You have been hired by a large public university as the lead of IT security. The university has adopted Microsoft technologies for most of the IT applications. The Chief Information Officer has asked you to create a process for IT security risk assessment reviews for all IT purchases. Respond to the following questions:
> What are some key activities that managers need to be mindful of when creating a risk assessment policy?
> How would you start a ground up risk assessment process? Who should be involved?
> What will you need to review all applications purchased for IT?
Need 3 pages with peer-reviewed citations. No introduction or conclusion needed.
Organizing information security
It is both practical and sensible to consider the organization’s information security management structure at an early stage in the implementation process. This does, in fact, need to be thought through at the same time as the information security policy is being drawn up, as set out in Chapter 5. An effective information security management structure also enables the risk assessment (to be discussed in Chapter 6) to be carried out effectively.
The second control category in Annex A to the standard, in clause A.6.1, is ‘Internal organization’. Controls are selected to meet business, regulatory or contractual requirements (the baseline security criteria), or in response to the risk analysis (see Chapter 6); there is a business requirement to put an information security management structure in place from the start of the ISO27001 project. The control objective of control A.6.1 is to ‘establish a management framework to initiate and control the implementation and operation of information security within the organization’.
This objective encourages the creation of the management information security forum identified in earlier versions of the standard. More importantly, it no longer prescribes any specific management structure; the key requirement is management’s active support for, and commitment throughout the organization to, the ISMS project. Without this, neither certification nor the project itself will be successful. Control A.6.1.1 (clause 6.1.1 of ISO27002) says that information security responsibilities should be defined and allocated (which also reflects the requirement of ISO27001 clause 5.3) and explains what best practice expects in terms of the allocation of roles and responsibilities. At the same time, the competence requirements of clause 7.2 should also be considered.
ISO27002 echoes the requirement that managers should actively support security within the organization through ‘clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities’. In practical terms, this means that managers should set up a top-level forum or steering group to ensure that there is clear direction and visible management support for security initiatives within the organization. It could be part of an existing management body, which might be appropriate in a smaller organization where the members of the top management team will also, broadly, be the members of an information security forum. More usually, it will be a separate cross-functional body, adequately resourced for its responsibility, reporting to a member of the top management team and reflecting top management support and commitment. In this book, we will usually refer to this management group as ‘the forum’. The effectiveness of this forum will be fundamental to both the effectiveness of the ISMS and compliance with clauses 5.1, 5.2 and 5.3 of the standard.
ISO27003, the formal guidance on ISMS implementation, identifies roles for an information security committee and an information security planning team. The information security committee should have delegated management responsibility for information security within the organization. The information security planning team is responsible for planning implementation of the ISMS, resolving inter-departmental conflict and ensuring that the ISMS project runs to plan. In practical terms, in most organizations, the forum described earlier will usually evolve into an information security committee which effectively has governance responsibility for information security. In most organizations, it makes sense for the forum to have both roles: ownership of the ISMS and responsibility for planning and deploying it. In much larger organizations, it is usually sensible to follow the guidance of ISO27003: senior managers, who might be involved in the forum or committee, are not usually able to take part in the actual project work. Towards the end of the project, it is usually practical to merge the two groups, retaining an appropriate mix of roles and skills on the information security committee or future forum so that the ISMS can be maintained and developed after certification.
ORGANIZING INFORMATION SECURITY 57
An effective approach to establishing the forum would be to seek membership from all levels of the organization, and from all parts of the organization that are likely to be affected by the ISMS project. Including, for instance, those who handle incoming physical mail, IT helpdesk staff and user representatives will help the forum fully consider all relevant practical issues before making policy or procedure recommendations.
Once the ISMS has been fully established, the forum could become the information security committee identified by ISO27003, or could simply continue to be the forum. Either way, it should meet at least twice a year and preferably quarterly. All its activities should be formally documented, together with its decisions and the reasons for them. Copies of all material presented at the meetings should be retained, and subsequent meetings should track actions agreed, report on progress for each of them and document these steps. This group should be responsible for:
1 Identifying information security goals and strategy that meet the organization’s requirements; ensuring that goals are communicated and understood, checking whether there are adequate resources for achieving them, and whether the ISMS is properly integrated into the organization’s processes and business as usual.
