
iFour Consultancy

A6 : Organization of Information Security

A.6 Organization of Information Security

The administrative structure of the organization and its relationships with external parties must promote effective management of all aspects of information security.

Includes maintaining the security of the organization's information, its processing facilities, and any information or facilities that are accessed, processed, communicated to or managed by external parties.

1. Internal Organization
2. Mobile Devices and Teleworking

Software Development Companies in Indi

A.6.1 Internal Organization

Objective: To establish a management framework to initiate and control the implementation and operation of information security within the organization.

NOTE: This is a generic structure chart. One should replace it by one describing a particular organization's actual management structure for information security.

Boxes in the generic structure chart:

- Executive Committee, chaired by the Chief Executive Officer
- Audit Committee, chaired by the Head of Audit
- Security Committee, chaired by the Chief Security Officer (CSO)
- Risk Committee, chaired by the Risk Manager
- Local Security Committees, one per location
- Information Security Manager
- Security Administration
- Policy & Compliance
- Risk & Contingency Management
- Security Operations
- Information Asset Owners (IAOs)
- Site Security Managers
- Security Guards
- Facilities Management


A.6.1 Internal Organization (Contd.)

- A.6.1.1 Information security roles and responsibilities
- A.6.1.2 Segregation of duties
- A.6.1.3 Contact with authorities
- A.6.1.4 Contact with special interest groups
- A.6.1.5 Information security in project management


A.6.1.1 Information Security Roles and Responsibilities

Control: All information security responsibilities shall be defined and allocated.

Note: Before defining and allocating responsibility to individuals, the company should create an organizational chart.

- Identification of the individual/individuals responsible for the security of each information facility
- Clear definition and identification of assets and associated security controls for each information facility


A.6.1.2 Segregation of Duties

Control: Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets.

Two primary objectives:

- The first is the prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors.
- The second is the detection of control failures that include security breaches, information theft, and circumvention of security controls.


A.6.1.3 Contact with Authorities

Control: Appropriate contacts with relevant authorities shall be maintained.

The following points could be included:

- Specification of the manner and timing in which breaches shall be communicated to external authorities so as to ensure appropriate reporting
- Development of procedures, policies and contact lists that specify by whom and when external authorities should be contacted


A.6.1.4 Contact with Special Interest Groups

Control: Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.

A.6.1.5 Information Security in Project Management

Control: Information security shall be addressed in project management, regardless of the type of the project.

- The control sets out the basics of how information security should be considered as part of the overall framework of project management within the organization
- Creation of a mini-ISMS within the project to ensure that risks are identified and managed


A.6.2 Mobile Devices and Teleworking

Objective: To ensure the security of teleworking and use of mobile devices.

Applicability:

- Mobile phones
- Media and portable storage devices
- Desktop computers used off-premises
- Notebook, palmtop and laptop computers


A.6.2.1 Mobile Device Policy

Control: A policy and supporting security measures shall be adopted to manage the risks introduced by using mobile devices.

- Regular data backups for stored sensitive data
- Physical security measures
- Secure communication methods for transmitted data, such as a Virtual Private Network
- Updates for the operating system and other software
- Access control and appropriate user authentication (biometric-based)
- Cryptographic methods for sensitive data
- Protective software such as anti-virus and others


A.6.2.2 Teleworking Policy

Control: A policy and supporting security measures shall be implemented to protect information accessed, processed or stored at teleworking sites.

- Environmental and physical security measures
- Policies concerning safety of private property used at the site
- Appropriate user access control and authentication
- Security measures for wireless and wired network configurations at the site
- Cryptographic techniques for communications from/to the site and data storage
- Data backup at regular intervals and security measures for those backup copies


Management Commitments

- Visible support and clear direction for information security initiatives, which includes providing appropriate resources for information security controls
- Assurance of formulation, review and approval of an appropriate organization-wide information security policy
- Coordination of information security efforts all over the organization, including committee(s) and designation of information security officer(s)
- Appropriate management controls over new information capabilities, systems and facilities, including the planning for the facilities
- Reviews at regular intervals of the effectiveness of the information security policy, including updating of the policy as needed and external review as appropriate.


References

1. http://it.med.miami.edu/x2227.xml
2. http://it.med.miami.edu/x1771.xml
3. https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0CC4QFjAA&url=http%3A%2F%2Fwww.iso27001security.com
4. iFour Consultancy's ISMS policy documentation, http://www.ifour-consultancy.com
5. http://www.csoonline.com/article/2123120/it-audit/separation-of-duties-and-it-security.html
