S 2.196 Implementation of the IT security concept in accordance with an implementation plan

Initiation responsibility: IT Security Management Team

Implementation responsibility: Head of IT Section, IT Security Management Team

Once the IT security concept has been prepared, it must be put into practice. A distinction must be made here between a conceptual design phase and the actual implementation.

During the conceptual design phase the basic suitability of every safeguard recommended for use on existing IT assets must be checked and the recommendations regarding safeguards must be fleshed out so that they can be used to generate organisation-specific rules. The IT security concept must therefore specify not only initiation responsibilities but also responsibilities for the implementation of the safeguards.

Initiation responsibility covers performing the groundwork necessary for effective implementation and also specification of objectives. This presupposes that the responsible person has the necessary resources available to him by right.

Initiation generally includes:

• specification of objectives together with a description of the expected planned state or the expected behaviour,

• the allocation of resources (working time, financial resources) and

• a realistic time target.

Implementation responsibility may be broken down into the formulation of rules, creation of aids, design of processes and the provision of information to the staff concerned. Strictly speaking, implementation terminates when a safeguard is applied in practice. Responsibility for implementation and application can be divided between several people. Implementation includes:

• the design of technical or organisational sequences of operations at the workplace,

• modification of task descriptions,

• the provision of instructions and information for security awareness promotion measures and training courses, and

• the provision of aids and implementation of the safeguard at the workplace.

Depending on the range and type of safeguard (technical or organisational), it may not always be possible to draw a clear-cut line between initiation and implementation. The implementation of safeguards frequently requires co-operation between several different positions. Thus, for example, persons with system responsibility are needed to procure, install and maintain technical facilities - for example, in the establishment of security interfaces - while on the other hand persons with organisational responsibility are needed to create and document the appropriate rules regarding their use.

A structured implementation plan is essential if the IT security measures identified are to be properly implemented. The IT Security Management Team is responsible for drawing up the implementation plan. Depending on their type and scope, the individual safeguards are implemented either by the user of the IT system concerned or a responsible IT adviser. Implementation of the safeguards must be supported by the IT Security Management Team. In particular, every employee must know in advance to whom he should turn in the event of any problems occurring.

The following should be documented in an implementation plan:

• name of the person responsible for implementation of a safeguard,

• priority of the safeguard to be implemented,

• statement of the time by which the safeguard must have been implemented,

• person to whom implementation of the safeguard must be reported, once complete,

• provision of resources (manpower, resource requirements, space requirements, costs).

It is a good idea to pave the way for or accompany implementation of the safeguards by providing appropriate training for the IT users and raising their security awareness (see safeguards S 2.197 Drawing up a training concept for IT security and S 2.198 Making staff aware of IT security issues).

Additional controls:

• Do the recommendations regarding security measures contained in the IT security concept define clearly who is responsible for initiation and implementation?

• Is there an implementation plan?

• Are reviews performed and documented?

• Is Management informed of the results?

• Are the rules for implementation of IT security measures documented?