Security – ISMS – Organisation Management

Organisation Management

Requirements

In an ISMS, Organisation Management is concerned with definition of roles and responsibilities for functions of the overall security framework. This is needed for the creation of the ISMS and ongoing management of policies and processes within the security framework.

The successful operation of the company ISMS depends on clarity on ‘who does what’. This is to ensure security related activity is: 1) actually carried out, 2) done correctly, 3) effective. This involves routine ‘business as usual’ operational duties and tasks that may be required during handling of a security incident. This includes any contact with third party service providers.

As a minimum, consider the following for inclusion in the policies and guidelines in this area of your ISMS:

• Overview of Responsibilities
• Segregation of Duties

It is important to define responsibilities for interaction with specialist organisations involved in the management of security matters. How broad this extends will depend on legislative requirements in your area of operation, potentially:

• Contact with Authorities
• Contact with Interest Groups
• Contact with Security Specialists

Typically, these are tasks that are important during reporting of security incidents. They also have relevance when gathering information about emerging threats to maintain ongoing security awareness.

If you think this implies that security is no longer a topic that can be kept entirely in-house, you are correct! More and more countries and industry regulators are introducing rules that demand reporting of security incidents. This is to allow details of the impact of breaches to be analysed and shared. This is especially important when incidents involve the exposure of personal information. Refer to the NZ Privacy Act and the EU GDPR for details.

Likewise, an organisation’s understanding of the threat landscape must be kept current. It is critical that an appointed Security Advisor, or similar role, acquires regular updates on security matters and advice from relevant interest groups.

Roles and Responsibilities

In larger organisations there are a number of roles that could be created to manage different responsibilities within the ISMS:

• Security Advisor – responsible for the creation and ongoing management of security policies. This role requires a person that has knowledge and expertise in physical and ICT security, as well as an understanding of the business and its systems.
• Security Council – responsible for the ongoing review of security policies and all other security matters, including client audits, risk assessments and revews. The Security Council will ensure major corrections to policy are acceptable, relevant and effective.
• Senior Organisation Managers – have a shared responsibility that includes ensuring everyone is aware of security policies and that those policies are enforced. These senior company managers are also involved in the setting and ongoing review of policies – they may be members of the Security Council – to ensure alignment with the business needs.
• Site Security Officer – responsible for ensuring that security policies are relevant to individual sites (for large organisations, one SSO per site may be required) and are enforced throughout the site. These roles would report to the Security Advisor on security matters and be actively involved in the formulation and implementation of security measures for their individual site.
• Team Leaders, Employees, Contractors, 3rd Parties – are responsible for all actions undertaken using their account/s for system access. The important point here is to include all non-employees – contractors and third party partners – in all security policies and processes so their activity is not excluded from consideration of the security impact.
• Service Desk – a formal channel within the ICT team acting as the primary communication point for all queries relating to the security policies. The Service Desk role is critical to assist with the coordination of security management, service request logging, communicating information about security incidents, etc within the ICT service management framework.

In smaller organisations, these functions are still necessary for an ISMS to be effective, but several of the roles and responsibilities would be combined into a smaller number of roles, or perhaps outsourced. The key here is to ensure the various responsibilities are understood and assigned to a defined role so relevant security related duties are carried out as required.

To ensure appropriate expertise is available and to maintain the segregation that is needed for some aspects of an ISMS, a small company may outsource several of the security functions. It is not unusual for a small business to have an individual within the company who is responsible for all aspects of the security framework – a Security Advisor – but most or all activities relating to the framework are assigned to one or more external partners.

In cases where security activity is outsourced, an authorised company individual must be tasked with managing the business partner.

A Word From Our Sponsor…

To ensure the effectiveness of an ISMS and related security policies and standards, it is essential to have executive or senior management sponsorship. It is hugely important to ensure the ‘top level’ involvement in security is visible within your organisation to emphasise the criticality of operating with a security framework. This executive sponsorship will also help to ensure alignment between company strategy and any element of the ISMS.