This clause places requirements on ‘top management’ which is the person or group of people who directs and controls the organization at the highest level. Demonstrating leadership in regard to the ISMS is a core aspect of the IEC 27001 standard. Note that if the organization that is the subject of the ISMS is part of a larger organization, then the term ‘top management’ refers to the smaller organization. The purpose of these requirements is to demonstrate leadership and commitment by leading from the top. A particular responsibility of top management is to establish the information security policy, and the standard defines the characteristics and properties that the policy is to include. Finally, the clause places requirements on top management to assign information security-relevant responsibilities and authorities, highlighting two particular roles concerning ISMS conformance to ISO 27001 and reporting on ISMS performance. It is essential that top management provide the appropriate level of leadership in terms of direction, authority, policy, governance, and organization. Good leadership deﬁnes the business purpose of information security creates the mission statement, sets the strategy, provides staff focus on what is important with regard to the information security for the business and what the priorities are, motivates and inspires conﬁdence and trust in the workforce that it is committed to protecting the business and nurtures security culture and security skills. Good ISMS leadership is needed to build a team that will successfully take forward the implementation of the ISMS, which will empower and motivate staff to be proactive followers and supporters in helping to protect the organization. A good ISMS leader will be passionate about being successful in managing the information security risks the organization faces. ISMS leadership should strive to inspire others to see information security as a business enabler, with the vision of turning information security risks into a business opportunity. Leadership is different than management—the former motivates and inspires, creates the vision and points people in the right direction, while the latter administers, controls, and follows the vision and organizes people. Both ISMS leadership and ISMS management together achieve an effective, robust, resilient ISMS. Leadership will be the champion of the ISMS, and management will control and manage the ISMS.
The “Leadership” clause has three sub-clauses ie
Clause 5.1 Leadership and Commitment
Clause 5.2 Policy
Clause 5.3 Organizational roles, responsibilities and authorities.
5.1 Leadership and commitment
Top management must demonstrate leadership and commitment by ensuring the information security policy and the information security objectives are established and are compatible with the strategic direction of the organization. The top Management must ensure the integration of the information security management system requirements into the organization’s processes. The top Management must make available the resources needed for the information security management system. The top management must communicate the importance of effective information security management and of conforming to the information security management system requirements. The top Management must ensure that the information security management system achieves its intended outcome which preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. Top Management must direct and support persons to contribute to the effectiveness of the information security management system. They must also support other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. They must promote continual improvement.
The organization’s Top Management must provide leadership and show their support for ISMS. They must demonstrate a commitment to ISMS. Ensure that ISMS policies are established. Ensure that ISMS objectives are established. Ensure that ISMS achieves its intended outcomes. Ensure that ISMS requirements become an integral part of the organization’s processes. Ensure that necessary ISMS resources are available when they are needed. Must communicate a commitment to ISMS. Make sure that people understand how important information security actually is. Encourage managers to demonstrate their leadership and commitment to information security within their own areas.
Implementing a Security Strategy
An effective information security strategy for an organization must take into account the overall strategic objectives of the Organization. Even when focusing on critical processes and legal mandates, it is necessary to extend protective measures beyond the underlying IT systems and associated administrative staff. For example, the marketing department has access to customer records, and this access must be considered when assessing the security risks associated with these data. A failure to provide marketing executives with securely configured workstations increases the risk of sensitive data being exposed via their computers. This risk can also be reduced by implementing a middleware solution to properly control which records each executive can access and to minimize the amount of sensitive data stored on their computers. Also, to be effective, security practices cannot rely completely on technological solutions. Continuing the example, policies are required to clearly define each employee’s responsibilities relating to s data and the security of their workstations. Also, awareness programs aimed specifically at employees and their responsibilities to safeguard information might be developed, possibly in conjunction with the CISO(Chief Information Security Officer)
To complicate matters, the operational needs of the Organization often directly conflict with security practices such as perimeter firewalls, port authentication, centralized configuration management, and strong authentication. Organizational networks must, therefore, be designed to balance security and privacy requirements while accommodating a wide variety of end-users and their needs – e.g., visitors, new employees arriving with computers, employees sharing large quantities of data with members of the organizations, remote access to a variety of network services for individuals who are traveling or telecommuting, and mobile users moving between classrooms, libraries, and indoor and outdoor study spots on campus. Although firewalls are becoming widely used to protect critical systems on organization’s networks, their use at the perimeter is less common because it is difficult to reconcile their restrictiveness with the need for an open networking environment that supports research, learning, and high-speed networking. Although centralized management is feasible for certain hosts on organizations’ networks, this approach is not suitable for most computers and many systems. In the end, security and privacy practices need to be integrated into operational practices in a way that makes the most sense.
Effective Organizational governance of the information security function is critical to a successful program. It can be both the “proof of the pudding…” with regard to management commitment and provide necessary guidance when deciding where to allocate scarce resources. This well-researched section draws from experts in the field and provides useful background and advice which can be adapted to a wide variety of cultures.
The organization must establish an information security policy for the organization. The Top Must ensure that information security policy is appropriate and supports the organization’s purpose. The information security policy must include security objectives or can be used to establish these objectives. The information security policy must make a commitment to comply with all relevant information security requirements. An important aspect of conformance to the requirements of ISO 27001 and of achieving a successful ISMS development and implementation and ongoing management is that such task should be driven and led from the top, by top management. Top management should start by deﬁning an appropriate information security policy for the ISMS. The policy should be a clear management statement of its intentions, objectives, and goals regarding information security and the protection of its information systems. This policy should reﬂect top management commitment and support for the ISMS to satisfy the requirements in Section 4.1 and address the issues in Section 4.2. It should be a directive from above that typically should address at least the following:
- The scope of information security, its importance to the business, and clarity about what the business information security objectives are (e.g., regarding the protection of the conﬁdentiality, integrity, and availability of its information);
- The need for stall awareness: stall should be aware of their duties and responsibilities regarding the risks (e.g., their responsibility to handle and process sensitive company information in a way that protects it from compromise);
- What is acceptable and not acceptable with regard to behavior and use of its resources (e.g., acceptable use of the company email system);
- Its obligations to carry out its business in compliance with the laws and regulations, contractual obligations, best practices and standards that stall also need to comply with (e.g., compliance with laws on copyright, data privacy/protection and computer use/misuse/abuse);
- Reference to any other documents that stall needs to be aware of and comply with (e.g., more detailed security policies and procedures as well as any other relevant proceedings not directly related to security). This could be industry-speciﬁc policies such as those businesses that need to deal with environmental issues, aspects of health care, production of pharmaceutical products or food safety.
This management information security policy should be written in a way that the style and content are independent of any particular skill, process, or technical knowledge. For example, the content should be understandable by someone that is not an IT specialist, someone not trained in company ﬁnances or legal affairs, or does not have human resources skills. in other words, it should state information security objectives that are generally understood by all stalls not just people with highly technical backgrounds or certain professional qualiﬁcations or skills.
Approval, Communication, and Awareness
This management policy needs to be approved and signed by the CEO (or someone of similar management authority and accountable status) since the aim is to indicate management commitment and support. The policy needs to be communicated across the organization to all staff and interested parties. This could be in paper form or by electronic means or both. Some organizations display their policies on the walls of ofﬁces, computer rooms, and other areas to ensure they are continually accessible and visible. Other organizations resort to using ICT to distribute and have available their policies and procedures via their internal network. Others may choose to distribute it in paper only for the stall to keep at their own place of work. Whatever the method used, the policy should not be hidden away and forgotten. Stall needs to read, understand, and refresh their memories every so often about its contents and what it says about their speciﬁc information security responsibilities and duties. This policy needs to be reviewed and updated as necessary to take account of the changing nature of the information security risk environment and evolving organizational developments and changes. There needs to be a review process for maintaining this policy, as is the case with all policies and procedures, as part of the ISMS continual improvement process. This management policy is a high-level policy that “sets the scene,” and typically there will more detailed policies, which will give more speciﬁc rules and instructions on the implementation of information security protection. For example, policies on access control cover the rules of access to different organizational resources and facilities such as email servers, databases, network services, applications as well as physical access to buildings, ofﬁces, rooms, and storage equipment.
5.3 Organizational roles, responsibilities and authorities
Top management must ensure that the responsibilities and authorities for roles relevant to information security are assigned and communicated. Top management must assign the responsibility and authority for ensuring that the information security management system conforms to the requirements of this International Standard, and reporting on the performance of the information security management system to top management. Top management may also assign responsibilities and authorities for reporting the performance of the information security management system within the organization.
