As part of the security of IT systems and networks, all responsibilities must be clearly defined in the organisation. The board of management appoints the officers, along with their areas of competence. Each officer looks after the implementation of security policies within their area. These officers also take part in the annual review.
The CS (Head of Security) and the CSSI (Information Systems Security Officer) act as security coordinators. To this end, they each have the following responsibilities in their areas:
The respective managers of the organisation’s assets should:
The CS and CSSI positions are specifically related to security management for the organisation. The CS and the CSSI draw up, organise, and maintain security. They are the coordinators and the in-house contacts in this area. They are permanent members of the Security Committee, and it is their responsibility to treat all security incidents with the necessary level of care.
These are transversal roles in relation to the hierarchical structure of the organisation, which enables them to act and hold authority over everything relating to security. They are invited to management discussions when opinions in the field of security are required. They also represent the main contact point for external authorities and various specialist groups.
The security policy should define a procedure to be followed for the addition of any information processing tool.
The addition of new hardware or software (SMEs: see Use of unapproved software and Insertion or removal of hardware and Invalid or non-existent licence and Misuse of organisation’s resources) within the company must be approved by the relevant officer (see definition of responsibilities in point 1 of this chapter). The installation of software downloaded from the Internet falls into this category. This procedure should also be applied for the use of private tools within the organisation, especially if they are connected to a network.
The organisation should be in contact with an IT technology security specialist. This will be the favoured contact for all aspects of IT security. They will especially play a role in:
The director appoints a specialist company to take charge of this activity.
The organisation can decide to appoint an external specialist to conduct an annual review of the security policy. The aim of this review is to check that the policies are suitable for the business of the organisation and that they are properly implemented on the ground.
Access – be it physical or logical (access management) – to the resources and information belonging to the organisation by third parties should be granted within a strict framework. Their access must be formally approved by a manager. The relevant parties should work under the direct supervision of a member of the organisation, or sign the document given in the appendix: ‘Security compliance agreement for sub-contractors of the organisation’ (SMEs: see Infiltrating the premises; Aggravated theft; Device recovery; Insertion or removal of hardware).
In any event, the service agreements relating to the sensitive resources of the organisation must include provisions relating to the protection of these resources.