A 6 organization of information security


Page 1: A 6 organization of information security

iFour Consultancy

A6 : Organization of Information Security

Page 2

The administrative structure of the organization and its relationships with external parties must promote effective management of all aspects of information security.

Includes maintaining the security of the organization's information, its processing facilities, and any information or facilities that are accessed, processed, communicated to or managed by external parties.

A.6 Organization of Information Security

1. Internal Organization

2. Mobile Devices and Teleworking

Software Development Companies in India

Page 3

A.6.1 Internal Organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

Executive Committee (chaired by the Chief Executive Officer)

Audit Committee (chaired by the Head of Audit)

Security Committee (chaired by the Chief Security Officer, CSO)

Risk Committee (chaired by the Risk Manager)

Information Security Manager

Security Administration; Policy & Compliance; Risk & Contingency Management; Security Operations

Local Security Committees (one per location)

Information Asset Owners (IAOs)

Site Security Managers

Security Guards; Facilities Management

NOTE: This is a generic structure chart. It should be replaced with one describing a particular organization's actual management structure for information security.


Page 4

A.6.1 Internal Organization (Contd.)

A.6.1.1 Information security roles and responsibilities

A.6.1.2 Segregation of duties

A.6.1.3 Contact with authorities

A.6.1.4 Contact with special interest groups

A.6.1.5 Information security in project management

Page 5

A.6.1.1 Information Security Roles and Responsibilities

Control: All information security responsibilities shall be defined and allocated.

Identification of the individual or individuals responsible for the security of each information facility

Clear definition and identification of assets and the associated security controls for each information facility

Note: Before defining and allocating responsibilities to individuals, the company should create an organizational chart.

Page 6

A.6.1.2 Segregation of Duties

Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.

Two Primary Objectives:

The first is the prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors.

The second is the detection of control failures that include security breaches, information theft, and circumvention of security controls.

Page 7

A.6.1.3 Contact with Authorities

Control: Appropriate contacts with relevant authorities shall be maintained.

The following points could be included:

Specification of the manner and timing in which breaches shall be communicated to external authorities, so as to ensure appropriate reporting

Development of procedures, policies and contact lists that specify by whom and when external authorities should be contacted

Page 8

A.6.1.4 Contact with Special Interest Groups

Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

Page 9

A.6.1.5 Information Security in Project Management

Control: Information security shall be addressed in project management, regardless of the type of the project.

The control sets out the basics of how information security should be considered as part of the organization's overall project management framework.

Creation of a "mini-ISMS" within the project to ensure that risks are identified and managed.

Page 10

A.6.2 Mobile Devices and Teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

Applicability

Mobile phones

Desktop computers used off-premises

Notebook, palmtop and laptop computers

Media and portable storage devices

Page 11

A.6.2.1 Mobile Device Policy

Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

Regular data backups for stored sensitive data

Physical security measures

Secure communication methods for transmitted data, such as a Virtual Private Network

Updates for the operating system and other software

Access control and appropriate user authentication (e.g. biometric-based)

Cryptographic methods for sensitive data

Protective software such as anti-virus and others

Page 12

A.6.2.2 Teleworking Policy

Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

Environmental and physical security measures

Policies concerning safety of private property used at the site

Appropriate user access control and authentication

Security measures for wireless and wired network configurations at the site

Cryptographic techniques for communications from/to the site and data storage

Data backup at regular intervals and security measures for those backup copies

Page 13

Management Commitments

Visible support and clear direction for information security initiatives, which includes providing appropriate resources for information security controls

Assurance of formulation, review and approval of an appropriate organization-wide information security policy

Coordination of information security efforts across the organization, including committee(s) and designation of information security officer(s)

Appropriate management controls over new information capabilities, systems and facilities, including the planning for those facilities

Reviews at regular intervals of the effectiveness of the information security policy, including updating of the policy as needed and external review as appropriate.