9.1.3 Measures
As will be explained below, one has to distinguish between two categories of
measures:
• Organisational and
• Technical.
Both operate in concert and complement each other. Measures can be of a
general nature; together these constitute a security environment that broadly
controls security loopholes. They include directives, organisational structures and
technical security installations at hardware and software level. Additionally, quite a
number of specific measures exist, which cover specific security risks and are relevant
for specific cases. The processes required for them to work have to be implemented.
9.2 Scope
The scope of IT security is limited by two criteria:
• Organisation
• Time.
The organisational scope refers to the organisational units in a company
for which the security system and its documentation are relevant. Normally
all units are included. Exceptions may be outsourced units, subsidiaries or affiliated
companies. In times of transition, for example after a merger, the possibility exists
that certain departments, which may be using different IT systems, are controlled in
a different fashion. These exceptions have to be documented accordingly.
Temporal restrictions of the scope refer to version levels. Every document has a
version number referring to the main document. The validity statement refers to the
current version, exceptionally sometimes also to sections of past versions. In any
case, the latest update is relevant. This comprises statements as to how individual
documents are processed. Changes are to be recorded in a version history up to the
final release.
9.2.1 Normative References
The whole subject of IT security is also influenced by national standards and
directives, some of which will be briefly mentioned. Detailed information can be
obtained from the original documents: