Interesting Newsletter - GSSN Oct 1995
GLOBAL STRATEGIC SYSTEM NEWSLETTER
October, 1995

Information Security System Responsibilities, Structure and Development

Is your vital business information safe, or are you just assuming that it is? Have you established an adequate Information Security System (ISS) to protect your key information against unwanted external or internal access and use? Changes in the usage and utilization of information technology have created new requirements for both information management and its security. However, businesses and companies still too often do not take information protection seriously enough to establish proactive information security systems and other controls. Where controls have been established, they often focus primarily on physical security instead of company-wide information security. Business information such as business plans, market strategies and trade secrets is a very valuable organizational asset, and it would be foolish not to initiate adequate security controls to protect this key asset throughout the whole organization, including physical facilities, employees, external contractors, computer systems, contract negotiation processes and any other business process.

Who is responsible for information security? Everybody. However, the extent of this responsibility varies from one function to another and from one person to another. Fundamentally, the top management, including the organization's CEO, is responsible for establishing the information security system. The top management is responsible for defining, documenting and communicating the company-wide information security policy to all levels of the organization. In addition, the executive management may establish either specific or general information security objectives to move the organization from its current situation to a more protected one.

The executive management is also responsible for appointing the Information Security Officer (ISO), who acts as the Management Representative and has the authority and responsibility to establish, implement and maintain the information security system. All other members of the organization are responsible for implementing the information security policy in their daily activities. Some individuals may have additional responsibilities, such as ISS auditing and monitoring in accordance with the documented and planned information protection arrangements. The top management is responsible for periodically reviewing the performance and suitability of the system, to confirm that it remains suitable and to identify any need for revising the policy, the objectives or the system itself.

The structure of an ISS is unique to each organization. Responsibilities and authorities differ from one system to another, because organizations are unique. However, there are general requirements that can be used to design and develop a unique ISS for any organization while still meeting basic and fundamental information protection requirements. These requirements can include all or some of the following main categories:

- Management Responsibility
- Client / Customer Contract Security
- Information Systems Design and Development
- Document and Data Control & Configuration Management
- Purchasing Information Security
- Facility Management and Physical Security
- Information Systems Management
- Information Security System Audit
- Personnel and Employee Security
- Legal Information Security Matters
- Counter Information Security System Activities
- Information Security Insurance Administration

Each of these general categories has more detailed and specific requirements, including documentation, activity recording and data control requirements.

Using these requirements and any guidelines, the business can establish its unique information security system that protects the integrity of its information effectively and accurately. The information security system has to be designed and then developed to eliminate potential security risks. This requires planning and proactive thinking. Development can start from the Information Security Policy and Objectives, which are developed by the executive management. After this, the complete system manual can be developed by the Information Security Officer. This ISS manual should reference all applicable additional procedures and instructions that are used within the system. Typically, these procedures (such as the Information Security Disaster Plan and Procedures) describe WHO, WHAT, WHEN and WHERE, and in some cases also HOW, such as back-up instructions and methods. Where necessary, additional security plans can be developed for any specific project or process. These plans should be consistent with the overall ISS. Master lists or other equivalent methods should be developed and maintained to control all ISS plans and documentation.

Planning the information security system gives the management an excellent opportunity to evaluate and analyze all information risks and to design practical and useful approaches to eliminate them. Nobody should underestimate the need for an ISS, but this need should not be artificially created either. The information security system, like any system, has to be practical and bring tangible benefits. This is one reason why an information security assessment should be performed prior to the development project. This assessment can identify both weaknesses and strengths in the information security.

Careful evaluation helps the business focus on real issues, rather than developing a system that meets imaginary requirements but fails to address the key areas and functions of the organization where additional controls are really needed. The information security system should be developed for the management, but the ISS users also include all employees within the organization, and, as in many other organizational developments, the complete implementation of the ISS depends on employee security and awareness.
mjsus@atlanta.com