Security Policy – Organisation of Security
Attribution of Responsibilities
As part of the security of IT systems and networks, all responsibilities must be clearly defined within the organisation. The board of management appoints the officers and defines their areas of competence. Each officer oversees the implementation of the security policies within their own area. These officers also take part in the annual review.
Definition of Roles
Board of Management:
- approves the general security policy, strategies and directives
- provides the resources required to ensure IT security
- is responsible for the security of the organisation's business
- appoints a Head of Security (CS) and an Information Systems Security Officer (CSSI)
The CS and the CSSI
The CS (Head of Security) and the CSSI (Information Systems Security Officer) act as security coordinators. To this end, they each have the following responsibilities in their areas:
- to draw up the plan of action and ensure that it is monitored and regularly updated
- to provide information about the information security strategies to personnel and partners of the organisation
- to ensure that the IT security policy, as well as data privacy, are being respected
- to report regularly to management on the progress of security-related matters
- to assist personnel in respecting the security rules.
Managers
The respective managers of the organisation’s assets should:
- inventory and classify the assets and the information for which they are responsible
- manage the security of these assets and this information
- authorise the use of this information
- ensure that suitable security measures are implemented, applied, and periodically verified
- take part in promoting awareness among users.
Security Coordination
The CS and CSSI positions are specifically related to security management for the organisation. The CS and the CSSI draw up, organise, and maintain security. They are the coordinators and the in-house contacts in this area. They are permanent members of the Security Committee, and it is their responsibility to treat all security incidents with the necessary level of care.
These roles cut across the hierarchical structure of the organisation, which enables the CS and the CSSI to act and hold authority on everything relating to security. They are invited to management discussions whenever an opinion on security is required. They are also the main contact point for external authorities and the various specialist groups.
Authorising the Addition of Tools
The security policy should define a procedure to be followed for the addition of any information processing tool.
The addition of new hardware or software within the company (SMEs: see Use of unapproved software, Insertion or removal of hardware, Invalid or non-existent licence, and Misuse of organisation’s resources) must be approved by the relevant officer (see the definition of responsibilities in point 1 of this chapter). The installation of software downloaded from the Internet falls into this category. The same procedure should apply to the use of private tools within the organisation, especially if they are connected to a network.
Specialist Advice
The organisation should be in contact with an IT security specialist. This specialist will be the preferred contact for all aspects of IT security and will play a particular role in:
- the definition of security policies and their annual review;
- audit activities;
- meetings to monitor security measures;
- activities for the installation of selected technologies;
- technology watch, keeping the organisation informed of any changes which may affect the level of security.
The director appoints a specialist company to take charge of this activity.
Independent Review of Information Security
The organisation can decide to appoint an external specialist to conduct an annual review of the security policy. The aim of this review is to check that the policies are suitable for the business of the organisation and that they are properly implemented on the ground.
Third-Party Access and Outsourcing
Access by third parties to the resources and information belonging to the organisation, whether physical or logical (access management), should be granted only within a strict framework. Such access must be formally approved by a manager. The third parties concerned should either work under the direct supervision of a member of the organisation or sign the document given in the appendix, ‘Security compliance agreement for sub-contractors of the organisation’ (SMEs: see Infiltrating the premises; Aggravated theft; Device recovery; Insertion or removal of hardware).
In any event, the service agreements relating to the sensitive resources of the organisation must include provisions relating to the protection of these resources.