Understanding and Evaluating Controls Design, Implementation, and Monitoring


Per ISACA, the following key elements and roles/responsibilities of security management lead to the successful protection of information systems and assets, reducing losses to the organization:

  • Senior management commitment and support: A successful security-management program requires the full support of senior management.

  • Policies and procedures: Policies and procedures should be created and implemented in alignment with the organizational strategy, and a clear definition of sensitive and critical assets should be created. The confidentiality, integrity, and availability of these assets should be protected through proper risk management and mitigation, including specific guidelines, practices, and procedures.

  • Organization: The organization should have both general and specific responsibilities defined for the protection of information assets, as well as clear communication and definition of security roles and responsibilities.

  • Security awareness and education: All employees (internal and external) and third parties should receive appropriate and regular training, as well as updates on the importance of security in organizational policies and procedures. This includes security requirements, legal responsibilities, legal controls, and training on the correct use of information technology resources and organizational data.

  • Monitoring and compliance: The IT organization should implement monitoring and compliance controls that allow for the continuous assessment of the effectiveness of the organization's security programs.

  • Incident handling and response: A formal incident handling and response capability should be established and should include planning and preparation, detection, initiation, response, recovery, closure, post-incident review, and defined key roles and responsibilities.

In addition, the organization should define security management roles and responsibilities. The following responsibilities should be considered:

  • Process owners: Ensure that appropriate security measures, consistent with organizational policy, are maintained.

  • Users: Follow the procedures set out in the organization's security policy.

  • Information owners: Are ultimately accountable for how assets and resources are protected and therefore make security decisions, such as determining data-classification levels for information assets so that appropriate levels of control are provided for their confidentiality, integrity, and availability. Executive management, such as the board of directors, is an example of an information owner.

  • IS security committee: A formalized IS security committee should be constituted to bring together the input of users, executive management, security administration, IS personnel, and legal counsel.

  • Security specialists/advisors: Assist with the design, implementation, management, and review of the organization's security policy, standards, and procedures.

  • IT developers: Implement information security.

  • IS auditors: Provide independent assurance to management of the appropriateness and effectiveness of information security objectives.



CISA Exam Cram 2
ISBN: B001EEFNHG
EAN: N/A
Year: 2005
Pages: 146
