1. Organization of information security

1.1 Internal organization and information security policies

1.1.1 Policies for information security

A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
  • Define an “information security policy” which is approved by management and which sets out the organization’s approach to managing its information security objectives.
  • Make sure that the information security policy contains the definition of information security, objectives and principles to guide all activities relating to information security. Furthermore, the policy should assign general and specific responsibilities for information security management to defined roles.
  • The information security policy should be supported by topic-specific policies (e.g. access control, backup, communications security, etc.) which further mandate the implementation of information security controls.
  • Review the policies for information security at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.

1.1.2 Information security roles and responsibilities

All information security responsibilities should be defined and allocated.
  • Define responsibilities for information security risk management activities and for acceptance of residual risks.
  • Identify responsibilities for the protection of individual assets and for carrying out specific information security processes.
  • If relevant, appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identification of controls.
  • Individuals with allocated information security responsibilities may delegate security tasks to others, but they remain accountable and should determine that any delegated tasks have been correctly performed.

1.1.3 Segregation of duties

Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
  • Make sure that no single person can access, modify or use assets without authorization or detection.
  • Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, consider other controls such as monitoring of activities, audit trails and management supervision.

1.1.4 Contact with authorities

Appropriate contacts with relevant authorities should be maintained.
  • Implement procedures that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner.
  • Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in laws or regulations that the organization has to implement. Contacts with other authorities and service providers include utilities, emergency services and health and safety bodies, e.g. fire departments, electricity suppliers, telecommunication providers and water suppliers.

1.1.5 Contact with special interest groups

Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.
  • Consider membership in special interest groups or forums as a means to improve knowledge about best practices; receive early warnings of alerts, advisories and patches pertaining to attacks and vulnerabilities; and exchange information about new technologies, products, threats or vulnerabilities.
  • If necessary, establish information sharing agreements to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.

1.1.6 Information security in project management

Information security should be addressed in project management, regardless of the type of the project.
  • Integrate information security into the organization’s project management method(s) to ensure that information security risks are identified and addressed as part of a project.
  • Require that information security objectives are included in project objectives; an information security risk assessment is conducted at an early stage of the project to identify necessary controls; and information security is part of all phases of the applied project methodology.
  • Address and review information security implications regularly in all projects.
  • Define and allocate responsibilities for information security in the project management methods to specified roles.