IT Baseline Protection Manual S 2.202 Preparation of an IT Security Organisational Manual

S 2.202 Preparation of an IT Security Organisational Manual

Initiation responsibility: IT Security Management Team

Implementation responsibility: Head of Organisational Section

During the IT security process, not only are the documents mentioned in the safeguards described here produced; during the implementation phase, additional rules are also developed that cover either the entire organisation or particular jobs. Procedural rules and instructions on the actions to be taken are written down, and these must be available to every employee as the basis for what he does, or refrains from doing, at the workplace. These rules must be compiled and made available to each target group in a suitable form.

Whereas the documentation of the IT security process is an essential tool for the IT Security Management Team, the IT Security Organisational Manual serves as a set of guidelines for all staff affected by the IT security process. In practice, sections of these recommendations are issued under names such as "PC Guidelines" or "IT User Guidelines". Different target groups within the organisation need different rules: all are geared towards the same key statements, but each also contains information on the rights and duties specific to a given function. In this way, sets of guidelines specifying the tasks and responsibilities of the different target groups are prepared. Such guidelines could be structured, together with superordinate chapters, into an IT Security Organisational Manual as shown below:

IT Security Organisational Manual
Chapter 1 Information Security Policy of the organisation
Chapter 2 IT security guidelines derived from the ISP
2.1 IT systems
2.2 IT applications
Chapter 3 IT Security Management
3.1 Organisational structure
3.2 IT security-specific tasks
3.3 Responsibilities for meeting security requirements
3.4 Operational structure for the proper and secure use of IT facilities
3.5 Strategic elements of IT security management
Chapter 4 Guidelines on IT security
4.1 Guidelines for IT users
4.2 Guidelines for IT administrators
4.3 Guidelines for technical managers
...
4.n Rules for other responsibilities
Appendices
A IT workstation
A.1 Service instructions for the secure use of IT
A.2 Handling of secure facilities
B Operators
B.1 Service instructions for system operators and administrators
B.2 Handling of secure facilities
...

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
last update:
October 2000