Georgia Technology Authority: Information Security Management


Georgia Technology Authority

Title: Information Security Management Organization
PSG Number: SS-08-006.01
Topical Area: Security
Document Type: Standard
Pages: 2
Issue Date: 3/31/08
Effective Date: 3/31/08
POC for Changes: GTA Office of Information Security
Synopsis: Sets minimum standards for an information security management organization.

PURPOSE

In compliance with the Enterprise Information Security Charter P-07-005.01, each agency must implement a formal internal information security program. Agency executive management is ultimately responsible for protecting agency-wide assets and setting the security philosophy that will determine the overall effectiveness of the information security program. As such, it is necessary to establish a security management organization with clearly defined roles and responsibilities that will collectively and cooperatively develop, implement, and maintain the agency's information security program by aligning security objectives with the business objectives of the organization. This standard establishes the minimum elements of an information security management organization.

SCOPE, AUTHORITY, ENFORCEMENT, EXCEPTIONS

See Enterprise Information Security Charter (policy).

STANDARD

Each agency's information security infrastructure shall have a security management organization that oversees the security program, establishes and periodically reviews security controls, and authorizes systems to operate. Agency heads shall ensure the appropriate officials and personnel are assigned the following minimum security roles and responsibilities.

Agency head or other executive management (e.g., CIO) shall be ultimately responsible for the security of information assets held by the agency and shall assign personnel to the appropriate security roles.

Business/Information System Owner shall establish the strategic objectives for the applications and technology that support their business functions.

Data/Information Owner shall define the controls necessary to protect the data within their business function and shall knowingly accept the risks associated with operating an information system processing that data.

Information System Security Officer (ISSO) shall administer the information security program. The ISO shall be the primary point of contact to the State Chief Information Security Officer (CISO) on security matters for the agency.

Business Continuity Coordinator shall ensure a process exists to maintain continuous operations of critical functions during a crisis or to recover critical functions within established Recovery Time Objectives (RTO).

GUIDELINES

These are security responsibilities and do not mandate the need for full-time security staff, employees or positions. Smaller agencies and agencies with small IT budgets may choose to assign these functions as additional duties, or all of these functions may be the responsibility of one or two individuals. What is important is that agency management take ownership of the security of their information assets and ensure that whoever is assigned these security functions understands their responsibilities and is able to fulfill their role.

Agency heads whose IT infrastructure is managed by a separate agency or service provider are still responsible for the security of their information resources and should work closely with the IT management organization to define where the lines of responsibility reside and jointly develop policy and procedures that meet the needs and requirements of the smaller agency.

REFERENCES

National Institute of Standards and Technology (NIST) Special Publication 800-12, Introduction to Computer Security (NIST Handbook), and NIST SP 800-100, Information Security Handbook for Managers, located at: http://csrc.nist.gov/publications/nistpubs/index.html

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Enterprise Information Security Charter (Policy)
Information Security Infrastructure (Standard)

Note: The PSG number was changed from S-08-006.01 on September 1, 2008.