Roles and Responsibilities
Involvement from top management is critical to the design and effectiveness of any information security program. The definition of “top management” can vary from organization depending on size and structure, but in general, “top management” should involve members of the senior executive team responsible for making strategic decisions within the organization. The intent of involving top management within the information security program is to ensure that enterprise governance is aligned with the information security governance framework. Components of a well-designed information security governance program include leadership, structure, and processes designed to protect an organization’s information security assets. Effective information security governance requires that top management have clear expectations about what to expect from the information security program, how to evaluate the organization’s risk posture, and how to define information security objectives that are in alignment with the strategic direction and goals of the organization. Top Management must allocate responsibility and authority for carrying out information security roles to the appropriate people within the organization. Top Management must communicate all relevant information security management roles, responsibilities, and authorities. Top management’s involvement with the information security program includes ensuring that the intended outcomes of the information security program are achieved, which could include the following:
- Alignment with business strategy to meet the organization’s strategic objectives.
- A risk management program that identifies and mitigates the impacts to an organization’s resources and assets.
- Effective and efficient resource management
- Timely and useful metrics reporting
- Value-added information security initiatives
Security is ultimately the responsibility of all employees within an organization; however, the most successful information security programs demonstrate effective leadership from top management by setting a “tone at the top” and championing the importance of information security through well-designed policy and direction. The result can be an organization with information security ingrained as part of its culture. The ISO 27001 standard requires that organizations demonstrate leadership and commitment from top management as outlined in Clauses 5 (Leadership) and 9.3 (Management review). The focus within Clause 5 is on the design of the information security management system (ISMS) which requires involvement from top management and includes the establishment of the information security policy and an organizational structure where the responsibilities and roles relevant to information security are defined and communicated. The focus within Clause 9.3 is to establish procedures for top management to be continually involved in the evaluation of the ISMS to ensure its effectiveness. The members of top management that are involved with the leadership of the ISMS should consider the scope of the ISMS. Involvement from top management can vary by organization, but the scope of the ISMS should be considered when determining who from top management will be involved from a leadership and commitment standpoint. Typically, organizations begin by selecting a committee responsible for overseeing the design, operation, maintenance, and improvement of the ISMS. The committee should include members from top management and members from the information security team.
An organization that is able to successfully implement the requirements of Clause 5 will establish an ISMS program with the oversight, support, and direction of top management; an information security policy that includes information security objectives and is appropriate to the organization; and an organizational structure that incorporates information security with upstream channels so that information security performance is effectively reported to top management. In addition to involving top management in the design of the ISMS, they are required to review and evaluate the performance of the ISMS on a continual basis. The frequent involvement of top management during the evaluation phase of the ISMS is a critical requirement. The intent is to provide regular feedback on the performance of the ISMS so that changes in the environment or processes not performing as expected are identified promptly so that corrective action can be successfully implemented. An organization that can successfully implement the requirements of Clause 9.3 will be able to consistently and continually evaluate the operation of the ISMS, with input from top management to ensure the intent and objectives of the ISMS are being achieved and that the improvements are implemented where necessary.
Day-to-day working and operational activities functioning effectively, and the proper management of staff, at all levels throughout the organization, can contribute to an effective information security business environment. In part, this requires a good information security culture within the organization to be in place, with appropriate awareness and understanding of the problems of information security risks and clear lines of responsibility and accountability. It is essential that roles and responsibilities for protecting speciﬁc types of information or information systems or for carrying out speciﬁc information security-related processes are clearly deﬁned and allocated. For example:
- The owner of an information system should be given the information security responsibility and accountability for that system (of course, these owners may delegate that day-to-day implementation of security to another individual or to a service provider, but they remain ultimately accountable for the protection of the system and the management of the information security risks);
- Personal data manager;
- Business owner—a speciﬁc department/group (ensures implementation of policy and procedures, deﬁnes information usage and classiﬁcation for information in their custody, allocates information custodians,deﬁnes access roles and privileges, conducts staff training and awareness and provides protection of personal data under their control);
- Chief information security ofﬁcer (CISO);
- Information security incident response team;
- Business continuity manager;
- Internal auditors;
- Human resource manager;
- IT services manager (IT service management, IT disaster recovery, involvement in incident management);
- IT and network administrators/managers (network management, secure network technologies, involvement in incident management);
Authorized users of information systems. In addition, all staff will have general responsibility for information security related to their day-to-day work. For example, reporting of unusual or suspicious behavior either related to their use of IT, network services, or related to other staff or visitors. Also, all individual staff needs to be aware of their responsibility for keeping their passwords and other types of access codes secure, to ensure that they are using organizational resources in accordance with the acceptable usage policy (e.g., rules for using email for sending file attachments).
As with any successful business venture, it is important to have the right types of resources for the jobs that need to be done. Having stall with the right competence to do a job properly, efficiently, and effectively is key to the overall success of the business. If it is a technical job, then the stall involved need to have the right level of knowledge and skill to handle the technical requirements of the job at hand, to resolve technical problems, and to be able to use techniques, methods, equipment, and procedures relevant to the technical area in question. If it’s a customer service job, then the staff involved must have the relevant skills needed to deal with customers (e.g., they are able to listen and respond effectively to customer’s questions and queries, they are able to satisfactorily resolve customer queries and problems, follow up on feedback from customers and generally be able to meet the expectations of the organization’s customers). Management needs to ensure that for specific information security tasks, it has the right people, with the right skills and knowledge, and experience. This can mean recruiting people who have the right existing skills and experience or recruiting people and providing a training program for them to develop the right skills and experience. In addition, all staff working in the ﬁeld of information security, whether those with experience or those in training, need to keep up to date as the issues and risks in information security continually evolve, as do technology and business practices. Every organization strives to have human resources with certain core competence, and many organizations seek staff with information security skills. The market is expanding, becoming more buoyant, and becoming highly competitive. For many years, organizations have recruited information security personnel with hands-on experience, practical knowledge, and appropriate references. Even though this is still the general basis of recruitment, more and more organizations have started to request applicants have market-proven professional qualiﬁcations, personal certiﬁcations, and in some cases university qualiﬁcations or a combination of both. The current education and training market provides certiﬁed qualiﬁcations, for example, in areas such as:
- information security auditing;
- information security management;
- Risk management;
- Information assurance;
- IT security;
- Physical security.
Training and Awareness
The organization needs to ensure that staff are aware of information security risks and have a sufﬁcient understanding to support the organization’s information security policy to undertake their normal work functions and tasks. Staff should be trained in the use of information security policies and procedures, security controls applicable to their job function, and the correct use of IT (e.g., log-in procedures, keeping passwords safe, appropriate use of IT). Training should take place during:
- Induction training for new staff upon joining the organization. This should cover the company’s information security policies, procedures, and routine practices, whom to contact for help and support regarding information security matters and whom to report security problems to, initial familiarization with the common types of risk malware, hacking, protection of commercially sensitive information and the protection of personal data, fraud, use of email and so on.
- On-the-job training providing speciﬁcally tailored instructions on information security suited to the individual’s job function.
- Annual (or more frequent) refresher training to keep stalls up to date with new developments and to provide organization-wide reminders or more immediate remedial training as the result of a security incident or an emerging risk.
An organization can deploy a variety of methods to deliver effective information security awareness and training to its staff. The methods that an organization selects will depend on the business culture and its operational needs. Therefore, an information security awareness and training program should be tailored to the speciﬁcs of the organization. You should alternate between different methods, perhaps introducing an element of motivational instruction together with practical interactivity.
- Classroom-based training can be highly interactive—such training can vary from half-day/one-day induction/beginners training course, through to various intermediate/advance three-to-ﬁve-day training courses covering a range of speciﬁc topics.
- Computer-based/online web-based training and awareness is a good method for reinforcing information security principles and speciﬁc topics. Such training can be delivered as a set of modules, interactive or noninteractive, and be accessible to staff at a time and place convenient to the individual.
- Seminars, workshops, round-table discussions, and presentations are especially well suited for introducing the new subject matter and for organizations with multiple sites;
- Videos are also an effective way to provide training on various topics.
- Posters provide visual reinforcement of information security principles and speciﬁc topics.
- On-the-job/desktop training is available.
- Internal emails can be used to remind, reinforce and provide updates on organizational policies and procedures.
Implementing the requirements of ISO/1EC 27001 covers many different tasks, activities, and processes that need to be carried out, and these are associated with a number of speciﬁc topics that information security professionals, practitioners and other staff will need to have knowledge of and develop experience in, depending on their particular job function. For example, an internal ISMS auditor will require knowledge of the auditing process and methods, whereas an ISMS risk manager would need knowledge and skills of the principles of risk management. These include:
- Principles of risk management
- Risk assessment;
- Risk treatment.
- Information security controls:
- Generic controls eg, as found in ISO 27002, NIST SP 800 etc;
- Sector-speciﬁc controls eg, as found in ISO 27010, 27011,27015, 27017, 27018, 27019.
- Performance evaluations:
- Measuring and monitoring methods and techniques eg, as found in ISO 27004
- ISMS auditing process and methods (eg., as found in 1S0 19011 and 27007).
- Certiﬁcation and auditing
- Certiﬁcation eg, as found in ISO 27006, ISO 17021;
- Auditing (e.g., as found in ISO 27007, ISO 19011).
- Legislation and regulations related to information security and privacy
- National and regional laws and directives;
- Standards covering privacy leg, as found in ISO 29100, 29134, 29190).
