S 3.51 Appropriate concept for assignment and qualification of employees
Initiation responsibility: IT Security Officer, Head of Personnel
Implementation responsibility: Personnel Department, Supervisor
Every employee should have a job description that sets out the tasks the employee is responsible for: "Everyone should know what they have to do". The tasks should be specified clearly and without overlap so that there are no disputes about areas of responsibility. Employees should also know everyone who comes into contact with their area of responsibility, including all people who perform similar tasks or who help them perform their own. For example, employees should know who is responsible for IT support so that, on the one hand, problems can be resolved as soon as they arise and, on the other hand, employees are not deceived by persons posing as support staff (see T 5.42 Social Engineering).
The roles an employee is to assume must be clearly defined. On the basis of these roles, all necessary authorisations must be granted (see S 3.1 Well-regulated familiarisation/training of new staff with their work and S 3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions).
All employees should be trained in how to perform their tasks and in how to use the IT systems needed to perform them. In addition, employees must of course be informed of all security policies they have to follow. It is recommended to draw up a training concept for this purpose (see module S 1.13 Information security awareness and training).
Review questions:
- Is there a concept for assigning and qualifying the employees?
- Are the tasks and roles of the employees defined in writing?
- Do the employees know all people coming into contact with their area of responsibility?