2 The review and approval of the organization’s information security policy, which must be explicitly agreed and supported by top management; setting the scope of the ISMS; ensuring that information security objectives and plans are established; identifying internal and external issues and the requirements of interested parties; and agreeing how roles and responsibilities should be allocated. This should include appointing, or agreeing the appointment of, the manager responsible for information security within the organization, together with the key responsibilities of the role. This role could be given the explicit responsibilities identified in clause 5.3: to ensure that the ISMS conforms to the requirements of ISO27001 and to report to top management on the performance of the ISMS.
3 Ensuring that sufficient resources are provided to develop, implement, operate and maintain the ISMS.
4 Monitoring changes in exposure of key organizational information assets to major threats, deciding (within the context of any existing organizational risk treatment framework) acceptable levels of risk and ensuring that awareness of these threats is developed, as well as ensuring that the importance of complying with the ISMS is adequately communicated to the organization.
5 Ensuring that procedures and controls are implemented that are capable of promptly detecting and responding to incidents, as well as the review and oversight of information security incidents. Receiving reports from the information security manager on the status and progress of specific implementations, security threats, results of reviews, audits, etc., and ensuring that adequate steps are taken to implement findings or deal with non-conformities.
6 The approval of major initiatives (such as any individual initiative associated with the implementation of ISO27001) to improve information security within the organization, including security aspects of systems acquisition.
7 Establishing means of monitoring and ensuring compliance with the policy and reviewing the effectiveness of these measures periodically.
8 Ensuring that information security objectives and requirements meet the business objectives.
9 Ensuring that control implementation is coordinated and effective across the organization.
10 Ensuring that adequate steps are taken, on an ongoing basis, to continually improve the ISMS.
ISO27001 introduces, at clause 9.3, a requirement for a management review of the ISMS at planned intervals. In practice, these intervals should be agreed by the board, and a review should also take place whenever there have been significant changes to the organization’s risk environment or business organization, and at least annually. The review process is similar to that required by ISO9001, and ISO27001 sets out clearly and in adequate detail the minimum inputs and outputs expected of such a review, which, ideally, should be carried out by the forum and, again, involve top management. The inputs are all discussed at appropriate points in this book, and the information security manager should be made responsible for gathering together the inputs and communicating, to all concerned, the outputs (decisions) of the review.
Management reviews should be fully documented, with an agenda, with minutes and with follow-up actions. In integrated management systems, management review is likely to consider all aspects of the integrated management system: quality, environment, IT service management, information security and so on.
The information security manager
Although good practice expects one manager to be made responsible for the co-ordination of all security-related activities, this is not a specific requirement of ISO27001. There are potential conflicts between accepted good practice, the requirement for impartiality in ISO27001 clause 9.2 e), control A.6.1.2 on segregation of duties, and the resources actually available to the organization. One should pay particular attention to the standard, to the competences required of the role and to reality when finalizing these arrangements. It is also worth bearing in mind that the organization may, depending on the expertise of the person selected for the information security manager role, also need access to specialist information security advice; if this is not provided by the person who manages the ISMS, it could be provided by someone else. That is entirely a matter for the organization concerned.
Practical experience demonstrates that one person really will need to be charged with managing the ISMS project, and this person should be appropriately qualified. He or she could be appointed before the forum is set up, and his or her brief could include the formation of the forum. The benefit in this route is one of speed and, potentially, of simplicity. The board member who has been charged with responsibility for ensuring implementation of the ISMS could simply select and appoint an appropriate person and an initial project team, who could then take things forward. The selection and training of the members of a forum are potentially more time-consuming, and the period during which they are learning their roles will precede the point at which they are competent to select and appoint an appropriate information security manager. The organization may not wish to pursue this slower route.