- Other speciﬁc security-related processes
- Incident handling (e.g., as found in ISO 27035, NIST SP 800-61);
- Business continuity e.g., as found in ISO 22301, ISO 27031
- Operational resilience e.g., as found in B5 16000.
- Speciﬁc IT security controls and mechanisms
- Network security (e.g., as found in ISO 27033);
- Applications security (e.g., as found in ISO 27034);
- Malware (eg. as found in NIST SP 800-83);
- Firewalls, IDS, IPS;
- Access control.
Annex A: Control objectives and control
A.6 Organization of information security
A.6.1 Internal organization
To establish a management framework to initiate and control the implementation and operation of information security within the organization.
A.6.1.1 Information security roles and responsibilities
All information security responsibilities should be defined and allocated.
Allocation of information security responsibilities should be done in accordance with the information security policies. Responsibilities for the protection of individual assets and for carrying out Specific information security processes should be identiﬁed. Responsibilities for information security risk management activities and in particular for acceptance of residual risks should be defined. These responsibilities should be supplemented, where necessary, with more detailed guidance for specific sites and information processing facilities. Local responsibilities for the protection of assets and for carrying out specific security processes should be defined. Individuals with allocated information security responsibilities may delegate security tasks to others. Nevertheless, they remain accountable and should determine that any delegated tasks have been correctly performed. Areas for which individuals are responsible should be stated. In particular, the following should take place:
- Assets and information security processes should be identified and defined.
- The entity responsible for each asset or information security process should be assigned and the details of this responsibility should be documented
- Authorization levels should be defined and documented
- To be able to fulfil responsibilities in the information security area the appointed individuals should be competent in the area and be given opportunities to keep up to date with developments
Coordination and oversight of information security aspects of supplier relationships should be identified and documented.
Many organizations appoint an information security manager to take overall responsibility for the development and implementation of information security and to support the identiﬁcation of controls. However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each asset who then becomes responsible for its day-to-day protection.
Information security is the responsibility of everyone at the institution. It is important to establish roles and responsibilities for staff, managers, and contractors/vendors so that everyone knows what is expected of them when handling information. Leadership is also very important, and many institutions have at least one person who is primarily responsible for organizing the information security program. Typically this is a Chief Information Security Officer (CISO), Information Security Officer (ISO), Director of Information Security, although the title may vary depending on the Organization. No matter what title is selected, there should be someone at the organization who can provide a high level of decision-making support to leadership when considering information security issues and solutions. It is also important to establish data ownership and data handling roles (e.g., data owners, stewards, custodians, and users). Many institutions formally identify and document these roles within their information security policies and data management frameworks.
A.6.1.2 Segregation of Duties
Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets.
Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls. Small organizations may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails, and management supervision should be considered.
Segregation of duties is a method for reducing the risk of accidental or deliberate misuse of an organization’s assets.
Segregation of duties reduces the risk of intentional manipulation or error and increases the element of checking. Functions that should be separated include those of authorization, execution, custody, and recording and, in the case of a computer-based accounting system, systems development, and daily operations. Segregation of duties is the concept of having more than one person required to complete a task. Today’s automated solutions and information and communication technologies allow a few people to handle a great deal of information and processes (e.g., stock exchange operators and air traffic controllers). While this is good to improve productivity, a potential side effect is that these few people may end up gathering excessive knowledge and/or privilege over the operating environment and, in case they are absent or have malicious intent, this can prove to be an unacceptable risk, which must be handled. This is a best practice, especially in cases where sensitive data is being handled. This is seemingly obvious, but often difficult to do in practice. Essentially try to eliminate processes or situations where someone can access, change or use information assets without detection. For example network access and logging should be conducted by someone different from those authorized to use the data. If in doubt – no-one holds the keys to something from which they could gain.
Segregation of duties is a control put in place by many organizations to mitigate the risk of an insider threat or accidental employee mistakes. Sometimes this isn’t practical or possible, but the institution should be aware of the risks of a single person having too much access. Ideally, critical processes or activities should be split up between multiple people. For example, the initiation of a process, its execution, and authorization should be separated when possible. When this is not possible, monitoring and auditing critical processes are very important. Segregation of duties refers to practices where the knowledge and/or privileges needed to complete a process are broken up and divided among multiple users so that no single one is capable of performing or controlling it by himself.
The main reason to apply segregation of duties is to prevent the perpetration and concealment of fraud and error in the normal course of the activities, since having more than one person to perform a task minimizes the opportunity of wrongdoing and increases the chances to detect it, as well as to detect unintentional errors. Wrongdoing requires three factors to be possible: means, motive, and opportunity. Extremely lean processes increase the risk of wrongdoing by concentrating means and opportunity (access to and privileges over the process). By implementing segregation of duties, an organization minimizes the risk by splitting knowledge and privileges. However, the benefits of segregation of duties to security must be balanced with the increased cost/effort required. By using the ISO 27001 requirements for risk assessment, an organization can identify the most vulnerable and the most mission-critical elements of the business to which segregation of duties will represent real added value to the business and other interested parties.
The principles that can be applicable to segregation of duties are:
- Sequential separation, when an activity is broken into steps performed by different persons (e.g., solicitation, authorization and implementation of access rights)
- Individual separation, when at least two persons must approve an activity before it is done (e.g., contractor payment)
- Spatial separation, when different activities are performed in different locations (e.g., locations to receive and store raw material)
- Factorial separation, when several factors contribute to activity completion (e.g., two-factor access authentication).
- These principles can be used in isolation or together, depending upon the security an organization requires to protect its processes.
Segregation can be implemented by:
1.Identification of functions that are indispensable to the organization’s activities, and potentially subject to abuse, considering either business drivers or regulatory compliance (e.g., SOX)
2.Division of the function into separate steps, either considering the knowledge necessary for the function to work or the privileges that enable that function to be abused
3. Definition of one or more segregation principles to be applied to the functions. Examples of functions and segregation principles to be applied are:
- authorization function (e.g., two people need to authorize a payment)
- documentation function (e.g., one person creates a document and another approves it)
- custody of assets (e.g., backup media creation and storage in different sites)
- reconciliation or audit (e.g., one person takes inventory and another validates it )
Sometimes the segregation of duties is impractical because the organization is too small to designate functions to different persons. In other cases, breaking down tasks can reduce business efficiency and increase costs, complexity, and staffing requirements. In these situations, compensating controls should be in place to ensure that even without segregation of duties the identified risks are properly handled. Examples of compensating controls are:
1Monitoring activities: these allow activities to be supervised while in progress, as a way to ensure they are being properly performed.
2 Audit trails: these enable the organization to recreate the actual events from the starting point to its current status (e.g., who initiated the event, the time of day and date, etc.).
A.6.1.3 Contact with authorities
Appropriate contacts with relevant authorities should be maintained.
Organizations should have procedures in place that specify when and by whom authorities (e.g. law enforcement, regulatory bodies, supervisory authorities) should be contacted and how identified information security incidents should be reported in a timely manner (e.g. if it is suspected that laws may have been broken).
Organizations under attack from the Internet may need authorities to take action against the attack source. Maintaining such contacts may be a requirement to support information security incident management or the business continuity and contingency planning process. Contacts with regulatory bodies are also useful to anticipate and prepare for upcoming changes in laws or regulations, which have to be implemented by the organization. Contacts with other authorities include utilities, emergency services, electricity suppliers, and health and safety. e.g. fire departments (in connection with business continuity), telecommunication providers (in connection with line routing and availability), and water suppliers (in connection with cooling facilities for types of equipment)
The organization needs to maintain useful contact information with appropriate authorities. Obviously, with more significant organizations, the need for this is greater as the interruption of service to a larger part of the population increases. Particularly relevant to utilities, telecoms, banking organizations, and emergency services (and for smaller companies these might be on your list). Where attacks stem from the internet various authorities and providers may need to be called to action in order to divert /suppress/mitigate the threat. You can’t fix everything, but you can be ready should the need arise. This will help with business continuity and security incident management. A protocol for engagement with law enforcement can be a part of the security incident response plan or a broader crisis management procedure for the organization. The plan should be clear about which situations require working with law enforcement, such as when laws are broken. The plan should also clearly state who contacts authorities and under what circumstances (e.g., when law enforcement should be contacted by the information security officer or safety officer).
6.1.4 Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.
Membership in special interest groups or forums should be considered as a means to:
1.improve knowledge about best practices and stay up to date with relevant security information;
2.ensure the understanding of the information security environment is current and complete;
3. receive early warnings of alerts, advisories, and patches pertaining to attacks and vulnerabilities;
4. gain access to specialist information security advice;
5. Share and exchange information about new technologies, products, threats or vulnerabilities;
6.provide suitable liaison points when dealing with information security incidents
Information sharing agreements can be established to improve cooperation and coordination of security issues. Such agreements should identify requirements for the protection of confidential information.
