This note aims to explain and provide a basic understanding of internal and external security requirements. Additionally, it describes the role of a Security Officer and how they manage and review the dependencies of cyber security.

Requirements

There are external and internal security requirements, which means that the security and obligations of your organization depend on the surrounding suppliers, departments, regulations, laws, and processes.

External requirements can come from governments and industry associations. They provide guidelines that you are required to follow, and you must ensure that all your existing internal regulations comply with newly enacted laws and regulations.
The situation of an organization must be constantly evaluated and reviewed. Undoubtedly, one simply cannot manage all of the regulations alone. Security requirements assessments are usually performed by a team that is managed by a Cyber Security Officer.

But how are security requirements determined? There are three steps you can follow to do so:

  1. Identify the fields or business areas with potential security requirements
  2. Assess the external and internal security requirements for the affected fields and business areas
  3. Define additional requirements together with the responsible parties

Organize your Cyber Security

Cyber security doesn't bring any profits, which is often a problem. Certain implementations can cost a lot of money, and you won't really witness much of a return on investment. Nonetheless, it needs to be done and, more importantly, it needs to be maintained. If you are in cyber security you won't get past the term ISMS, which stands for information security management system. It is a cost-intensive but also an effective tool for, as the name suggests, managing information security. This leads us to the question "How do we effectively manage and maintain an ISMS?"

The first step is to determine the laws, regulations, and frameworks that are relevant to your organization. Document and maintain internal regulations and instructions. Keep in mind that regulations and instructions are not the only things that need to be documented: also ensure that the structure, the positions, and the corresponding scope of duties, competences, and responsibilities are properly documented.
Once this is in place, document the processes and procedures of IT-Security controlling, the security strategy, concepts, and measures.
Lastly, provide information on IT-Security in projects and on emergency precautions.

To expand an ISMS you want to use an IT-Security forum. It has a defined set of tasks to help you with your plans.
It adopts and reviews the IT-Security strategy that has been built by your organization. It also specifies the security objectives and the corresponding responsibilities in the form of policies and instructions. An IT-Security forum gives you insight into security breaches through analysis and corresponding reports.
Once your IT-Security forum is in place, important decisions are ideally made by the management board and the IT Security Officer.

Roles in an organization

The work of a Cyber Security Officer depends on the size of an organization. In a small enterprise it might be just a part-time position, whereas in a medium to large-scale enterprise it could be a full-time position acting as an independent organ of the management board. The Cyber Security Officer works with and protects internal business information. But what about personal data that is under the regulation of the DSG?

This is the responsibility of the Data Protection Officer, who manages all the relevant regulations and makes sure the organization's use of data is compliant with the DSG. This role is similar to the Cyber Security Officer's, but the Data Protection Officer works exclusively with personal data.

Neither of them is always able to correctly estimate and assess risks. This is why the support of a member of the affected organizational unit is required. These members are the "responsibles for risk" and are determined by the Cyber Security Officer.

There is also the emergency response team, which consists of the business manager, the Cyber Security Officer, a member of the management board, and a representative of the affected organizational unit. They use an RMS (risk management system) to assess the risks and act accordingly. It might be said that an RMS is often included in an ISMS.

Well, I hope this note covers this topic as briefly and informatively as possible. The key takeaways are internal and external requirements and the cyber security roles and groups in an organization. The IKS, ISMS, and RMS should all be covered in this note but are too big to summarize quickly. Sooo.... It will be a separate article.

Last modified: September 11, 2020