While the information security manager does not need to be the same person as is appointed as the organization’s information security expert (the skill sets required for the managerial role, particularly in a larger organization, are likely to be different from those required for the security expert’s role), this person will still need adequate training in information security matters, and the discussion later in the chapter, headed ‘Specialist information security advice’, should be read in conjunction with this section. Obviously, the person selected for the managerial role will need to be an effective manager with well-developed communications and project management skills.
This manager should be charged with a number of defined and key activities. Depending on the culture and structure of the organization, these could include:
1 Establishing the management information security forum (unless the organization chooses to establish the forum first and then ask the forum to select the manager).
2 Formalizing, with the forum, a standard glossary of terms. Words like ‘risk’, ‘threat’ and ‘incident’ mean different things to different people, and it makes practical sense to have a standard corporate glossary that provides standard definitions of all the terms that are used for information security or in any of the management systems. ISO/IEC 27000 is a good place to start, in that it contains a full set of terms applicable to the ISMS. Other terms from other standards and frameworks (eg business continuity, ITIL or COBIT) could be added as required.
3 Developing, with the forum, the security policy, its objectives and strategy.
4 Defining, with the forum, the scope of the ISMS, taking into account internal and external issues and the requirements of interested parties.
5 Briefing the forum on current threats, vulnerabilities and steps taken to counter them.
6 Working with risk owners to carry out the initial information security risk assessment.
7 Ensuring risk owners identify changed risks and that appropriate action is taken.
8 Ensuring that risk is managed by agreeing, with the board, risk owners and the forum, the organization’s approach to risk management, the risk treatment plan and the level of assurance that will be necessary.
9 Selecting control objectives and controls that, when implemented, will meet the objectives.
10 Preparing the statement of applicability and risk treatment plan.
11 Recording and handling security incidents, including establishing their causes and determining appropriate corrective and/or preventive action.
12 Reporting to the forum on progress with implementing the ISMS, and on incidents, issues, security matters and current threats.
13 Ensuring management reviews are carried out as required.
14 Monitoring compliance with the standard and reporting to management on the effectiveness of the ISMS.
15 Driving continual improvement activity across the entire ISMS.
The cross-functional management forum
The concept of a cross-functional forum has disappeared from ISO27001. It was a sensible idea and organizations should consider setting one up. The driving logic is that information security activities would be coordinated by representatives from different parts of the organization with relevant roles and job functions. This is particularly relevant for larger organizations, where security activity needs to be coordinated across a number of divisions, companies or sites, each of which may have its own information security manager or adviser. This cross-functional forum could, in smaller organizations, be integrated into the management information security forum discussed earlier. The activities that might be carried out by this cross-functional forum include:
1 agreeing, across the organization, specific roles and responsibilities in respect of information security;
2 agreeing the specific methodologies and processes that are to be used in implementation of the information security policy;
3 agreeing and supporting cross-organizational information security initiatives;
4 ensuring that the corporate planning process includes information security considerations;
5 assessing the adequacy and coordinating the implementation of specific controls for new systems, products or services;
6 reviewing information security incidents;
7 supporting the communications strategy and ensuring that the whole organization is aware of the way in which information security is tackled.
There is a lot of overlap between the possible functions of the management forum and the cross-functional group described earlier in this chapter. An external certification auditor will want to know how the two key functions – coherent management of information security and coordination of information security-related activity – have been tackled. One route, clearly, is for each forum to have very clearly differentiated functions and for the reporting lines between the two to be drawn very unambiguously.
Usefully, in all but the largest organizations these two forums can be combined. Practically, this is sensible, as otherwise the structural issues of relating the two forums and of clarifying what issues are dealt with at which level can create unnecessary bureaucracy. Where two separate groups are set up, the first to operate more at the strategic level and the second more at the implementation level, the time of the information security and functional specialists will be stretched as they will need to contribute to both. The managerial benefits of combining the two groups are so significant that this book will proceed on the basis that this is the appropriate route, and our use of the term ‘forum’ from now onwards will refer to this combined group.
The detailed work of the management forum is then best dealt with by asking the manager responsible for information security to draw up, outside the formal meetings, proposals as to how each of the issues should be dealt with.
