Commentary

It is important to ensure that the corporate organisation is positive about its delegation of security responsibility to areas where those responsibilities can be properly discharged. As yet, very few organisations have appointed a security officer at Board level. The security profession is most readily recognised through the general administration office and usually centres on physical security through the use of uniformed guards and CCTV cameras. Consequently, the Board-level responsibility is often heavily weighted in that direction. Many organisations will delegate physical security to an operational Director and computer or information security to the I.T. Director. In practice this splits the job, and often the budget, such that neither Director can deliver the best security value for money to the organisation. This situation should be avoided wherever possible. As organisations move into e-commerce, the need for a strong image of corporate information security is seen to be paramount.

It is stressed that this clause is primarily about people rather than technology, and about how they are organised to manage the security of information in their departments. As with most business processes, this is a multi-level activity. The executive-level corporate Information Security Policy will outline the broad objectives, and the subordinate management levels of documentation will interpret that policy into specific rules. The resultant mix can often require a compromise where there are practical limits on the degree of control and auditing which can be achieved within the operational function. This could well result in similar policies being met in differing ways by different parts of the organisation, with sets of rules each designed to fit best with the local working conditions. The key messages are to allocate responsibility and then to enable those staff by giving them proper authorisation and authority to discharge their responsibilities.

This enabling process often involves the use of specialist fora or steering groups, who are the guardians of the interpretation of corporate policy across the organisation. Organisations with limited resources should consider retaining external specialist advice, especially where they anticipate the need for investigation into security breaches that might eventually lead to disciplinary action. This delegation of responsibility requires regular review as the business grows, and is especially important with regard to external organisations and other organisations with whom you are trading. The more remote the third party, the more the need to arrange formal ways to review the implementation of security management between the parties. Where an organisation is outsourcing part of its operations, it is essential to ensure that the contract adequately covers the requirements for the management of security. The concept of "back to back" contract terms and conditions is not new. If you enter into a contract that requires a nominated degree of security management from your organisation, you had better make sure that your suppliers or outsourcing partners are not going to let you down.
The Security Practitioner: An Introduction to Information Security