
Interesting Newsletter - GSSN Oct 1995


                          October, 1995

    Information Security System Responsibilities, Structure and Development

Is your vital business information safe, or are you just assuming that it is?
Have you established an adequate Information Security System (ISS) to protect
your key information against unwanted external or internal access and use?
Changes in how information technology is used have created new requirements
for both information management and its security. However, businesses still
too often do not take information protection seriously enough to establish
proactive information security systems and other controls. Where some
controls have been established, they often focus primarily on physical
security instead of company-wide information security. Business information
such as business plans, market strategies and trade secrets is a very
valuable organizational asset, and it would be foolish not to put adequate
security controls in place to protect this key asset across the whole
organization, including physical facilities, employees, external
contractors, computer systems, contract negotiation processes and any other
business process.

Who is responsible for information security? Everybody. However, the extent
of this responsibility varies from one function to another and from one
person to another. Fundamentally, top management, including the
organization's CEO, is responsible for establishing the information security
system. Top management is responsible for defining, documenting and
communicating the company-wide information security policy to all levels of
the organization. In addition, executive management may set either specific
or general information security objectives to move the organization from its
current situation to a better protected one. Executive management is also
responsible for appointing the Information Security Officer (ISO), who acts
as the Management Representative and has the authority and responsibility to
establish, implement and maintain the information security system. All other
members of the organization are responsible for implementing the information
security policy in their daily activities. Some individuals may have
additional responsibilities such as ISS auditing and monitoring in accordance
with the documented and planned information protection arrangements. Top
management is responsible for periodically reviewing the performance of the
system to confirm that it remains suitable and to identify any need for
revising the policy, the objectives or the system itself.

The structure of an ISS is unique to each organization. Responsibilities and
authorities differ between systems because organizations are unique.
However, there are some general requirements that can be used to design and
develop the unique ISS for any organization while still meeting basic and
fundamental information protection requirements. These requirements can
include all or some of the following main categories: Management
Responsibility, Client / Customer Contract Security, Information Systems
Design and Development, Document and Data Control & Configuration
Management, Purchasing Information Security, Facility Management and
Physical Security, Information Systems Management, Information Security
System Audit, Personnel and Employee Security, Legal Information Security
Matters, Counter Information Security System Activities and Information
Security Insurance Administration. Each of these general categories has
more detailed and specific requirements, covering documentation, activity
recording and data control. Using these requirements and any applicable
guidelines, the business can establish its unique information security
system that protects the integrity of the information effectively and

The information security system has to be designed and then developed to
address the potential security risks. This requires planning and proactive
thinking. Development can start from the Information Security Policy and
Objectives, which are set by executive management. After this, the complete
system manual can be developed by the Information Security Officer. This ISS
manual should reference all applicable additional procedures and
instructions used within the system. Typically, these procedures (such as
the Information Security Disaster Plan and Procedures) describe who, what,
when and where, and in some cases also how, for example back-up instructions
and methods. If necessary, additional security plans can be developed for
any specific project or process. These plans should be consistent with the
overall ISS. Master lists or other equivalent methods should be developed
and maintained to control all ISS plans and documentation. Planning the
information security system gives management an excellent opportunity to
evaluate and analyze all information risks and to design practical and
useful approaches to reducing them.

Nobody should underestimate the need for an ISS, but this need should not be
artificially created either. The information security system, like any
system, has to be practical and bring tangible benefits. This is one reason
why an information security assessment should be performed before the
development project begins. This assessment can identify both weaknesses and
strengths in the current information security. Careful evaluation helps the
business focus on real issues rather than developing a system that meets
some imaginary requirements but fails to address the key areas and functions
of the organization where additional controls are really needed. The
information security system should be developed for management, but its
users also include all employees within the organization, and, as with many
other organizational developments, complete implementation of the ISS
depends on employees' security awareness.