It is well known that CI professionals, watchers of all calibres, lobbyists and advocates are after valuable information, both inside and outside their companies.
Once information is recognized as part of the company's intangible assets, it becomes absolutely necessary to set up policies governing its proper handling and protection.
Who will do it?
A team specifically dedicated to information security.
The next questions then come up: how do you set up such a team, and who will lead it?
Several aspects must be taken into account when setting up an information security department.
Knowledge of information security is codified in several models currently available, among them the ISO/IEC 27000 series (information security).
The knowledge relating to the Information Security Management System (ISO 27001) and the Code of Practice for Information Security Management (ISO 27002) should be disseminated throughout the organization. However, when it comes to structuring an information security department, companies find themselves in a worrying scenario.
1 - The information security analyst must have a high level of technical knowledge. I am not referring to certifications; I mean practical knowledge and hands-on experience in the subject.
2 - Some companies insist on promoting someone from the IT department to the position of Information Security Manager. That professional usually has a profile very different from the one required to take on this responsibility.
As an example, here is the profile I typically find among those promoted to Information Security Manager as described in the paragraph above:
• He has experience in broader subjects such as databases and software development, and has used only the most basic security features of those tools.
• He has no history of attending lectures, events or training on information security.
• He is not familiar with international information security standards (e.g. ISO 27002) and does not follow bulletins about new threats on the Internet.
• He reads only books on database technologies and software development languages.
• He holds a technology degree in databases, an MBA in Information Technology and certifications from Microsoft and Oracle.
- Can you guess what his role in the company was? That's right: he was responsible for managing the database. Now he is the Information Security Manager, and he has a lot of ground to cover before he reaches the required profile.
3 - Some companies create an information security department merely to administer access to the computing environment: it creates users, changes passwords, sets permissions on directories and so on, all of this just to comply with regulations or audits.
4 - Creating an information security department subordinate to the Information Technology area is the most common mistake organizations make.
On the organization chart, the security area should be aligned with the legal and audit departments. An information security area that reports to the IT director functions more as technical support than as the area responsible for the whole Information Security Management System.
Success factors
The success of your company does not depend on its technological arsenal. Several factors should be considered when deciding to create an information security team and implement an Information Security Management System (ISMS). The first factor is to obtain approval from the organization's managers to launch the ISMS implementation project.
At this stage the project team presents the priorities, objectives and scope for deploying the ISMS. It should also discuss the changes to the company's organizational structure, including responsibilities, needed to meet the project objectives and business needs.
The output of this phase is the approval and commitment of managers to implement the Information Security Management System.
The second factor is a diagnosis and analysis of the organization's maturity level. During this phase, we map the organization's current situation and present a list of improvements needed in its information security processes, so as to link the organization's strategic planning to the implementation of security systems.
The third factor is the creation of an interdepartmental committee to develop information security policy and standards, with the support of the board and/or senior management, based on the Information Security Governance guidelines, business needs and regulations.
With the support of the CEO
The creation of an information security team and the definition of its responsibilities depend mainly on the guidelines established by the board and/or directors. These guidelines should be documented in the Information Security Governance policy.
Information Security Governance clarifies for managers the company's strategic objectives regarding information security. It then sets out the list of legal and regulatory requirements and the contractual requirements involving information security that apply to the business.
Together, these three factors will help your company create an information security team and implement an Information Security Management System.
Sources: ISO/IEC 27001, 27002; ABNT
Friday, 23 April 2010