A.6: Organization of Information Security
Example organizational chart for information security (the slide's org-chart boxes, listed from the governing committees down to the operational roles):

- Executive Committee, chaired by the Chief Executive Officer
- Audit Committee, chaired by the Head of Audit
- Security Committee, chaired by the Chief Security Officer (CSO)
- Risk Committee, chaired by the Risk Manager
- Local Security Committees, one per location
- Information Security Manager
- Security Administration
- Policy & Compliance
- Risk & Contingency Management
- Security Operations
- Information Asset Owners (IAOs)
- Site Security Managers
- Security Guards
- Facilities Management
Controls in this section:

- A.6.1.2 Segregation of duties
- A.6.1.3 Contact with authorities
- A.6.1.4 Contact with special interest groups
- A.6.1.5 Information security in project management
and allocating responsibility to individuals, the company should create an organizational chart. That chart should support:

- Identification of the individual or individuals responsible for the security of each information facility
- Clear definition and identification of the assets, and the associated security controls, for each information facility
Control: sets out the basics of how information security should be considered as part of the organization's overall project management framework, with the creation of a mini-ISMS within each project to ensure that risks are identified and managed.
Devices in scope:

- Mobile phones
- Desktop computers used off-premises
- Notebook, palmtop and laptop computers

Security measures for these devices:

- Regular data backups of stored sensitive data
- Physical security measures
- Secure communication methods for transmitted data, such as a Virtual Private Network (VPN)
- Updates for the operating system and other software
- Access control and appropriate user authentication (biometric-based)
- Cryptographic methods for sensitive data
- Protective software such as anti-virus and others
Management Commitments

- Visible support and clear direction for information security initiatives, including the provision of appropriate resources for information security controls
- Assurance of the formulation, review and approval of an appropriate organization-wide information security policy
- Coordination of information security efforts across the organization, including committee(s) and the designation of information security officer(s)
- Appropriate management controls over new information capabilities, systems and facilities, including planning for those facilities
- Reviews at regular intervals of the effectiveness of the information security policy, including updating the policy as needed and external review as appropriate
References

1. http://it.med.miami.edu/x2227.xml
2. http://it.med.miami.edu/x1771.xml
3. http://www.iso27001security.com
4. iFour Consultancy's ISMS policy documentation, http://www.ifour-consultancy.com
5. http://www.csoonline.com/article/2123120/it-audit/separation-of-duties-and-it-security.html