6 Organisation of Information Security

6.1 Internal Organisation

Control objective: management of information security within the Organisation and establishment of a management framework for the initiation, implementation and control of the ISMS.

    6.1.1 Management commitment to information security

    The Organisation’s management actively supports information security within the Organisation through clear direction, demonstrated commitment, and explicit assignment and acknowledgement of its own, and everyone else’s, information security responsibilities.

      6.1.1.1 The board has, in approving this Manual and the information security policy, expressed its clear support for information security within the Organisation and ensured that the information security policy meets identified information security risks and supports the business goals.

      6.1.1.2 The board has explicitly assigned lead responsibility for information security, in the management team, to the Director General of IT (also referred to in the organisational structure in Appendix III as the “Change Manager”).

      6.1.1.3 The board has allocated clear responsibilities to management and specific individuals for specific aspects of information security and these responsibilities are documented throughout the ISMS.

      6.1.1.4 The board has ensured that adequately funded, resourced and trained staff are in place to provide the level of information security it requires.

      6.1.1.5 The board has identified the need for specialist information security advice and has appointed Digi-Sign & Vigitrust to provide this expertise, reporting to the Director General of IT. The Director General of IT is responsible for reviewing the effectiveness and value of this advice and for ensuring that it is co-ordinated across the Organisation.

      6.1.1.6 The board has set up a dedicated management group to support the Director General of IT in managing information security within the Organisation, to be called the Information Security Committee. The goals of this committee, its members and its method of working are set out in procedure DOC 6.1.

    6.1.2 Information security co-ordination

    Due to the small size of the organisation, it co-ordinates its information security activities through the Trust Centre Managers, consisting of the Director General of IT and the Information Security Manager, who come from different parts of the organisation and have relevant roles and job functions.

      6.1.2.1 The goals of the managers and methods of working are set out in procedure DOC 6.2.

    6.1.3 Allocation of information security responsibilities

    The Organisation has clearly defined all information security responsibilities.

      6.1.3.1 Responsibilities for specific information security procedures are clearly defined throughout the ISMS, and are documented in individual job descriptions in line with the requirements of 8.1.1 below.

      6.1.3.2 The Director General of IT, who has lead responsibility in the management team for information security (see 6.1.1.2), is responsible for the development, implementation and maintenance of the ISMS.

      6.1.3.3 The Information Security Manager reports to the Director General of IT.

      6.1.3.4 The Information Security Manager’s responsibilities are documented in his job description and include the day-to-day responsibility for the implementation and maintenance of the ISMS.

      6.1.3.5 All staff (and certain third party contractors) have accepted their specific responsibilities in the User Agreements which they sign before they are authorized to access organisational information assets.

      6.1.3.6 All information assets have been identified (see 7.1.1) and the security processes associated with each asset have been defined following a risk assessment (see sub section 4.4) and documented on the asset inventory schedules (see sub section 7.1).

      6.1.3.7 All assets have identified Owners (see 7.1.2), whose responsibility for the day-to-day maintenance of the controls applied to their asset is documented in their job descriptions (see 8.1.1) and elsewhere through the ISMS.

      6.1.3.8 Both sites have an identified Site Manager, the Information Security Manager, who is responsible for co-ordinating information security activities and carrying out specific processes within the two sites in line with this Manual and the applicable procedures. The authority of this individual is set out in his job description (see 8.1.1).

      6.1.3.9 Authorisation levels are clearly defined and documented (see manual sub section 2.2) and enforce segregation of duties (see 10.1.3).

    6.1.4 Authorisation process for information processing facilities

    The Organisation has defined and implemented a management authorisation process (see DOC 6.4) for new information processing facilities.

    6.1.5 Confidentiality agreements

    A confidentiality and non-disclosure agreement (DOC 6.5) reflecting the Organisation’s requirements for the handling of information is in place (see also 8.1.3) and is reviewed regularly.

    6.1.6 Contact with authorities

    The Organisation maintains appropriate contacts with relevant authorities.

      6.1.6.1 The Information Security Manager is responsible for identifying (DOC 6.6) those authorities with whom the Organisation needs to maintain contact, to support information security incident management (sub section 13.2, below), business continuity management (Section 14, below), and continuous improvement.

    6.1.7 Contact with special interest groups

    The Organisation maintains appropriate contact with special interest groups and other specialist security forums and professional associations.

