security processes. When talking about IT security management, it is understood
that the whole complex of IT and communication security is meant.
IT security is achieved by a number of conceptual and organisational measures
as well as by necessary technical preconditions, which are essential to reach defined
security objectives. These are the areas of concern:
• IT processes
• Computer systems
• Hardware
• Software
• Communication installations
• Data and
• Documentation.
Security and Safety Engineering is the platform on which technical preconditions
for IT security can be created. The requirements can be derived from security
criteria specific to a company, determined by the hierarchy after consulting with
security experts. Among them are such classical criteria as
• Data integrity
• Confidentiality etc.
together with, for example, availability and authenticity. If a company deploys
wireless communication networks, these criteria will be different from those for
pure LAN applications. The main basis at the top level should be a mutually agreed
and communicated security policy. Security policy should be positioned as part of
the company's guiding principles, and should be furnished with the necessary
competences at top management level.
On the basis of these definitions, documents structured in hierarchical order are
drafted on the various execution levels, transforming these guiding principles into
directives to be filled with life.
9.3.2 Security Organisation
As a matter of course, all employees, and therefore all members of a project team, have
to be briefed about all valid security directives in a company. This may happen at the
time of account provisioning by transmitting this information with other account
instructions. In some cases, such as WLAN operation, the person in question should
receive the pertinent instructions. Instructing administrators should be obligatory in
any case, since these persons have access to sensitive company and configuration data.
Security requirements for administrators normally exceed those of common users.
After successful training, instruction and receipt of the relevant security
documentation, every employee has to acknowledge by his signature on a special form
that he has been informed, that he agrees with the directive and will respect it. The
signed acknowledgement has to be archived by the IT security organisation.