Thursday 6 September 2012

Information Security & the organisation

The ultimate responsibility for governance of an organisation lies with senior management, which will need to show that it is taking due care and exercising due diligence over the security of its assets and over compliance with regulatory and statutory requirements. In order for senior management to select the best policies and make the necessary decisions about the best methods of protecting those assets, the board will need advice on possible controls, their impact and the residual risk.

The function of the information security professional within the organisation is to provide information security that protects the assets of the organisation. Those assets may be intangible, such as electronic information, or tangible, such as paper records and the facilities of the organisation.

The role of the information security professional is to provide senior management with information on threats, vulnerabilities, countermeasures, risks and impacts so that they can make decisions about information security policies; to implement the decisions of senior management on information security; and to work with other departments in the organisation to ensure that security policies are implemented throughout the organisation.

An effective information security program will support the organisational aims and goals. These are defined by the senior management board for the whole of the organisation and are based on how it sees the organisation's strategic development. Security must be an enabler of those goals and aims rather than an impediment to them. For this to happen, those in information security must understand the business and the activities within the organisation so that they support those activities rather than hinder them.

In addition to being an enabler of the organisation's aims and goals, information security has to be responsive to changes within the organisation and in the environment it operates in: it has to respond to changes in the threat environment and to changes in the organisation's strategic aims and goals.

It will also need to make employees aware of information security and to educate them in the policies, procedures, standards and guidelines. Education ensures that employees are not just trained but understand why information security is being implemented, and the consequences to the individual and to the organisation if the information security policies are breached.

The position of information security in the organisation

For a long time information security has been considered a part of IT, a function to protect the IT infrastructure. However, information security is more than this: it is about protecting the information assets of an organisation. The effectiveness of the information security program will be improved if IT and IS are segregated, avoiding a conflict of interest between those who run and develop the IT infrastructure and those who are responsible for securing the assets of the organisation. However, it must be resourced appropriately by the senior management board.

Within some organisations this has gone further, with the functions of security and information security being combined to ensure a layered defence, in which both physical and environmental security are incorporated alongside traditional information security to protect all of the organisation's assets.
