S 2.1 Specification of responsibilities and of requirements for the use of IT

Initiation responsibility: Agency/company management

Implementation responsibility: Head of IT Section, Head of organisation

For the functional areas of "IT use" and "IT security", responsibilities as well as authorities must be specified.

For "IT use", the responsibility for substantive tasks and operational responsibility must be laid down. The person responsible for substantive tasks has to develop the specific requirements to be implemented in an IT procedure. On the other hand, operational responsibility covers the following tasks, inter alia:

• data acquisition

• work scheduling and preparation;

• data processing

• post-processing of data output;

• data media management and

• monitoring of procedural execution.

Overall regulations governing "IT security", as an aspect of IT use, must be laid down in a binding form. It is advisable to lay down regulations on:

• data backup

• keeping data archives,

• transport of data media

• data transmission

• destruction of data media

• documentation on IT procedures, software, IT configuration;

• use of passwords;

• entry rights

• access rights

• resources control

• resource management

• purchase and leasing of hardware and software;

• maintenance and repair work;

• software: acceptance and approval;

• software: application development;

• data privacy,

• protection against computer viruses;

• auditing

• emergeny precautions and

• approach in case of infringement of the security policy.

. Information regarding the above can be found in the following safeguards descriptions.

These regulations must be made known to the staff concerned in a suitable way (see S 3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions). A written record of the announcement of these regulations is recommended. In addition, all regulations, in their current version, must be kept in a given place and be made available to those having a justified interest.

The existing regulations must be kept up to date so as to avoid misunderstanding, uncertain allocation of responsibilities, and inconsistencies.

Additional controls:

• Which provisions are in force?

• Are such regulations revised on a regular basis?

• How are the staff informed of these regulations?