      6.1.7.1 The Information Security Manager is responsible, on behalf of the Organisation, for identifying and joining those forums and special interest groups which he considers will enable him to effectively meet the responsibilities contained in his job description.

      6.1.7.2 The Information Security Manager is required to ensure the Organisation has up-to-date information security knowledge, including about the changing malware threat environment.

      6.1.7.3 The Organisation’s Information Security Incident Management procedure (see Section 13) requires the Information Security Manager to have suitable liaison arrangements in place for dealing with incidents.

    6.1.8 Independent review of information security

    The Organisation’s approach to managing information security and its implementation (i.e. control objectives, controls, policies, rules, processes and procedures for information security) is independently reviewed at planned intervals, and when significant changes to the security implementation occur.

      6.1.8.1 The Director General of IT is responsible for organizing independent audits of the ISMS. Where necessary, the Director General of IT in conjunction with the Information Security Manager engages expert (technical) external assistance. The audit procedures are contained in DOC 6.7 and sub section 15.3 of this Manual is also applicable.

      6.1.8.2 The ISMS is also subject to periodic reviews by external compliance auditors.

      6.1.8.3 Risk assessments are [independently] reviewed annually to ensure that they are still complete and up-to-date.


6.2 External Parties

Control objective: to maintain the security of organisational information processing facilities and information assets that are accessed, processed, communicated to or managed by external parties.

    6.2.1 Identification of risks related to external parties

    The Organisation’s procedures for identifying risks to its information assets and information processing facilities from business processes involving external parties, and for implementing appropriate controls before granting access, are identified in DOC 6.8.

    6.2.2 Addressing security when dealing with customers

    All identified security requirements are addressed in line with the procedure in DOC 6.8. The Organisation does not apply this control because none of its customers access any of its information assets.

    6.2.3 Addressing security in third party agreements

    Agreements with third parties involving accessing, processing, communicating or managing organisational information assets or information processing facilities, or adding products or services to information processing facilities, contain or refer to all identified security requirements, as required in DOC 6.8, and third parties are not allowed to access the Organisation’s information assets until such an agreement has been signed.

      6.2.3.1 Where an external provider has a standard agreement and no provision to vary it to meet a client’s requirements, the external party’s standard clauses are assessed against the Organisation’s requirements, and the risk associated with any gap is assessed before deciding whether or not to proceed on the offered terms. Where there is a significant variation between the requirements and what is offered, the Director General of IT’s approval to proceed with the provider is required.

6.3 Authorizing New Information Processing Facilities

    6.3.1 Scope

    The Organization requires that the procurement of all information processing facilities be subject to a formal authorization process in respect of information security.

    “Facility” is defined as “any system(s) or device(s) that will be used to process or store organizational information or that will connect to an organizational network or other information processing facility.” It includes hardware, software and services.

    6.3.2 Responsibilities

      6.3.2.1 The Information Security Manager is responsible for business approvals.
      6.3.2.2 The Site Managers have responsibility for site approvals.
      6.3.2.3 The Information Security Manager has responsibility for technical approval.
      6.3.2.4 The Information Security Manager has responsibility for security approval.
      6.3.2.5 The Director General of IT is responsible for procurement.

    6.3.3 Procedure

    New information processing facilities must be:

    a) Approved (as to adequacy for the business purpose) and authorized by the line manager who, or whose team, will use them (business approval);
    b) Approved and authorized by the local Site Managers (see 6.1.3.8) as to meeting all relevant security policies and requirements (site approval);
    c) Approved and authorized by the IT Manager as to compatibility with current (and planned future) system components (technical approval);
    d) Approved and authorized by the Information Security Manager as to meeting information security requirements (e.g. information classification, anti-malware, etc.) (security approval).
    e) Signatures and dates must be on the procurement documentation before the procurement can proceed.

    6.3.4 Information Processing Devices

    User-level information processing devices (notebooks, PDAs, mobile phones, etc.) are all considered “facilities” in terms of this procedure, and the Organization requires each individual deployment of any such device to be approved and authorized in line with this procedure. Where relevant, a risk assessment will be carried out in line with DOC 4.4.

    Adlin Hisyamuddin
    Information Security Manager

    ____________________________

    On:

    08 November, 2007
    ____________________________

    Change history

    Issue 1 08 November, 2007 Initial issue