Information security department regulations
Protecting confidential data is one of the top priorities for the management of any enterprise. To keep important information safe, an organization needs a dedicated structural unit that deals with these issues. Creating such a unit in turn requires statutory documentation that regulates its work and grants its employees specific powers. The key document is the regulation on the work of the information security department.
The content of the regulation depends on the functions the organization performs and on how sensitive the information to be protected is. For example, the regulation of a bank will differ significantly from the corresponding document of a state non-profit organization. However, the general structure of the regulation is common to all types of organizations, and it can be used as a basis, with the necessary paragraphs and sections added.
An example of such a structure can be seen below.
1.1. The Information Security Department (hereinafter referred to as the Department) is a separate structural unit of the organization. It is formed, restructured and liquidated by order of the management of the organization (director or other authorized person).
1.2. The Department reports to its immediate head, who is appointed to this position by the head of the organization. In the head's absence, the Department is managed by the deputy head or another authorized person. The head of the Department reports in turn to the head of the organization.
1.3. The work of the information security service is organized in accordance with the requirements of legislation and other regulatory legal acts, including the statutory documentation of the organization.
1.4. The duties of the information protection service employees, their powers and the degree of their responsibility for the safety of the organization's information resources are determined by this regulation, the organization's statutory documentation, the terms of the employment contract and job descriptions.
1.5. The department interacts with other structural divisions of the organization within its competence.
Aims, tasks and functions of the Department
2.1. The purpose of the Department's work is to ensure the protection of the organization's information resources from intentional and unintentional disclosure, loss, distortion, and theft.
2.2. The tasks of the Department include the development and implementation of a security system, as well as monitoring its operation and analyzing the effectiveness of the information protection tools in use.
2.3. The list of functions of the information security service includes:
- development of an integrated security system, including the use of a variety of methods and ways to protect confidential information from intentional and unintentional disclosure, loss, distortion, theft;
- implementation of the confidentiality regime and control over its observance;
- interaction with counterparties, ensuring the confidentiality of data transmission and information communicated to partners in the process of open negotiations;
- development of documents prescribing the observance of the confidentiality regime by the staff of the organization and seconded workers;
- assessment of the effectiveness of the implemented system for protecting the organization's information resources from intentional and unintentional disclosure, loss, distortion, theft;
- certification of employees, followed by assignment of the appropriate level of access to read and use confidential information;
- drawing up inspection reports on machinery, equipment and premises for their compliance with security requirements;
- other functions whose performance contributes to achieving the goals and objectives of the Department's work.
3.1. Employees of the Department are hired in accordance with the staffing table established by the personnel department and agreed with the higher management of the organization. The staffing table is developed in accordance with the goals and objectives of the structural unit.
3.2. The list of specialists who may be employees of the Department includes information security engineers and technicians, programmers, system administrators, and other specialists who are responsible for performing certain information security functions.
3.3. The responsibilities of the information security service employees are determined by the immediate head of the Department.
Rights and obligations
4.1. The Information Security Service is authorized to:
- monitor the work of all employees of the organization and their compliance with the confidentiality regime introduced in the organization;
- use information intended for official use and request it from employees of other structural divisions of the organization;
- interact with executive, legislative and judicial authorities to resolve legal issues related to the functions of the service;
- take all necessary measures to ensure the protection of confidential information;
- involve third-party specialists for the development, implementation and analysis of the effectiveness of the system for protecting confidential information;
- give instructions to employees of other structural divisions of the organization on issues within the competence of the service;
- conduct internal official investigations upon discovery of intentional or unintentional disclosure, loss, distortion or theft of confidential information;
- carry out other actions stipulated by job descriptions and aimed at achieving the goals and objectives of the service.
4.2. The head of the information protection service is obliged to:
- distribute tasks among subordinates according to their specialization and monitor the speed and quality of their completion;
- participate in the recruitment process;
- develop projects to improve the system for protecting confidential information;
- organize training for employees of the information security department and employees of other structural divisions of the organization;
- establish the procedure for repair work aimed at the earliest possible restoration of the information protection system in the event of technical failures or accidents;
- coordinate the interaction of employees of the information protection service with employees of other structural divisions of the organization.
4.3. Information security service employees are obliged to:
- monitor the work of all employees of the organization and their compliance with the confidentiality regime;
- prevent intentional or unintentional disclosure, loss, distortion or theft of confidential information by instructing the organization's employees;
- participate in the development of a comprehensive system for protecting confidential information;
- periodically check the training logs and equipment of the organization;
- conduct certification of all employees of the organization, check their knowledge in the field of existing methods of preventive protection of confidential information;
- perform other work aimed at realizing the goals and objectives of the information security service.
Relationship of the Department with other structural divisions of the organization
The information protection service, within its competence, interacts with:
5.1. Personnel department (to participate in interviews with applicants for positions that involve access to confidential information, to record certification results and information on identified confidentiality violations in personal files, and to study the personal files of the organization's employees).
5.2. Accounting department (to provide information on benefits and allowances due to employees with access to confidential information, and to obtain information on the expenditure of the wage fund and other data necessary for the work of the information security service).
5.3. Financial service (to provide planning documentation related to the purchase of the necessary equipment).
5.4. The Legal Department (for the timely study of changes in legislation related to the protection of information, as well as for the application of legally justified penalties for violation of the confidentiality regime).
5.5. Other structural units (to coordinate their work and ensure the required level of protection of confidential information).
6.1. Responsibility for protecting the organization's information resources from intentional or unintentional disclosure, loss, distortion and theft lies with the head of the Department.
6.2. The responsibility of employees of the information protection service is determined by their job descriptions.