S 2.201 Documentation of the IT security process

Initiation responsibility: IT Security Management Team

Implementation responsibility: IT Security Officer

The individual phases of the IT security process and the results of the process should be documented. Such documentation is important to maintaining IT security and hence to ensuring that the process continues to develop in an efficient manner. It facilitates identification of the causes of problems and operations which have gone wrong and their elimination. It is important here that not only should the latest version of the documents concerned be easy to get hold of, but central archiving of superseded versions should also be undertaken. This will ensure continuous traceability of developments in the area of IT security, so that it is clear what decisions have been made.

Documentation of the IT security process should as a minimum extend to the following documents:

• Information Security Policy,

• schedules of IT assets (including connectivity plans etc),

• IT security concept(s),

• plans for implementation of IT security measures.

• procedures for the proper and secure use of IT facilities,

• documentation of reviews (checklists, interview notes etc.),

• minutes of meetings and decisions made by the IT Security Management Team,

• management reports on IT security,

• IT security training plans and

• reports on security-relevant incidents.

It is the task of the IT Security Officer to keep documentation up-to-date at all times. He should also ensure that controlled access to the documentation is possible. Here he must ensure that information can be passed to authorised persons rapidly, while at the same time safeguarding the confidentiality of details internal to the organisation.

Additional controls:

• Do procedures aimed at safeguarding the confidentiality of documentation exist?

• How up-to-date are existing documents?