An Information Security Management System (ISMS) is only as good as its ability to keep up with the requirements of the business and provide adequate protection against the risks the organization is exposed to. To accomplish this, information about the environment must be evaluated constantly, but who will do this? Moreover, where can this information be found? The truth is that no one in your organization, not even dedicated teams, can do that by themselves. With the use of critical information getting broader and broader (e.g., by the use of teleworking, virtual teams, etc.), IT demands became more complex, and ISMS and security needs along with it. This means that the level of effort required to cover information related to every single security aspect of your organization would make the costs prohibitive. But, you still have to monitor this information. So, how to do it? Fortunately, ISO 27001 suggests an alternative: contact with special interest groups, control A.6.1.4 of Annex A of the standard.
In a general way, you can define a special interest group as an association of individuals or organizations with interest in, or acting in a specific area of knowledge, where members cooperate/work to solve problems, produce solutions, and develop knowledge. In our case, this area of knowledge would be information security. examples are manufacturers, specialized forums, and professional associations. The government is another example of a special interest group.
An organization’s ISMS needs to keep up with business requirements and organizational risks. To cover these issues, the A.6.1.4 control from Annex A suggests the following issues for you to identify a special interest group to help you:
- Best practices adopted by the market: policies, procedures, guidelines, and checklists that you can adapt to your organization’s needs.
- Market and security trends related to your industry: laws and regulations, customers’ requirements, suppliers situations your organization has to be aware of or comply with.
- News and alerts about threats, vulnerabilities, attacks, and patches: you need these to check your defenses because it is better to learn from others’ mistakes and misfortunes than your own, isn’t it?
- News related to new technologies and products: what can you use to improve your security, or to achieve the same level with reduced costs and/or effort?
- Specialized consultancy: you may not have the expertise, or time, to make the solution or resolve the problem by yourself, so who can help you?
- Specialized support to handle information security incidents (e.g., other organizations, police, government security agencies, etc.): when you have a problem and need help to resolve it, who can help you?
The government as a special interest group is a unique case, because of its access to additional resources (like police, emergency services, firefighters, etc.), and, depending on the legal requirements of each country, its involvement is mandatory.
Some of these issues you can identify for free (accessing the public content on the Internet, signing up for a regular newsletter, or identifying the person/job title to be in contact with a professional association or state agency), and some you have to pay for (consultant or support services). However, in the latter case, it would be recommended to establish contact with potential suppliers through your procurement process (it is always better to have a previous relationship than to call only in an emergency).
Since the information you will be working with could have a great impact on your ISMS (over management and/or security controls), you should be careful about which special interest groups you interact with, considering:
- The quality of the information provided: Not all of them have precise or updated information (some only repost news or information from other sources).
- The availability of the information: what is the update frequency of the information? If the source you use takes too much time to update its info, your organization could be exposed to a problem or risk for a longer period.
- The legitimacy of the source: Not all of them are authorized representatives of the one responsible for the information (e.g., manufacturers have specific forums to communicate with their clients or to provide patches). Another case is if security peers recognize the group as a reliable source of information.
In the cases where you have to send or receive information, be sure to verify whether there is an agreement about how the shared information will be protected.
Example of Security Roles and Responsibilities of the Postal service
Information security is the individual and collective responsibility of all Postal Service personnel, business partners, and other authorized users. Access to information resources is based on an individual’s roles and responsibilities. Only authorized personnel are approved for access to Postal Service information resources. All information technology managers are responsible for securing the Postal Service computing environment, which includes information resources and infrastructure, by implementing appropriate technical and operational security processes and practices that comply with Postal Service information security policies. All officers, business and line managers, and supervisors, regardless of functional area, are responsible for implementing information security policies. All officers and managers must ensure compliance with information security policies by organizations and information resources under their direction and provide the personnel, financial, and physical resources required to appropriately protect information resources. All Postal Service personnel are responsible for complying with all Postal Service information security policies.
Consolidated Roles and Responsibilities
1) Executive Vice President and Chief Information Officer
The executive vice president and chief information officer (CIO) are responsible for the following:
1.Acting as the senior information technology (IT) decision-maker and corporate change agent to securely integrate the key components of business transformation: technology, processes, and people.
2. Providing advice and assistance to senior managers on information security policy and their compliance-based performance.
3.Promoting the implementation of an information security architecture to mitigate information security-related risk.
4. Promoting the protection of corporate information resources across postal Service organizations and business partners
5. Together with the vice president of the functional business area (data steward) and chief privacy officer (CPO), approving the removal of portable electronic devices or media containing sensitive-enhanced or sensitive information from a Postal Service facility. If this responsibility is delegated, notice to that effect must be writing.
2) Chief Postal Inspector
The chief postal inspector is responsible for the following:
1.Establishing policies, procedures, standards, and requirements for personnel, physical, and environmental security.
2. Approving the identification of sensitive positions.
3. Conducting background investigations and granting personnel clearances.
4. Conducting site security reviews, surveys, and investigations of facilities containing Postal Service computer and telecommunications equipment to evaluate all aspects of physical, environmental, and personnel security.
5.Providing technical guidance on physical and environmental security activities that support information security, such as controlled areas, access lists, physical access control systems, and identification badges; providing protection of workstations, portable devices, and media containing sensitive-enhanced, sensitive, or critical information.
6. Providing security consultation and guidance during the system, application, and product development to assure that security concerns are addressed and information and/or evidence that may be needed for an investigation is retained by the information resource.
7. Assisting the manager, Corporate Information Security Officer (CISO), with reviews, as appropriate.
8. Investigating reported security incidents and violations.
9.Conducting revenue/financial investigations including theft, embezzlement, or fraudulent activity.
10. Providing physical protection and containment assistance and investigating information security incidents as appropriate.
11. Funding CISO investigative efforts outside of those normally required.
12. Managing, securing, scanning, and monitoring the Inspection Service’s network and information technology infrastructure.
13. Defining high-risk international destinations where personnel is prohibited from traveling with their standard-issue Postal Service computers and communications equipment (including laptops, notebook computers, external hard drives, Blackberry devices, USB devices, etc.)
14 Providing temporary equipment to use when traveling to high-risk international destinations
3) Vice President, Information Technology
The vice president, IT, is responsible for the following:
1. Sponsoring information security and business continuity management programs and ensuring that financial, personnel, and physical resources are available for completing security and business continuity tasks.
2.Ensuring confidentiality, availability, and integrity of information processed by IT applications.
3. Ensuring compliance with the information security certification and accreditation processes.
4. Together with the vice president of the functional business area, accepting, in writing, residual risks of information resources under their control. The VP IT may delegate this authority to the applicable Business Relationship Management manager. If this authority is delegated, notice to that effect must be in writing. e. Reporting to senior management on the status of an incident with a major IT application.
5. Defining and documenting secure coding best practices.
4) Manager, Computer Operations
The manager of Computer Operations is responsible for the following:
1. Sponsoring information security and business continuity management programs and ensuring that financial, personnel, and physical resources are available for completing security and business continuity tasks.
2. Ensuring confidentiality, availability, and integrity of information processed at IT sites.
3. Ensuring the protection and secure implementation of the Postal Service IT infrastructure.
4. Supporting information security certification and accreditation processes.
5. Together with the vice president of the functional business area (data steward) and CPO, approving the removal of portable electronic devices or media containing sensitive-enhanced or sensitive information from an IT facility.
6. Reporting to senior management on the status of an incident at a major IT facility.
7. Reviewing and utilizing C&A documentation in the IT Artifacts Library.
8. Resolving identified vulnerabilities.
5) Manager, Corporate Information Security Office
The manager, CISO, is responsible for the following:
1. Setting the overall strategic and operational direction of the Postal Service information security program and the program’s implementation strategies.
2. Engaging at any point on any level for issues related to information security that impact the Postal Service.
3. Recommending members to the Information Security Executive Council.
4. Developing and disseminating information security policies, processes, standards, and procedures.
5. Managing the certification and accreditation (C&A) process.
6. Providing guidance on application security, reviewing the C&A documentation package, and accrediting sensitive-enhanced,
7. sensitive, and critical information resources developed for, endorsed by, or operated on behalf of the Postal Service.
8. Managing the Network Connectivity Review Board (NCRB) process.
9. Authorizing temporary access to information resource services.
10. Conducting site security reviews or providing support to the Postal Inspection Service during its site security reviews, as requested.
11. Providing consulting support for securing the network perimeter, infrastructure, integrity controls, asset inventory, identification, authentication, authorization, intrusion detection, penetration testing, and audit logs and for information security architecture, technologies, procedures, and controls.
12. Approving encryption technologies.
13. Providing leadership of the security initiatives for the Enterprise Architecture Forum.
14. Developing and implementing a comprehensive information security training and awareness program that is mandatory for all employees at the time of hire and annually thereafter.
15. Serving as the central point of contact for all information security issues and providing overall consultation and advice on information security policies, processes, standards, procedures, requirements,
16. controls, services, and issues.
17. At least semi-annually, assessing the adequacy of information security policy and process to reflect changes to business objectives and the operating environment (including technology infrastructure, threats, vulnerabilities, and risks).
