Principle 3 - Assignment of Responsibility for Information Security
A key principle of any information security is the assigning of responsibility for your tasks associated with information security.
There will be tasks that you need to carry out to ensure that the systems are well managed, are effective and that there is appropriate protection against the loss of availability, confidentiality and integrity of the information. Therefore, you need to have a philosophy of holding people responsible for undertaking their tasks.
This responsibility goes hand-in-hand with two important aspects:
- Accountability. If those tasks aren’t performed by the responsible person(s) then they are held accountable for not following process.
- Authority. Each of the tasks will have an associated authority to have the power or right to give orders, make decisions, and enforce compliance.
One of the easiest ways to define responsibility is to document these in policies, procedures, work instructions or position descriptions.
Position Descriptions (PD) will be the best way for you to summarise people’s responsibilities and tasks. They bring multiple documents together to a single, easy-to-understand summary. Your staff can then just refer to their PD and instantly understand your organisation’s requirements for information security.
In the past, most position descriptions were created when someone started in a job and after that were never referred to again. They may have been looked at for a performance review. They may have been referred to during some disciplinary activity. Sometimes a Manager may have taken a cursory glance at the PD (that’s if they can find it) and then perhaps take a moment or two to see if the document is up-to-date. And in general, that’s about it.
This is not how PD’s should be viewed – they are a central part of your ISMS. They define what your employees do, how they do it, and who they do it with. PD’s are where authority and responsibility are clearly laid out. And because responsibilities, skill-sets, technology, and organisational structure are prone to change, you should regard PD’s as important, living documents.
You need to constantly update these PD’s (perhaps quarterly) in order to ensure latest technologies and changes are taken into account. All changes should be clearly communicated to your staff to ensure that they are always fully aware of what’s what.
Making sure people are held responsible for their tasks and actions is a key principle to keep in mind for your ISMS. It's something that you must constantly be alert for. This is particularly important for teams. If everyone is responsible then no one is responsible. People can hide in teams. You need to be "on-your-toes" to ensure that responsibility is well managed.
Learn More:
- Information Security - Principle 1 - Assignment of Responsibility for Information Security
- Information Security - Principle 2 - Awareness of the need for information security
- Information Security - Principle 4 - Incorporating management commitment and the interests of stakeholders
- Information Security - Principle 5 - Enhancing Societal Values
- Information Security - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk
- Information Security - Principle 7 - Security incorporated as an essential element of information networks and systems
- Information Security - Principle 8 - Active prevention and detection of information security incidents
- Information Security - Principle 9 - Ensuring a comprehensive approach to information security management
- Information Security - Principle 10 - Continual reassessment of information security and making of modifications as appropriate
