For the second entry in our ISO 27001:2013 series we discuss the Internal Organization category in the Organization of information security clause. The category covers how your organization's security should be organized: who should do what, and who is responsible for what. In many enterprise organizations this is defined in a RACI chart, but it is something all organizations can benefit from. People need to know whose responsibility it is to do which tasks and who is accountable for ensuring they are completed correctly; without this there is always a risk that gaps will appear and tasks will not be done.
6.1.1. INFORMATION SECURITY ROLES AND RESPONSIBILITIES.
To ensure that any tasks discussed in your security policies are fulfilled, it is important that roles and responsibilities are designated. This gives accountability and responsibility to ensure duties are carried out. This ties into the previous sections where we discussed policies: the roles and responsibilities should be included in those policies. For example, who is responsible for organizing the response to incidents? Who reviews systems to ensure they are compliant with GDPR? The list of roles and responsibilities can get very long, but it is essential that every employee knows what is expected of them.
6.1.2. SEGREGATION OF DUTIES
Separation of duties is one of the most well-known and important IT security tenets. It is a key concept in the CISSP, CISA, Security+ and a variety of other certifications, and even in regulations and laws such as the Sarbanes-Oxley Act in the United States of America. The control deals with the risks associated with one person having too much power. To give an example of a risk this control addresses: if an employee can both write and sign checks, they can easily write out a check to themselves and sign it. This is an example of where there is no control in place for the separation of duties. If we were to implement this control in this situation, that employee would be able to write a check but would need another employee to sign it. Similar risks occur frequently in an organization and can impact it in a variety of ways, not just the financial one in this example. To give a security example, many data centers have dual controls that prevent a single person from gaining physical access to a server: two people need to be present before the cage is opened, possibly with two separate locks to open.
Having controls in place to enforce a separation of duties and having this in policy documents can give us protection and mitigate these types of risks.
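The check-signing and dual-control cage examples above are two instances of the same rule: the person who initiates an action may not approve it, and where several approvals are required they must come from distinct people. The following is an added illustration, not code from the original post; it models a generic approval workflow (the `Action` class, `approve` function and all names are assumptions for the example) that enforces both constraints so the single-signer check and the two-person cage both fall out of one check.

```python
"""Separation-of-duties enforcement for an approval workflow (added example)."""
from dataclasses import dataclass, field


class SeparationOfDutiesError(Exception):
    """Raised when one person would hold conflicting duties on one action."""


@dataclass
class Action:
    action_id: str
    description: str
    initiator: str            # who wrote the check / requested cage access
    required_approvals: int   # 1 for a check signature, 2 for a dual-control cage
    approvers: list = field(default_factory=list)

    @property
    def approved(self) -> bool:
        return len(self.approvers) >= self.required_approvals


def approve(action: Action, approver: str, authorized: set) -> Action:
    """Record an approval, refusing any that would collapse two duties into one person."""
    if approver not in authorized:
        raise PermissionError(f"{approver} is not an authorized approver")
    if approver == action.initiator:
        # The writer of the check must not also be its signer.
        raise SeparationOfDutiesError(
            f"{approver} initiated {action.action_id} and cannot approve it")
    if approver in action.approvers:
        # Dual control means two *different* people, not one person twice.
        raise SeparationOfDutiesError(
            f"{approver} already approved {action.action_id}; distinct approvers required")
    action.approvers.append(approver)
    return action


if __name__ == "__main__":
    # Constructed sample data: alice writes a check, bob signs it.
    check = Action("CHQ-1", "check to vendor", initiator="alice", required_approvals=1)
    approve(check, "bob", authorized={"alice", "bob"})
    print(check.action_id, "approved:", check.approved)

    # Constructed sample data: carol requests cage access; dave and erin must both be present.
    cage = Action("CAGE-7", "open rack cage", initiator="carol", required_approvals=2)
    approve(cage, "dave", authorized={"carol", "dave", "erin"})
    print(cage.action_id, "approved after one person:", cage.approved)
    approve(cage, "erin", authorized={"carol", "dave", "erin"})
    print(cage.action_id, "approved after two people:", cage.approved)
```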
6.1.3. CONTACT WITH AUTHORITIES.
A breach will, eventually, happen to your organization, as risk can never be completely eliminated. The organization needs to be prepared for such an event, and part of this is having procedures in place, with contact information, that instruct staff on how to contact the relevant authorities. These procedures should state whom to contact for each kind of breach, such as the contact details for the Data Protection Commissioner when Personally Identifiable Information is stolen, and should clearly state when those authorities must be contacted. This document should be readily available and staff should be made aware of it.
6.1.4. CONTACT WITH SPECIAL INTEREST GROUPS.
As security is always changing, it is important that your specialist staff keep in touch with updates and developments. This can be achieved in many ways, such as requiring that staff with certifications maintain their membership with the accrediting bodies, keep up with the required CEUs and fees for their certifications, and keep in contact with the local infosec community. Encouraging staff to attend industry events like OWASP talks, conventions such as DEFCON and other events to build strong networks can give your organization a deeper well of security knowledge to draw from. Likewise, encouraging staff to keep up to date using news sites, blogs and other resources is good practice to this end in a time-effective and budget-friendly way.
This not only gives your staff an up-to-date insight into new and developing threats but also allows them to draw on the community, gain mentors, exchange information and grow in their understanding of best practices to better prepare you for defending your organization and responding to threats.
6.1.5. INFORMATION SECURITY IN PROJECT MANAGEMENT.
Whenever we are planning a new project, whether it is infrastructure, an application, or something else, we should always include security in the earliest stages of planning, design, and management. Too often security is seen as an afterthought, tacked on at the end, if it is considered at all! By having project managers look at security from the very beginning, security risks and issues can be identified at the earliest stage of the project, when they are cheapest and easiest to deal with.
While we will look for security problems in the project itself, we should also look at new attack vectors that the implemented project could introduce and the potential risks that could result from it. As described in 6.1.1, defined roles and responsibilities for information security should be established so that all staff know their role in keeping the project secure throughout its lifespan.