Organization of information security

Objective • The organization’s administrative structure and its relationships with external parties should promote effective management of all aspects of information security.  This includes maintaining the security of the organization's information, its information processing facilities, and any information or facilities that are accessed, processed, communicated to or managed by external parties.

Management commitment • Management at all levels should actively support security within the organization with clear direction, demonstrated commitment, and explicit acknowledgement of information security responsibilities.  This could include:

  • clear direction and visible support for information security initiatives, including providing appropriate resources for information security controls;
  • coordination of information security efforts across the organization, including designation of information security officer(s) and committee(s);
  • assuring formulation, review and approval of appropriate organization-wide information security policy;
  • periodic reviews of the effectiveness of information security policy, including external review as appropriate, and updating of the policy as needed; and
  • appropriate management controls over new information facilities, systems and capabilities, including the planning for such facilities.

Allocation of responsibilities • All information security responsibilities should be clearly defined.  This could include:

  • identification and clear definition of assets and associated security controls for each information facility; and
  • identification of the individual or individuals responsible for security for each information facility.

Coordination of efforts • Information security activities should be coordinated by representatives from different parts of the organization with relevant security roles and job functions.  This could include:

  • ensuring that all information security controls are executed in compliance with the organization’s information privacy and security policies;
  • coordinated efforts to assess the adequacy of implemented controls, and to recommend additional measures based on the assessments;
  • proposing refinements to assessment methodologies and processes (e.g., risk assessment) subject to management approval;
  • evaluating information security incident management data from across the organization, reporting these data to appropriate management, and recommending appropriate action based on the data;
  • identifying significant threat and vulnerability changes, both internal and external, and recommending appropriate action; and
  • promoting security awareness and training for all persons affiliated with the organization.

Authorization processes • A management authorization process for new information processing facilities and capabilities, or for significant changes to existing facilities and capabilities, should be defined and implemented.  This could include:

  • formal approval of purpose and use for each new system, or for existing systems that are materially changed;
  • certification that hardware/software used by the new (or changed existing) system meets organizational standards;
  • approval of any non-standard functions, locations, or users, including approval of any personal, privately-owned or extra-organizational hardware/software/facilities to be used; and
  • certification that the new (or changed existing) system complies with all applicable security controls mandated by the security policy.

Confidentiality and non-disclosure agreements • Requirements for confidentiality and non-disclosure agreements (C/NDA) should reflect the organization's needs for protection of information.  Such agreements should be periodically reviewed.  This could include:

  • definition of the information, information type(s) or information system(s) to be protected;
  • C/NDA agreements for that information written in clear, legally enforceable terms that satisfy all relevant statutory, regulatory and private certification requirements;
  • responsibilities of signatories, including limitations on use or disclosure of information and adherence to security controls;
  • terms of ownership of information, including any trade secret or intellectual property requirements;
  • expected duration of the agreement;
  • required actions when the agreement is terminated, including requirements to return or destroy information;
  • right to monitor compliance with the agreement;
  • processes for reporting of and notice of breaches; and
  • expected actions to be taken in the event of a breach.

Contacts with authorities • Appropriate contacts with external authorities should be maintained.  This could include:

  • development of policies, procedures and contact lists that specify when and by whom external authorities should be contacted; and
  • specification of the timing and manner in which breaches shall be communicated to external authorities, to ensure appropriate reporting.

Contacts with special interest groups • Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.

Contacts and contracts with external parties • Agreements with third parties that involve accessing, processing, communicating or managing the organization's information or information processing facilities should cover all relevant security requirements.  Content of such agreements could include:

  • the applicable information security policy or policies of all contracting organizations;
  • necessary controls to ensure compliance with these policies;
  • requirements for user and system administrator awareness and training efforts;
  • responsibilities related to hardware/software selection and configuration;
  • a clear and specific process of change management;
  • a clear and specific process of incident management, including requirements for reporting, notification and investigation;
  • problem resolution processes, including escalation steps;
  • overall reporting structure, report contents and frequency, and reporting formats;
  • levels of acceptable/unacceptable service and service continuity;
  • definitions of verifiable performance criteria;
  • rights to monitor and audit activities;
  • intellectual property rights and ownership of data;
  • policies regarding subcontractors; and
  • conditions for renegotiation/termination of the agreements.

Contacts and contracts with customers • All identified security requirements should be addressed before giving customers access to the organization's information or assets.  Control considerations are similar to those for other external parties.

Independent review of information security • The organization's approach to managing information security and its implementation should be reviewed independently at planned intervals, and when there are significant changes to internal structure or the external environment.

SOURCES: ISO/IEC 27001:2005 and ISO/IEC 27002:2005, sects 6.1.1 – 6.1.8, 6.2.1 – 6.2.3.