Organizations very often delegate all information security considerations to their IT department. Consequently, the manager of that department is held accountable for security issues, and most of the time must assume this responsibility without additional resources, within the limits of the current operating budget.
This approach is ill-suited to security requirements and issues, which extend well beyond the IT environment alone:
- Before the appropriate security mechanisms are implemented, information assets must be identified and classified according to their importance to the organization. If management does not take part in this exercise, the tools that are implemented may not match the organization's requirements.
- Security mechanisms are not necessarily technical: they can also be policies and guidelines for employees, suppliers, clients, etc.
- A security breach can have legal consequences that engage senior management's liability. It is therefore crucial that senior management be actively involved in this endeavour.
For all these reasons, responsibilities for information security must be clearly defined:
- Your organization's senior management must take the lead on information security, in the broad sense of the term;
- The IT department is responsible for implementing the technological tools needed to ensure information security, in compliance with the direction set by management.
Lastly, addressing information security in the broad sense and involving senior management will make it easier to draw the line between:
- Your department's day-to-day operations
and
- The actions undertaken to carry out the organization's information security direction.