18. At least annually, assessing the adequacy of information security controls and recommending changes as necessary.
19. Establishing evaluation criteria and recommending security hardware, software, and audit tools.
20. Approving the establishment of shared accounts
21. Ensuring compliance with information security policies and standards through inspections, reviews, and evaluations.
22 Providing support to the Office of the Inspector General (OIG) and the Inspection Service during the conduct of investigative activities
23. concerning information security, the computing infrastructure, and network intrusions, as requested.
24. Providing support to the chief postal inspector during the conduct of facility/site security reviews, as requested.
25. Escalating security issues to executive management and promulgating security issues and recommended corrective actions across the Postal Service.
26. Authorizing monitoring and surveillance activities of information resources.
27 Authorizing (in case of threats to the Postal Service infrastructure, network, or operations) appropriate actions that may include viewing and/or disclosing data to protect Postal Service resources or the nation’s communications infrastructure.
28. Confiscating and removing any information resource suspected of inappropriate use or violation of Postal Service information security policies to preserve evidence that might be used in forensic analysis of a security incident.
29 Reviewing and approving information security policy for mail processing equipment/mail-handling equipment (MPE /MHE).
6) Information Security Executive Council
The Information Security Executive Council consists of appropriate Postal Service representatives and serves as a steering committee advising the CISO and promulgating information security throughout the Postal Service.
7) Vice Presidents, Functional Business Areas
The vice presidents of Postal Service functional business areas are responsible for the following:
1. Ensuring resources are available for completing information security tasks.
2. Ensuring the security of all information resources within their organization.
3. Together with the VP IT, accepting, in writing, residual risks of information resources under their control. The vice presidents of functional business areas may delegate this authority to the applicable executive sponsor. If this authority is delegated, notice to that effect must be in writing.
4. Ensuring that contractual agreements require all suppliers, contractors, vendors, and business partners to adhere to Postal Service information security policies.
5. Together with the CIO and CPO, approving the removal of portable electronic devices or media containing sensitive-enhanced or sensitive information from a Postal Service facility. (If this responsibility is delegated, the delegation of responsibility must be writing.)
8) Vice President, Engineering
The vice president, Engineering, is responsible for ensuring the security of information resources used in support of the MPE/MHE environment, including technology acquisition, development, and maintenance.
9) Vice President, Network Operations
The vice president, Network Operations, is responsible for the security of the mail and information resources used in support of MPE/MHE strategies and logistics.
10) Officers and Managers
All officers, business and line managers, and supervisors, regardless of functional area, are responsible for the following:
1. Implementing information security policies, ensuring compliance with information security policies by organizations and information resources under their direction, and invoking user sanctions as required.
2. Identifying sensitive information positions in their organizations and ensuring that personnel occupying sensitive positions hold the appropriate level of clearance.
3. Managing access authorizations and documenting information security responsibilities for all personnel under their supervision.
4. Ensuring all personnel under their supervision receive information security training commensurate with their responsibilities upon hire and annually thereafter, and maintaining auditable training records when there isn’t an automated system.
5. Ensuring all personnel under their supervision comply with Postal Service information security policies and procedures.
6. Including employee information security performance in performance evaluations.
7. Supervising information security responsibilities of their onsite contractor personnel.
8. Processing departing personnel appropriately and notifying the appropriate system and database administrators when personnel no longer require access to information resources.
9. Initiating a written request for message data content or Internet usage monitoring and sending it to the CPO for approval.
10. Approving or denying requests, by personnel under their supervision, for access to information resources beyond temporary information resource services and reviewing those access authorizations on a semiannual basis.
11. Ensuring that all hardware and software are obtained in accordance with official Postal Service processes.
12. Protecting information resources and ensuring their availability through business continuity activities including plans, procedures, off-site backups, periodic testing, workarounds, and training/cross-training essential and alternate personnel.
13. Ensuring that personnel under their supervision who remove a portable electronic device or media from a Postal Service facility are aware of their responsibility for its security and have a place to secure the device or media when it is not being used. Ensuring compliance with Postal Service information security policy and procedures.
14. Reporting suspected information security incidents to the Computer Incident Response Team (CIRT) immediately, protecting information resources at risk during security incidents, containing the incident, and following continuity plans for disruptive incidents
11) Executive Sponsors
Executive sponsors, as representatives of the vice president of the functional business area, are the business managers with oversight (e.g., funding, development, production, and maintenance) of the information resource and are responsible for the following:
1. Consulting with the CPO for determining information sensitivity and Privacy Act applicability.
2. Ensuring a business impact assessment (BIA) is conducted to determine the sensitivity and criticality of each information resource under his or her control and to determine the potential consequences of information resource unavailability.
3. Providing resources to ensure that security requirements are properly addressed and information resources are properly protected.
4. Ensuring completion of a site security review, if the facility hosts an information resource designated as sensitive-enhanced, sensitive, or critical.
5. Ensuring that contract personnel under their supervision comply with Postal Service information security policies and procedures.
6. Ensuring that all information security requirements are included in contracts and strategic alliances.
8. Appointing, in writing, an information systems security representative (ISSR).
9. Ensuring completion of security-related activities throughout the Information resource C&A life cycle.
10. Ensuring that information resources within their purview are capable of enforcing appropriate levels of information security services to ensure data integrity.
11. Preventing residual data from being exposed to unauthorized users as information resources are released or reallocated.
12. Authorizing access to the information resources under their control and reviewing those access authorizations on a semiannual basis.
13. Maintaining an accurate inventory of Postal Service information resources and coordinating hardware and software upgrades.
14. Ensuring appropriate funding for proposed business partner connectivity, including costs associated with the continued support for the life of the connection.
15. Initiating and complying with the network connectivity request requirements and process as documented in the Information Security Network Connectivity Process.
16. Notifying the NCRB when the business partner trading agreement ends or when network connectivity is no longer required.
17. On a semiannual basis, reviewing and validating business partner connectivity to the Postal Service intranet.
18. Funding application recovery (including but not limited to hardware/ software licenses required, continuity plan development, testing, and maintenance) for applications.
19. If the VP functional business area delegated this authority to the executive sponsor, the executive sponsor will work jointly with the VP IT (or the Business Relationship Management manager if this authority is delegated) to review the C&A documentation package, accept the residual risk to an application, and approve the application for production or return the application to the applicable life cycle phase for rework.
20. Reporting suspected information security incidents to the CIRT immediately, protecting information resources at risk during the security incident, containing the incident, and following continuity plans for disruptive incidents.
21. Coordinating the resolution of identified vulnerabilities with the appropriate IT organization (e.g., Computer Operations, Business Relationship Management, Solutions Development and Support, etc.).
12) Functional System Coordinators
The functional system coordinator (FSC) role is an ad hoc activity assigned by a data steward and is not a position or job function. An FSC has expert knowledge of the information resource and is familiar with the people and levels of access being requested. The FSC role may be required for all information resources registered in eAccess. The FSC role is restricted to Postal Service employees. An FSC is responsible for approving or denying a request based on the role or access level requested. If access to sensitive information is requested, the requestor must have a sensitive clearance. The FSC has the last level of approval before a request is sent to the log-on administrator to create the account, which will then become active.
13) Business Relationship Management Portfolio Managers
Business Relationship Management portfolio managers are responsible for the following:
1. Supporting the executive sponsor in the development of information resources and the C&A process, including the BIA, risk assessment, and business continuity plans.
2. If an ISSR has not been assigned by the executive sponsor, appointing an ISSR to perform security-related activities.
3. Providing coordination and support to executive sponsors and disaster recovery (DR) service providers for all matters relating to business continuity planning.
4. Reviewing the C&A documentation package and completing a risk mitigation plan for risks identified as high or medium. If a documented high or medium vulnerability will not be mitigated, preparing and signing a Risk Acceptance Letter as part of the C&A process.
5. Business Relationship Management portfolio managers are responsible for the following: If the VP IT delegated this authority to the Business Relationship Management portfolio manager, the Business Relationship Management portfolio managers will work jointly with the vice president of the functional business area (or the executive sponsor, if this authority is delegated) to review the C&A documentation package, accept the residual risk to an information resource, and approve the information resource for production or return the information resource to the applicable life-cycle phase for rework.
6. Ensuring that the information resource is registered in eAccess.
7. Accepting personal accountability for adverse consequences if the information resource was placed in production before the C&A process was completed.
8. Managing projects through their project managers who are responsible for the following:
- Developing and maintaining C&A documentation as required.
- Incorporating the appropriate security controls in all information resources. Ensuring that the information resource is entered in the Enterprise Information Repository (EIR) and updated as required.
- Filing C&A documentation in the IT Artifacts Library and maintaining the hard copies and electronic copies for the appropriate retention periods
9. Notifying the NCRB when the business partner trading agreement ends or when network connectivity is no longer required.
