Initiation responsibility: Agency/company management
Implementation responsibility: Head of IT Section; Head of Organisational Section; IT Security Management
The functions to be performed by the agency/company with regard to IT use must be laid down. Here, a distinction must be made between two levels:
The next step is to lay down and justify separation of functions, i.e. functions which are not compatible with each other and thus must not be performed by one person at the same time. The relevant requirements may be implied by the tasks themselves or by legal provisions. Examples include:
This shows, in particular, that in most cases operational functions are not compatible with controlling functions.
After the separation of functions to be observed has been laid down, the functions can be assigned to persons.
The provisions laid down in this context must be documented and updated whenever changes are made to IT use. If such assignments do result in incompatible functions having to be performed by one person, this fact must be explicitly mentioned in the relevant documentation on the separation of functions.
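The procedure above (declare incompatible functions, assign functions to persons, then record any unavoidable conflict explicitly) can be checked mechanically. The following is an added example, not part of the BSI text: function names, the declared incompatible pair and the documented exception are constructed sample data; the only rule taken from the text is that operational functions are by default not compatible with controlling functions.

```python
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Function:
    name: str
    kind: str  # "operational" or "controlling", the distinction the text draws


@dataclass
class SeparationPolicy:
    # Explicitly declared incompatible pairs (constructed sample values).
    incompatible: set = field(default_factory=set)
    # Conflicts that management has knowingly accepted and written down.
    documented_exceptions: set = field(default_factory=set)

    def conflicts(self, a: Function, b: Function) -> bool:
        pair = frozenset((a.name, b.name))
        # A declared pair always conflicts; otherwise apply the general rule
        # that operational and controlling functions must not be combined.
        return pair in self.incompatible or a.kind != b.kind


def check_assignments(assignments: dict, policy: SeparationPolicy):
    """Return (undocumented, documented) lists of (person, f1, f2) conflicts.

    Undocumented conflicts violate the separation of functions; documented
    ones are the explicitly recorded exceptions the text requires.
    """
    undocumented, documented = [], []
    for person, funcs in assignments.items():
        for a, b in combinations(funcs, 2):
            if not policy.conflicts(a, b):
                continue
            pair = frozenset((a.name, b.name))
            bucket = documented if pair in policy.documented_exceptions else undocumented
            bucket.append((person, a.name, b.name))
    return undocumented, documented


# Constructed sample data (hypothetical functions and persons, not from the page).
APP_DEV = Function("application development", "operational")
OPS = Function("production operation", "operational")
RIGHTS = Function("rights administration", "operational")
AUDIT = Function("IT audit", "controlling")

SAMPLE_POLICY = SeparationPolicy(
    incompatible={frozenset({APP_DEV.name, OPS.name})},
    documented_exceptions={frozenset({RIGHTS.name, AUDIT.name})},
)
SAMPLE_ASSIGNMENTS = {
    "Person A": [APP_DEV, OPS],   # declared incompatible, not documented -> violation
    "Person B": [RIGHTS, AUDIT],  # operational + controlling, but recorded exception
    "Person C": [RIGHTS, OPS],    # two operational functions, no declared pair -> allowed
}

if __name__ == "__main__":
    bad, noted = check_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_POLICY)
    for person, f1, f2 in bad:
        print(f"VIOLATION: {person} holds '{f1}' and '{f2}' without documented exception")
    for person, f1, f2 in noted:
        print(f"documented exception: {person} holds '{f1}' and '{f2}'")
```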
Additional controls:
© Copyright by Bundesamt für Sicherheit in der Informationstechnik, July 1999