Information Technology Reference
In-Depth Information
Table 9.1 Checklist IT security

Does an IT security management exist?
    IT security management deals with all security aspects concerning implementation and operation of IT installations

Have the concerns of IT security management been documented?
    Pre-condition for an effective IT security management is the relevant documentation

Are current IT standards taken into account with respect to security management?
    ISO/IEC 13335, 17799, 27001

Have IT security criteria been documented?
    Security is classified according to such criteria as confidentiality, availability, integrity etc.

Will the participants of IT security trainings acknowledge their participation by signature?
    The participation in security trainings should be documented in the interest of all parties concerned

Is the adherence to security directives monitored regularly?
    The monitoring of the adherence to security directives should follow a dedicated action plan

Table 9.1 summarises the strategic preconditions for establishing an IT
security management.
9.3.3 Approval Process
Organisational procedures have to be introduced to secure the approval of different
services or objects, including:
- Allocation of accounts
- Access authorisation to applications and
- Control over terminal devices.
Normally three parties are involved in this process:
- Applicant
- Supervisor and
- Clearing officer.
The transaction has to be documented, and downstream organisational units have
to be informed (controlling, procurement etc.). Once the applicant leaves the
organisation, all authorisations become invalid and have to be withdrawn.
9.3.4 Confidentiality
Another important measure to improve the security of an organisation is the
commitment to confidentiality. Generally such a commitment is governed by the
work contract, so that no separate documents have to be drafted. Furthermore, these
regulations remain valid after a person has left the organisation.