10. On a semiannual basis, reviewing and validating business partner connectivity to the Postal Service intranet.
11. Completing along with their staff the annual C&A training.
12. Resolving identified vulnerabilities.
14) Managers of Information Technology Solution Centers
The managers of Information Technology Solution Centers are responsible for the following:
1. Sponsoring information security and business continuity management programs and ensuring that financial, personnel, and physical resources are available for completing security and business continuity tasks.
2, Ensuring confidentiality, availability, and integrity of data.
3. Ensuring the protection and secure implementation of the Postal Service IT infrastructure.
4. Ensuring compliance with the information security C&A processes.
5. Together with the vice president of the functional business area, accepting, in writing, the residual risk of applications and approving deployment.
6. Together with the vice president of the functional business area, approving the removal of portable electronic devices or media containing sensitive-enhanced or sensitive information from a Postal Service facility. (If this responsibility is delegated, notice to that effect must be writing.)
7. Managing projects through their project managers who are responsible for the following:
- Incorporating the appropriate security controls in all information resources.
- Notifying the NCRB when the business partner trading agreement ends or when network connectivity is no longer required.
- On a semiannual basis, reviewing and validating business partner connectivity to the Postal Service intranet.
- Functioning as the incident management team leader for their facility.
- Identifying and training key technical personnel to provide support in business continuity planning for their facility, information resources housed in their facility, and the alternate DR facilities.
- Resolving identified vulnerabilities.
15) Installation Heads
Installation heads are in charge of Postal Service facilities or organizations, such as areas, districts, Post Offices, mail processing facilities, parts depots, vehicle maintenance facilities, computer service centres, or other installations. Installation heads are responsible for the following:
1. Designating a security control officer (SCO) who is responsible for personnel and physical security at that facility, including the physical protection of computer systems, equipment, and information located therein.
2. Implementing physical and environmental security support for information security, such as the protection of workstations, portable devices, and media containing sensitive-enhanced, sensitive, or critical information.
3. Controlling physical access to the facility, including the establishment and implementation of controlled areas, access lists, physical access control systems, and identification badges.
4. Funding building security equipment and security-related building modifications.
5. Maintaining an accurate inventory of Postal Service information resources at their facilities and implementing appropriate hardware security and configuration management.
6. Maintaining and upgrading all security investigative equipment, as necessary.
7. Ensuring completion of a site security review, providing assistance to the Inspection Service and CISO as required, and accepting site residual risk.
8. Ensuring that the Postal Service security policy, standards, and procedures are followed in all activities related to information resources (including procurement, development, and operation) at their facility.
9. Ensuring that all employees who use or are associated with the information resources in the facility are provided information security training commensurate with their responsibilities and take appropriate action in response to employees who violate established security policy or procedures.
10. Cooperating with the Inspection Service to ensure the physical protection of the network infrastructure located at the facility.
11. Developing, maintaining, and testing:
- Workgroup Recovery Plan required for each business function.
- Emergency Action Plans required for each facility to ensure personnel are safely evacuated and provides for the protection of the employees.
- Incident Management Facility Recovery Plan required for each major IT site.
- Disaster Recovery Plan (DRP) (business information systems disaster) documents required for each critical system that supports essential (core) business functions.
12. Implementing and managing the following plans and team members:
- Emergency Action Plan.
- Incident Management Facility Recovery Plan.
- Workgroup Recovery and “Beyond” Continuity of Operations(COOP) Plans.
- DRP (business information systems disaster) documents.
13. Reporting information security incidents to the CIRT immediately, containing the incident, following continuity plans for disruptive incidents, and assessing damage caused by the incident.
14. Resolving identified vulnerabilities.
16) Chief Privacy Officer
The CPO is responsible for the following:
1. Developing policy for defining information sensitivity and determining information sensitivity designations.
2. Providing guidance on privacy issues to ensure Postal Service compliance with the Privacy Act, the Freedom of Information Act, Gramm-Leach-Bliley Act, and Children’s Online Privacy Protection Act.
3. Developing privacy compliance standards, customer or employee privacy notices, and customer data collection standards, including cookies and Web-transfer notifications.
4. Developing appropriate data record retention, disposal, and release procedures and standards.
5. Approving requests for message data content or Internet usage monitoring.
6. Consulting on and reviewing the BIA and approving the determination of information sensitivity.
7. Providing guidance throughout the investigation of a mass data compromise relating to the privacy of customer and employee/contractor personal information.
8. Developing communications to transmit to impacted parties to amass data compromise.
17) Inspector General
The inspector general is responsible for the following:
1. Conducting independent financial audits and evaluation of the operation of the Postal Service to ensure that its assets and resources are fully protected.
2, Preventing, detecting, and reporting fraud, waste, and program abuse.
3. Investigating computer intrusions and attacks against Postal Service information resources per agreement with the Inspection Service.
4. Investigating the release or attempted release of malicious code onto Postal Service information resources.
5. Investigating the use of Postal Service information resources to attack external networks.
6. Promoting efficiency in the operation of the Postal Service.
7. Funding CISO investigative efforts outside of those normally required.
8. The manager, Technical Crimes Unit (TCU), is responsible for the following:
- Functioning as an ongoing liaison with the CIRT.
- Serving as a point of contact between the CIRT and law enforcement agencies.
- Conducting criminal investigations of attacks upon Postal Service networks and computers.
18) Manager, Business Continuance Management
The manager, Business Continuance Management, is responsible for the following:
1. Protecting the health and safety of Postal Service employees.
2. Ensuring the continuity of business, expediting recovery from a loss of a single critical system or a major disruption to business functions.
3. Reviewing and assessing Business Continuity Management (BCM) program plans.
4. Defining, planning, developing, implementing, managing, assuring the testing and exercising, and monitoring for compliance of a sustainable BCM program for the Postal Service.
5. Ensuring appropriate Business Continuity Plans (BCPs) are developed, tested, and exercised for business functions and information technology services.
6. Ensuring appropriate DRP documents are developed and business information systems are tested for all critical and business functions and services.
7. Certifying all DRP test and BCP exercise.
8. Developing and implementing lines of communication to the IT organization about BCM matters.
9. Promoting BCM awareness and providing training for Postal Service personnel.
10.Ensuring compliance with BCM and information security policies.
11. Establishing a BCM policy and strategy.
19) Manager, Telecommunications Services
The manager, Telecommunications Services (TS), is responsible for the following:
1. Implementing and maintaining operational information security throughout the network infrastructure including timely security patch management. Critical security patches for PCI-related information resources must be installed within 30 days of release.
2. Recommending and deploying network hardware and software based on the Postal Service security architecture.
3. Operational monitoring and tracking of all physical connections between any component of the Postal Service telecommunications infrastructure and any associated information resource not under Postal Service control.
4.Implementing security controls and processes to safeguard the availability and integrity of the Postal Service intranet including physical access to network infrastructure and the confidentiality of sensitive enhanced and sensitive information.
5.Implementing the network perimeter firewalls, demilitarized zones, secure enclaves, and proxy servers.
6. Designating TS representative to the NCRB.
7.Ensuring secure and appropriate connectivity to the Postal Service intranet.
8. Ensuring network services and protocols used by Postal Service information resources provide the appropriate level of security for the Postal Service intranet and the information transmitted.
9. Implementing secure methods of remote access and appropriate remote access controls.
10. Implementing two-factor authentication and the associated infrastructure for network management.
11. Implementing only Postal Service-approved encryption technology.
12. Implementing appropriate network security administration and managing accounts appropriately.
13. Maintaining the integrity of data and network information resources.
14. Supporting the implementation of approved security incident detection and prevention technologies (e.g., virus scanning, intrusion detection systems, and intrusion prevention systems) throughout the perimeter.
15.Maintaining an accurate inventory of Postal Service network information resources.
16.Monitoring network security alerts and logs and providing network security audit logs to the CISO ISS.
17.Ensuring that recovery plans and sufficient capacity are in place for the recovery of the telecommunications infrastructure for the IT-supported Postal Service sites.
18. Identifying and training key technical personnel to provide support in BCM for information resources housed in IT-supported Postal Service sites.
19. Monitoring network traffic for anomalies, conducting perimeter scanning for viruses, malicious code, and usage of nonstandard network protocols, and immediately reporting suspected information security incidents to the CIRT.
20. Protecting information resources at risk during security incidents (if feasible) and providing support for CIRT incident containment and response.
21. Approving all wireless technology before any implementation activities are initiated.
22. Implementing and managing wireless local area network connectivity.
23. Detecting unauthorized access points.
24. Resolving identified vulnerabilities.
20) Managers Responsible for Computing Operations
The managers responsible for computing operations are responsible for the following:
1. Implementing information security policies, procedures, and standards and ensuring compliance.
2. Coordinating and implementing standard platform configurations based on the Postal Service security architecture.
3. Creating and maintaining a timely patch management process and deploying patches to resources under their control. Critical security patches for PCI-related information resources must be installed within 30 days of release.
4. Maintaining an accurate inventory of Postal Service information resources, tracking and reacting to security vulnerability alerts, coordinating hardware and software upgrades, and maintaining appropriate records.
