on the intranet.
Review questions:
- Have contact persons for security questions been appointed?
- Do the employees know who the contact persons for security questions are?
- Do the employees know the reporting paths for security incidents?