IT Baseline Protection Manual S 2.225 Assignment of responsibility for information, applications and IT components


Initiation responsibility: Agency/company management, Head of IT Section, IT Security Management

Implementation responsibility: Technical managers, Administrators, employees

To achieve an extensive level of overall security, everyone in the organisation must be involved in implementing the necessary IT security measures. For all information, applications and IT components, it should therefore be specified who is responsible for them and their security. Those responsible should always be specific persons rather than abstract groups, so that it is clear at any time who is responsible. In the case of more complex information, applications and IT components, all those responsible should be specified by name.

Conversely, all staff should know what information, applications and IT components they are responsible for and what exactly their responsibilities entail.

Every employee is responsible for anything in his area of influence unless explicitly directed otherwise. For example, Management is responsible for all basic decisions regarding the implementation of a new application; the head of the IT Section and IT Security Management are responsible for drawing up the security requirements; the Administrators are responsible for implementing them correctly; and the users are responsible for handling the associated information, applications and systems with due care.

Technical managers, as the "owners" of information and applications, must ensure that

Technical managers must decide together with IT Security Management how to deal with any residual risk.


© Copyright by Bundesamt für Sicherheit in der Informationstechnik. Last update: July 2001