5. Deploying and maintaining anti-virus software and recognition patterns to scan for malicious code and usage of nonstandard network protocols.
6. Supporting the C&A process for internally managed information resources.
7. Ensuring that remote access is appropriately managed.
8. Implementing appropriate security administration and ensuring that accounts are managed appropriately.
9. Maintaining the integrity of data and information resources and ensuring the appropriate level of information resource availability.
10. Ensuring the installation of the authorized internal warning banner
11. Disseminating security awareness and warning advisories to local users.
12Reporting suspected information security incidents to the CIRT immediately, protecting information resources at risk during security incidents, implementing containment, and assisting in restoring information resources following an attack.
13. Resolving identified vulnerabilities.
21) Manager, Corporate Information Security Office, Information Systems Security
The manager, CISO ISS is responsible for the following:
1. Determining the requirements and standards for secure enclaves.
2. Assessing information resources to determine the need for placement in a secure enclave.
3. Recommending and approving standard configurations and hardening standards for Postal Service information resources.
4. Approving two-factor authentication (e.g., digital certificates, digital signatures, biometrics, smart cards, and tokens) and the associated infrastructure for network management.
5. Approving and managing intrusion detection systems and intrusion prevention systems.
6. Approving, managing, and ensuring appropriate perimeter penetration testing and network vulnerability scans and testing.
7. Providing support to the OIG during the conduct of investigative activities concerning information security, the computing infrastructures, and network intrusion as requested.
8. Approving the use of networking monitoring tools, except those used by the OIG.
9. Providing support to the chief postal inspector during his or her conduct of site security reviews as requested.
10. Conducting monitoring and surveillance activities.
11. Collecting, correlating, and reviewing all Postal Service security audit log files and security alerts.
12. Reviewing information security policy and processes for MPE/MHE.
13. Developing and maintaining an information security architecture and coordinating a secure Postal Service computing infrastructure by setting standards and developing the security processes and procedures.
14. Removing network connectivity from any computing device that does not meet the defined operating system and anti-virus software and recognition pattern thresholds.
15. Managing the NCRB to control connectivity to the Postal Service computing infrastructure.
16. Designating the chairperson of the NCRB and additional ISS representatives to the NCRB, as required.
17. The NCRB is responsible for the following:
- Managing the Postal Service network connectivity process through the implementation of the Information Security Network Connectivity Process.
- Developing system connectivity requirements for Postal Service connections to external systems, externally facing information resources (e.g., FTP servers), and connections via the Internet to Postal Service development, production, and internal networks.
- Developing standard connectivity and documentation criteria to expedite approval of connectivity requests without additional board action.
- Requesting additional information, security reviews, or audits about proposed or approved connections, if deemed necessary.
- Evaluating connectivity and firewall change requests and approving or rejecting them based upon existing policy, best practices, and the level of risk associated with the request.
- Consulting with executive sponsors on network information security requirements.
- Assisting the requester in identifying alternative solutions for denied requests that are acceptable to the requester and the Postal Service.
- Reviewing new information resource, infrastructure, and network connections and their effects on overall Postal Service operations and information security.
- Recommending and approving network services and protocols.
- Recommending changes to the business partner network. In situations where high-risk factors exist, issuing mitigating requirements for connectivity.
18. Ordering the disabling of an information resource or network connection that does not comply with Postal Service policies, procedures, and standards or which is found to pose a significantly greater risk than when originally assessed.
19, Managing the CIRT to help the Postal Service contain, eradicate, document, and recover following a computer security incident and return to a normal operating state.
20. The CIRT is responsible for the following:
- Providing an immediate and effective response to computer security incidents as they occur.
- Working with an organization to contain, eradicate, document, and recover following a computer security incident.
- Engaging other Postal Service organizations including, but not limited to, the OIG and Inspection Service.
- Escalating information security issues to executive management as required.
- Conducting a post-incident analysis, where appropriate, and recommending preventive actions.
- Maintaining a repository for documenting, analyzing, and tracking Postal Service security incidents until they are closed.
- Interfacing with other governmental agencies and private-sector computer incident response centers.
- Participating in and providing lesson learned information from information security incidents into ongoing information security awareness and training programs.
- Developing and documenting processes for incident reporting and management.
- Providing support to the OIG and the Inspection Service, as requested.
- Designating an information security policy and process program manager who is responsible for establishing, documenting, and disseminating information security policies, standards, and processes.
22) Managers, Help Desks
The managers, Help Desks, are responsible for the following:
1. Creating the entry for the problem tracking management system for security incidents reported to the Help Desks.
2. Providing technical assistance for responding to suspected virus incidents reported to the Help Desks.
3. Escalating unresolved suspected virus events to the CIRT.
23) Contracting Officers and Contracting Officer Representatives
Contracting officers and contracting officer representatives are responsible for the following:
1. Ensuring that information technology suppliers, contractors, vendors, and business partners are contractually obligated to abide by Postal Service information security policies, standards, and procedures.
2. Thoroughly vetting service providers for PCI services prior to engagement that includes a risk analysis and documentation to reflect due diligence to the PCI assessor.
3. Updating the PCI Program Management Office (PMO) with status information on service providers for the PCI environment.
4. Verifying that information technology suppliers, vendors, and business partners responsible for storing, processing, or transmitting Postal Service payment card information complete an annual Letter of Attestation providing an acknowledgement of their responsibility for the security of payment card data, under the current PCI DSS.
5. Monitoring service provider PCI compliance at least annually.
6. Verifying that all contracts and business agreements requiring access to Postal Service information resources identify sensitive positions, specify the clearance levels required for the work, and address appropriate security requirements.
7. Verifying that contracts and business agreements allow monitoring and auditing of any information resource project.
8. Verifying that the security provisions of the contract and business agreements are met.
9.Confirming the employment status and clearance of all contractors who request access to information resources.
10. Verifying all account references, building access, and other privileges are removed for contractor personnel when they are transferred or terminated.
11. Notifying the CIRT of any security breaches reported to them by the service providers.
24) General Counsel
The general counsel is responsible for the following:
1. Ensuring that information technology contractors, vendors, and business partners are contractually obligated to abide by Postal Service information security policies, standards, and procedures.
2. Ensuring that contracts and agreements allow monitoring and auditing of Postal Service information resource projects.
25) Business Partners
Business partners may request connectivity to Postal Service network facilities for legitimate business needs. Business partners requesting or using connectivity to Postal Service network facilities are responsible for the following:
1. Initiating a request for connectivity to the Postal Service executive who sponsors the request.
2. Complying with Postal Service network connectivity request requirements and process.
3. Abiding by Postal Service information security policies regardless of where the systems are located or who operates them. This also includes strategic alliances.
4. Protecting information resources at risk during security incidents, if feasible.
5. Reporting information security incidents immediately to the CIRT, the executive sponsor, and the information systems security officer (ISSO) assigned to their project.
6. Taking action, as directed by the CIRT, to eradicate the incident, recover from it, and document actions regarding the security incident.
7. Allowing site security reviews by the Postal Inspection Service and CISO.
8. Allowing audits by the OIG.
The manager, CISO, functions as the accreditor and is responsible for the following:
1. Reviewing the risk mitigation plan and supporting C&A documentation package together with business requirements and relevant Postal Service issues.
2. Escalating security concerns or preparing and signing an accreditation letter that makes one of the following recommendations: accepting the information resource with its existing information security controls, requiring additional security controls with a timeline to implement, or deferring deployment until information security requirements can be met.
3. Forwarding the accreditation letter and C&A documentation package to the Business Relationship Management manager and executive sponsor.
The manager, Security Certification and Accreditation Process, who is appointed by the manager, CISO, functions as the certifier and is responsible for the following:
1. Managing and providing guidance to the ISSOs.
2. Reviewing the C&A evaluation report and the supporting C&A documentation package.
3. Escalating security concerns or preparing and signing a certification letter.
4. Forwarding the certification letter and C&A documentation package to the accreditor.
5. Maintaining an inventory of all information resources that have completed the C&A process.
28) Security Control Officers
SCOs ensure the general security of the facilities to which they are appointed, including the safety of on-duty personnel and the security of mail, Postal Service funds, property, and records entrusted to them . SCOs are responsible for the following:
1. Establishing and maintaining overall physical and environmental security at the facility, with technical guidance from the Inspection Service.
2. Establishing controlled areas within the facility, where required, to protect information resources designated as sensitive-enhanced, sensitive, or critical.
3. Establishing and maintaining access control lists of people who are authorized access to specific controlled areas within the facility.
4. Ensuring positive identification and control of all personnel and visitors in the facility.
5. Ensuring the protection of servers, workstations, portable devices, and information located at the facility.
6. Consulting on the facility COOP plans.
7. Conducting annual facility security reviews using the site security survey provided by the Inspection Service.
8. Reporting suspected information security incidents to the CIRT and providing support for incident containment and response, as requested.