These proposals should then be tabled, discussed and agreed by the forum. All meetings of this forum should be documented, as should actions agreed and progress against them.
The ISO27001 project group
Ideally, the forum should be set up at the outset of the project and be chaired by the senior executive or board member who is designated as responsible for the implementation of the ISMS. The forum should, initially, and in most smaller organizations, also be the project team that sees implementation through to successful conclusion and whose ongoing role clearly evolves from this initial responsibility. This intention should be clearly documented in the project plan and in the first minutes of the forum and/or terms of reference for the group.
Members of the forum, a number of whom need to be in senior positions within the organization, should be selected from across the organization. Key functions that should be represented are quality or process management, human resources, training, IT and facilities management; these may all have to change their working practices significantly as a result of the decision to implement an ISMS. Apart from the manager responsible for information security and the trained information security expert, the most critical representation will be from HR, sales, operations and administration. These tend to be the functions in which the majority of the organization’s personnel are employed and the ones that will be most affected by the implementation of an ISMS. While the people invited to represent these functions should be among the most senior and widely respected individuals within them, it can also be beneficial to draw in representation from more junior ranks and certainly from end users. Without this perspective, the forum may be inadequately aware of issues ‘on the ground’, and may arrive at conclusions that, in practical terms, are difficult to implement.
As discussed earlier, the change process that ISO27001 implementation will require has a cultural impact. It is critical that those most able to represent and articulate the needs and concerns of the key parts of the organization are included on the working party. Without their involvement, there is unlikely to be the ‘buy in’ necessary for the ISMS to be effectively developed and implemented.
Clause 7.2 of the standard requires the organization to ensure that all personnel are competent to perform the tasks assigned to them in the ISMS. This will require the organization to determine the competences required, first of the forum members and later of those charged with implementation. This chapter has pointed at the range of competences that may be required, and final decisions should be documented. See also the discussion on training in Chapter 8.
As soon as the members of the implementation team have been chosen, and once their mission and role have been explained to them, it will be necessary to give them some initial exposure to the standard and to information security. There are a number of ways that this can be done. One is to send them on a Foundations of Information Security Management training course, which is a one-day seminar designed to inform and assist delegates who need a clear introduction to the principles and objectives of information security management. Such a course should be suitable as a general introduction to the subject for people who will not need to become too deeply involved in many of the details of the ISMS. Another, obviously, is to give them each a copy of this book; the first six chapters are probably the ones that will be most useful for the ‘lay’ members of the implementation team.
It is equally critical that all members of the working party understand clearly that their role is to put together and implement an ISMS that meets the board’s requirement. The CEO needs to set this requirement clearly in front of the working party. There will undoubtedly be divergences of opinion between members of the team at many points during the implementation process and on a wide variety of issues. This should make for a stronger ISMS, as what emerges will be more likely to meet all the requirements of the organization. However, if the process is not managed effectively, this working party could also be the graveyard of the information security strategy.
When healthy disagreement degenerates to competition and open warfare, there will be little or no progress; if what emerges from the process is simply the view of one faction or another, it will not be successfully implemented.
Equally, it is possible for the working party to become bogged down in procedural issues or to be ultra-cautious in how it tackles the implementation challenge. While the danger of the project dragging on can be dealt with by setting a very clear date by when implementation must be complete (even to the point of writing it into the individual performance objectives of all the members of the team), it can still fail because the working party simply does not work effectively. Clearly, therefore, the most important choice to be made in respect of both the implementation working party and the management forum into which it will evolve is that of its chairperson.
