A.6 Organization of Information Security

iFour
Consultancy
A6 : Organization of Information Security
A.6 Organization of Information

Security
The administrative structure of the organization and its relationships
with external parties must promote effective management of all aspects

of information security.
Includes maintaining the security of the organization's information, its
processing facilities, and any information or facilities that are accessed,
processed, communicated to or managed 1.
by Internal
externalOrganization
parties.
2.
Mobile Devices and

Teleworking
Software Development Companies in Indi
A.6.1 Internal Organization

Objective:
To
establish
a
management
framework
to
initiate
and
control
the
implementation and operation
of information security within
the organization.
NOTE: This is a generic structure chart. One
should replace it by one describing a particular
Organizations actual management structure
for information security.
Executive
Committee
Chaired by the
Chief Executive
Officer
Audit
Committee
Chaired by
Head of Audit
Security
Committee
Chaired by
Chief Security
Officer CSO
Risk
Committee
Chaired by
Risk Manager
Local Security
Committees
One per
location
Information
Security
Manager
Security
Administration
Policy &
Compliance
Risk &
Contingency
Management
Security
Operations
Information
Asset Owners
(IAOs)
Site Security
Managers
Security
Guards
Facilities
Management
A.6.1 Internal Organization (Conti)

A.6.1.1
Information
security roles and
responsibilities
A.6.1.2
Segregation of
duties
A.6.1.3 Contact
with authorities
A.6.1.4 Contact
with special
interest groups
A.6.1.5
Information
security in project
management
A.6.1.1 Information Security Roles and

Responsibilities
Control:
All
information
security
responsibilities shall be defined and
allocated.
Note: Before defining
and allocating
responsibility to
individuals company
should create
Organizational chart.
Identification of the
individual/individuals
responsible for security of
each information facility
Clear definition and
identification of assets and
associated security controls
for each information facility
A.6.1.2 Segregation of Duties

Control: Conflicting duties and areas of responsibility shall be
segregated to reduce opportunities for unauthorized or
unintentional modification or misuse of the organizations
assets.
Two Primary Objectives:
The first is the prevention of conflict of interest, the

appearance of conflict of interest, wrongful acts, fraud,
abuse and errors.
The second is the detection of control failures that include
security breaches, information theft, and circumvention of
security controls.
A.6.1.3 Contact with Authorities

Control: Appropriate contacts with
relevant authorities shall be maintained.
Following points could be included:
Specification of the manner and

timing in which breaches shall be
communicated to external
authorities so as to ensure
appropriate reporting
Development of procedures,
policies and contact lists that
specify by whom and when
external authorities should be
contacted
A.6.1.4 Contact with Special Interest

Groups
Control:
Appropriate contacts with special

interest groups or other specialist security
forums and professional associations shall be
maintained.
A.6.1.5 Information Security in Project

Management
Control: Information security shall be addressed in project
management, regardless of the type of the project.
Control-set out
the basics of
how
information
security should
be considered
as part of the
overall
framework of
the project
management
with
organization
creation of
mini-ISMS
within the
project to
ensure that
risks are
identified and
managed
A.6.2 Mobile Devices and Teleworking

Objective: To ensure the security of
teleworking and use of mobile devices.
Applicabil
ity
Mobile
Phones
Media and portable

storage devices
Desktop
computers used
off-premises
Notebook,
palmtop
computers and
laptop
A.6.2.1 Mobile Device Policy

Control: A policy and supporting security measures shall be
adopted to manage the risks introduced by using mobile devices.
Regular
data
backups
for stored
sensitive
data
Physical
security
measures
Secure
communic
ation
methods
for
transmitte
d data
such as
Virtual
Private
Network
Updates
for
operating
system
and other
software
updating
Access
control
and
appropriat
e user
authentica
tion
(biometricbased)
Cryptograp
hic
methods
for
sensitive
data
Protective
software
such as
anti-virus
and others
A.6.2.2 Teleworking Policy

Control: A policy and supporting security measures shall
be implemented to protect information accessed,
processed or stored at teleworking sites
Environmental and physical security measures
Policies concerning safety of private property used at the site
Appropriate user access control and authentication
Security measures for wireless and wired network configurations at
the site
Cryptographic techniques for communications from/to the site and
data storage
Data backup at regular intervals and security measures for those backup
copies
Management Commitments
Visible support
and clear
direction for
information
security
initiatives which
includes
providing
appropriate
resources for
information
security
controls
Assurance of
formulation,
review and
approval of
appropriate
organizationwide
information
security policy;
Coordination of
information
security efforts
all over the
organization,
including
committee(s)
and designation
of information
security
officer(s)
Appropriate
management
controls over
new information
capabilities,
systems and
facilities
including the
planning for the
facilities
Reviews at
regular intervals
of the
effectiveness of
information
security policy,
including
updating of the
policy as
needed and
external review
as appropriate.
References
1. http://it.med.miami.edu/x2227.xml
2. http://it.med.miami.edu/x1771.xml
3. https://www.google.com/url?sa=t&rct=j&q=&
esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CC4QFjAA&u
rl=http%3A%2F%2Fwww.iso27001security.com
4. iFour Consultancys ISMS policy documentation
http://www.ifour-consultancy.com
5. http://
www.csoonline.com/article/2123120/it-audit/separation-of-duties-a
nd-it-security.html

A.6 Organization of Information Security

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A.6 Organization of Information Security

Uploaded by

Copyright:

Available Formats

iFour

A.6 Organization of Information

The administrative structure of the organization and its relationships

with external parties must promote effective management of all aspects

Mobile Devices and

Software Development Companies in Indi

A.6.1 Internal Organization

Software Development Companies in Indi

A.6.1 Internal Organization (Conti)

Software Development Companies in Indi

A.6.1.1 Information Security Roles and

Note: Before defining

Software Development Companies in Indi

A.6.1.2 Segregation of Duties

The first is the prevention of conflict of interest, the

Software Development Companies in Indi

A.6.1.3 Contact with Authorities

Specification of the manner and

Software Development Companies in Indi

A.6.1.4 Contact with Special Interest

Appropriate contacts with special

A.6.1.5 Information Security in Project

Software Development Companies in Indi

A.6.2 Mobile Devices and Teleworking

Media and portable

Software Development Companies in Indi

A.6.2.1 Mobile Device Policy

Software Development Companies in Indi

A.6.2.2 Teleworking Policy

Software Development Companies in Indi

Software Development Companies in Indi

Software Development Companies in Indi

You might also like