9. Responding to physical security incidents and reporting physical security incidents to the Inspection Service.
10. Interfacing with CIRT, Inspection Service, CISO, or OIG, as required.
29) Information Systems Security Representatives
ISSRs are appointed in writing by the executive sponsors or the Business Relationship Management portfolio manager and are members of the information resource development or integration teams. The role of the ISSR can be performed in conjunction with other assigned duties. If an ISSR is not assigned, the project manager assumes the role. ISSRs are responsible for the following:
1.Providing support to the executive sponsor and Business Relationship Management portfolio manager, as required.
2. Promoting information security awareness on the project team.
3. Ensuring security controls and processes are implemented.
4. Notifying the executive sponsor, Business Relationship Management portfolio manager, and ISSO of any additional security risks or concerns that emerge during development or acquisition of the information resource.
5. Developing or reviewing security-related documents required by the C&A process as assigned by the executive sponsor or Business Relationship Management portfolio manager.
6. Working with the ISSO to complete the eC&A artifacts in the eC&A system and sending other required artifacts (e.g., TAD, operational training, etc.) or their location (i.e., URL) to the ISSO.
30) Information Systems Security Officers
ISSOs are responsible for the following:
1. Chairing the C&A team.
2. Ensuring that a BIA is completed for each information resource.
3. Ensuring that the responsible project manager records the sensitivity and criticality designations in EIR.
4. Advising and consulting with executive sponsors, Business Relationship Management portfolio managers, and ISSRs during the BIA process so they know the background for
- baseline security requirements that apply to all information resources and
- Recommending security requirements to executive sponsors and Business Relationship Management portfolio managers during the BIA process, based on generally accepted industry practices and the risks associated with the information resource.
5. Providing guidance on how information resources are vulnerable to threats, what controls and countermeasures are appropriate, and the C&A process.
6. Conducting site security reviews or helping the Inspection Service conduct them.
7. Reviewing the C&A documentation package.
8. Preparing and signing the C&A evaluation report and forwarding the evaluation report and C&A documentation to the certifier.
31) System and Network Administrators
System and network administrators are technical personnel who serve as computer systems, network, server, and firewall administrators, whether the system management function is centralized, distributed, subcontracted, or outsourced. System and network administrators are responsible for the following:
1.Implementing information security policies and procedures for all information resources under their control, and also for monitoring the implementation for proper functioning of security mechanisms.
2. Implementing appropriate platform security based on the platform specific hardening standards for the information resources under their control.
3. Complying with standard configuration settings, services, protocols, and change control procedures.
4. Applying approved patches and modifications in accordance with policies and procedures established by the Postal Service. Ensuring that security patches and bug fixes are kept current for resources under their control.
5. Implementing appropriate security administration and ensuring that log-on IDs are unique.
6. Setting up and managing accounts for information resources under their control in accordance with policies and procedures established by the Postal Service.
7. Disabling accounts of personnel whose employment has been terminated, who have been transferred, or whose accounts have been inactive for an extended period of time.
8. Making the final disposition (e.g., deletion) of the accounts and the information stored under those accounts.
9. Managing sessions and authentication and implementing account time-outs.
10. Preventing residual data from being exposed to unauthorized users as information resources are released or reallocated.
11. Testing information resources to ensure security mechanisms are functioning properly.
12. Tracking hardware and software vulnerabilities.
13. Maintaining an accurate inventory of Postal Service information resources under their control.
14. Ensuring that audit and operational logs, as appropriate for the specific platform, are implemented, monitored, protected from unauthorized disclosure or modification, and are retained for the time period specified by Postal Service security policy.
15. Reviewing audit and operational logs and maintaining records of the reviews.
16. Identifying anomalies and possible internal and external attacks on Postal Service information resources.
17.Reporting information security incidents and anomalies to their manager and the CIRT immediately upon detecting or receiving notice of a security incident.
18. Protecting information resources at risk during security incidents, assisting in the containment of security incidents as required, and taking action as directed by the CIRT.
19. Participating in follow-up calls with the CIRT and fixing issues identified following an incident.
20. Ensuring that virus protection software and signature files are updated and kept current for resources under their control.
21. Ensuring the availability of information resources by implementing backup and recovery procedures.
22. Ensuring compliance with Postal Service information security policy and procedures.
23. Monitoring the implementation of network security mechanisms to ensure that they are functioning properly and are in compliance with established security policies.
24. Maintaining a record of all monitoring activities for information resources under their control.
25. Assisting with periodic reviews, audits, troubleshooting, and investigations, as requested.
26. Resolving identified vulnerabilities.
32) Database Administrators
Database administrators (DBAs) are responsible for the following:
1.Implementing appropriate database security based on the platform-specific hardening standards for the information resources under their control.
2. Implementing information security policies and procedures for all database platforms and monitoring the implementation of database security mechanisms to ensure that they are functioning properly and are in compliance with established policies.
3. Applying approved patches and modifications, in accordance with policies and procedures established by the Postal Service.
4. Maintaining an accurate inventory of Postal Service information resources under their control.
I5. Implementing appropriate database security administration and ensuring that log-on IDs are unique.
6. Setting up and managing accounts for systems under their control in accordance with policies and procedures established by the Postal Service.
7. Disabling accounts of personnel that has been terminated, transferred, or have accounts that have been inactive for an extended period of time.
8. Making the final disposition (e.g., deletion) of the accounts and the information stored under those accounts.
9. Managing sessions and authentication and implementing account time-outs.
10.Preventing residual data from exposure to unauthorized users as information resources are released or reallocated.
11.Testing database software to ensure that security mechanisms are functioning properly.
12.Tracking database software vulnerabilities, and deploying database security patches.
13.Ensuring database logs are turned on, logging appropriate information, protected from unauthorized disclosure or modification, and retained for the time period specified.
13.Reviewing database audit logs and maintaining records of log reviews.
14.Assisting with periodic reviews, audits, troubleshooting, and investigations, as requested.
15.Ensuring the availability of databases by implementing database backup and recovery procedures.
16. Identifying anomalies and possible attacks on Postal Service information resources.
17. Reporting information security incidents and anomalies to their manager and the CIRT immediately upon detecting or receiving notice of a security incident.
18.Protecting information resources at risk during security incidents, assisting in the containment of security incidents as required, and taking action as directed by the CIRT.
19. Resolving identified vulnerabilities.
33) All Personnel
All personnel, including employees, suppliers, consultants, contractors, business partners, customers who access nonpublicly available Postal Service information resources (e.g., mainframes or the internal Postal Service network), and other authorized users of Postal Service information resources are responsible for the following:
1.Complying with applicable laws, regulations, and Postal Service information security policies, standards, and procedures.
2. Displaying proper identification while in any facility that provides access to Postal Service information resources.
3.Being aware of their physical surroundings, including weaknesses in physical security and the presence of any authorized or unauthorized visitor.
4.Protecting information resources, including workstations, portable devices, information, and media.
5. Always using their physical and technology electromechanical access control identification badge or device to gain entrance to a controlled area.
6.Ensuring no one tailgates into a controlled area on their badge.
7.Performing the security functions and duties associated with their job, including the safeguarding of their log-on IDs and passwords.
8.Changing their password immediately, if they suspect that the password has been compromised.
9.Prohibiting any use of their accounts, log-on IDs, passwords, personal information numbers (PINs), and tokens by another individual.
10.Taking immediate action to protect the information resources at risk upon discovering a security deficiency or violation.
11.Only using licensed and approved hardware and software.
12.Protecting intellectual property.
13.Complying with Postal Service remote access information security policies, including those for virtual private networks, modem access, dial-in access, secure telecommuting, and remote management and maintenance.
14.Complying with acceptable use policies.
15. Maintaining an accurate inventory of information resources for which they are responsible.
16.Protecting information resources against viruses and malicious code.
17.Calling the appropriate Help Desk for technical assistance in response to suspected virus incidents.
18. Immediately reporting to the CIRT via telephone or email and, as appropriate, to their immediate supervisor, manager, or system administrator, any suspected security incidents, including security violations or suspicious actions, suspicion or occurrence of any fraudulent activity; unauthorized disclosure, modification, misuse, or inappropriate disposal of Postal Service information; and potentially dangerous activities or conditions.
19.Taking action, as directed by the CIRT, to protect against information security incidents, to contain and eradicate them when they occur, and to recover from them.
20. Documenting all conversations and actions regarding the security incident and completing PS Form 1360, Information Security Incident Report, or an acceptable facsimile. If an individual removes a portable electronic device from a Postal Service facility, he or she must do the following:
- If the device contains sensitive-enhanced or sensitive information, request approval in writing from his or her functional area vice president (data steward), CPO, and the VP IT Operations or their designees.
- Reporting any missing or stolen device or media immediately to his or her manager, the CIRT via e-mail to firstname.lastname@example.org, and to the local Inspection Service office. If the device has been stolen somewhere other than Postal Service premises, report the theft to the local police as well.
———————————End of example———————————————
If you need assistance or have any doubt and need to ask any questions contact me at email@example.com. You can also contribute to this discussion and I shall be happy to publish them. Your comments and suggestion are also welcome.