The choice of chairperson of this group is usually critical to its success, both as a group and in terms of how the rest of the organization views and responds to it. The chairperson needs, therefore, to be someone who is capable of commanding the respect of all members of the working party. He or she needs to be wholly committed to achieving the goal of a certified ISMS within the board-agreed timetable. He or she needs to be pragmatic and prepared to ‘think outside the box’ in identifying solutions to organizational problems that are affecting implementation. This person should not be from any one of the organization’s support functions, as this will usually brand the project as an unimportant one. The project should on no account be led by an IT person, as the implementation of an ISMS simply cannot afford to be seen as only an IT project. The chairperson should, preferably, have a broad managerial responsibility within the organization as well as experience in implementing cross-organizational change projects. Ideally, he or she will be the CEO or the main board director who has been charged with implementation of the board’s security policy. In smaller organizations, this person might also be the manager responsible for information security; in larger organizations, where this is likely to be a full-time role, the manager responsible for information security should properly report to the chairperson of the forum. The need for segregation of duties needs also to be considered.
Not only is the structure outlined here the most effective method for delivery of the ISMS, but it is also very clear evidence of commitment from the very top of the organization to its implementation. The external ISO27001 auditor should be suitably impressed.
Meetings should be scheduled ahead of time, to ensure that everyone who will be needed can record them in their diaries and be present. The frequency of meetings during the implementation phase will reflect the urgency and complexity of the implementation plan. In practical terms, meetings held fortnightly for the first few months of the implementation timetable can contribute to building momentum in it. After that, they can drop to monthly events. Once implementation is complete, the forum might meet on a quarterly basis or when there are significant changes or business issues to consider. The forum should decide how often it needs to meet, set out its reasons and record the decision.
Meetings do not, of course, require physical attendance. They can take place by videoconference or by teleconference. What matters is that all members are able to take part, that they have adequate notice of the meeting and that the meetings are properly managed and documented.
Normal meeting principles should be established and maintained. All meetings should have an agenda and an attendance record, and action points and key decisions should be recorded in the minutes, with information about who is responsible for what actions and within what timescales. The minutes should be retained as part of the quality records, and the external auditor is likely to want to review them. In practical terms, the quality function or PMO within the organization is usually best placed to provide the secretariat to this group.
While the external auditor will be particularly interested in what has been done about action points identified in the minutes, forum meetings can easily degenerate into long reviews of the minutes and actions arising from the previous meeting. Pragmatically, if the minutes are scheduled on the agenda to be dealt with at the end of the meeting, right before ‘any other business’, meetings will be quicker and the organization will make substantially faster progress with the overall implementation. The chairperson should, prior to the meeting, have ensured that action points have been dealt with; this enables them to be reported on very quickly when the appropriate point on the agenda is reached.
As a matter of principle, one of the authors insists on starting meetings at the scheduled time, irrespective of how many people are in the room, and refuses to sum up progress so far for late arrivals. In the long (and sometimes the short) run, everyone learns to arrive on time.
Allocation of information security responsibilities
ISO27001, at control A.6.1.1, says that ‘all information security responsibilities shall be clearly defined’. While the information security policy may provide general guidance as to who is responsible for which information security risk, this guidance is likely to be very broad, particularly if the policy model suggested in this book is adopted. It will not necessarily be clear to individual employees, from the policy statement, what their specific responsibilities will be. In any case, the organization will need to define clearly who is responsible for which risks, which security process and/or information asset, and may have to look at geographic or site responsibilities as well.
For instance, while the need for an information security manager is clear, it is nevertheless sensible to identify individual owners of information security assets throughout the organization and confirm to them in detail and in writing their responsibilities in respect of these assets. This is an incredibly effective way of ensuring that the security of individual information assets is properly maintained on a day-to-day basis. Clause 8.1.2 (Ownership of Assets) of ISO27002 provides more information on this issue but does not add significantly to what we have said here.
There are generic responsibilities for members of particular groups of staff. The responsibilities of the members of the forum have been discussed, as have those of the information security manager. Those mentioned below could provide the basis for defining individual responsibilities within the organization and should be drawn more specifically to reflect the organizational structure and systems.
IT departments should be accountable for the overall security of the system(s) for which they are responsible. This includes threat identification, assessing risks, managing projects, reviews and reporting on activity. Server room security should be another of their responsibilities.
Local system administrators will have specific responsibilities for user registration and deletion, system monitoring, preparing security procedures, managing change control with defined bou