Guideline 27. Management framework for information security

The institution establishes an information security management framework which defines the main procedures, duties and responsibilities in this domain.

Guideline code
ICT_03600
Mechanism
  • In developing the framework to protect data and reduce security risks, the ICT unit should:
    • Include an inventory of information assets that identifies the owner of each asset;
    • Take into account every ICT service scenario applicable to the institution (e.g. internally provided services, outsourced services, internal and external access to information);
    • Establish information security policies and protocols that govern how personnel interact with institutional data, covering the period before, during and after termination of employment. These protocols should apply to all staff: internal employees, external consultants, contractors and temporary staff;
    • Establish physical security measures for the platforms on which institutional data is stored;
    • Develop a business impact analysis and contingency management plans, including information technology business continuity and disaster recovery plans.
  • The management should communicate the scope of the framework throughout the institution.
Structure
  • The board and management should establish a policy on the adoption of a systematic, clear and effective approach for the management of information security.
  • The board and management should commission the ICT unit to design a management framework for information security which defines procedures and specifies related duties and responsibilities.
  • The board and management may establish specialized structures to manage information security processes within the institution, with well-defined and documented roles and responsibilities to ensure their accountability.
  • The contracts administration office should include these internal regulations and specifications in requests for proposals, contract documents and service level agreements.
  • The framework for information security management should follow the international standard ISO/IEC 27002:2005 Information technology – Security techniques – Code of practice for information security management.