IT Baseline Protection Manual S 2.200 Preparation of management reports on IT security

S 2.200 Preparation of management reports on IT security

Initiation responsibility: IT Security Management Team

Implementation responsibility: IT Security Management Team

The tasks of the IT Security Management Team include supporting Management in the execution of its overall responsibility for IT security. A major tool for use here is a report on the current IT security situation. The aim of such a paper should be to provide Management with the information it needs to make the decisions it has to make.

A basic distinction should be made here between two different forms of management report.

1. Regular management reports

The effect of submitting "IT security" management reports as regularly as possible is to ensure that this subject is kept fresh in the minds of Management. In this way, management reports serve to some extent as a tool for raising the IT security awareness of those in positions of overall responsibility. For this reason, such a report should be prepared at least once a year.

The "IT Security" management report should cover the following areas:

The report should also consider any further developments expected in organisation-wide IT security.

2. Event-triggered management reports

As well as regular management reports on IT security, it may also be necessary to prepare event-triggered management reports if IT security problems occur unexpectedly or because of risks associated with new technical developments. These are needed above all when it turns out that these problems cannot be resolved "at shopfloor level" because, for example, extra material resources are needed over and above those approved or extensive staff-related rules need to be modified or drawn up. IT security incidents such as global computer virus attacks (e.g. Melissa or Loveletter e-mails) are constantly hitting the mass media headlines. It has proved appropriate to also prepare management reports in these instances in order to show the extent to which this organisation has been affected by these security incidents.

When writing management reports it should be borne in mind that the people who will be reading them are generally not technical experts. Accordingly, the text should be concise and easy to understand. The author should concentrate on the major points, i.e. in particular on existing vulnerabilities but also on successes achieved, and not attempt to convey a "complete" picture.

Management reports - especially those prepared in response to particular events - should always end with a list of recommended actions, clearly prioritised, together with a realistic assessment of the expected cost of implementation of each of these actions. This will ensure that the decisions needed can be obtained from Management without undue delay.

Wherever possible, the "IT Security" management report should not simply be provided to Management in writing but should also be presented in person by a member of the IT Security Management Team. Personal delivery of the report in this way allows special emphasis to be placed on important points, especially on any existing or anticipated security defects. At the same time, the person responsible for IT security making the presentation is directly available for further questions and also to provide fuller explanations, and experience shows that this in turn speeds up the decision process. At the same time, such personal contact offers the opportunity to establish a "small official channel", whose existence could prove extremely useful in an emergency. Instead of or in addition to personal presentation of the management report, another option which should be considered is to make one senior manager who has the appropriate technical background and interest available as a point of contact. Such a course of action can also prepare the way for Management decisions and eliminate problems in advance.

As part of the ongoing IT security process, all the "IT security" management reports, if appropriate annotated with the decisions made, should be archived in a systematic fashion together with the other IT security-relevant documents and be made readily accessible to all those in positions of responsibility for security on demand (see S 2.201 Documentation of the IT security process).

As the IT security management reports will generally contain sensitive information about existing security loopholes and residual risks, they must be kept confidential. Reliable means must be adopted to ensure that they are not disclosed to unauthorised persons.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update:
October 2000