Information security measurement roles and responsibilities

Abstract

An adequate information security management system (ISMS) to minimize business risks and maximize return on investments and business opportunities is increasingly recognized as a key differentiator. Thus legal compliance, commercial image and competitive edge are sustainably maintained. Because information security (IS) requirements (from the market, customers, technology, law or regulations) change ever faster, the effectiveness and performance of the ISMS must be continually evaluated and improved. Data must be recorded and analyzed, and, if necessary, appropriate corrective or preventive actions should be taken. For these measurement and improvement tasks, we have to assign roles and responsibilities. First, we define different roles and their tasks for IS measurement and improvement. Starting from the approved organizational structure, we assign the responsibilities for these roles to top and executive management. We then elaborate and document all relevant business processes with their supporting IT services and proceed through all technical layers, describing the relevant items with their dependencies and relationships. Responsibilities for the defined roles are assigned to entire processes, services and items systematically, consistently and traceably. This innovative, systemic, strategically aligned approach has been implemented successfully by different medium-sized organizations for several years. Based on our experience, IS awareness, IT alignment with business goals, service orientation, process and systems thinking, as well as the understanding of the requirements of other organizational units, were increased. © 2013 Springer Science+Business Media.

Stoll, M., & Breu, R. (2013). Information security measurement roles and responsibilities. In Lecture Notes in Electrical Engineering (Vol. 151 LNEE, pp. 11–23). https://doi.org/10.1007/978-1-4614-3558-7_2
