Information security department structure
To protect the information of an enterprise, it is not enough to assign the information security function to a specialist from the IT department. A separate information security department or service must be created.
Information security department and its main tasks
An information security department is a separate structural unit whose main function is to protect the enterprise's information resources. Its tasks are to:
- organize comprehensive protection of information resources;
- coordinate security work;
- monitor compliance with the security measures taken by personnel;
- evaluate the effectiveness of information security methods;
- prepare documents on data protection at all levels;
- implement data protection tools and ensure their correct operation;
- administer information systems.
The tasks of information security departments may differ depending on:
- existing threats;
- management's attitude toward protecting confidential data;
- the role of information systems in business processes;
- tasks of the IT department;
- the information security budget allocated by management.
For a small business, a single information security officer is sufficient. Some business owners prefer to engage outside specialists with sufficient knowledge and work experience.
Information security service at the enterprise
Some executives are in no hurry to create a separate structural unit for information security. Instead they load the programmers with additional work, or hire a single specialist to help them. The return on such an arrangement is minimal. It must be understood that the work of a system administrator and the work of an information security specialist are completely different, albeit interconnected, areas. Data protection covers not only the safety of systems and databases, but also work with personnel, restricting access to the premises, physical security, maintaining a healthy working climate and much more.
A system administrator has his own responsibilities. Protecting information and deploying data protection tools will not be his priority, and he may simply not have time for these tasks.
An information security officer can also be placed within the physical security (guard) service. But this risks a misunderstanding between the head of that service and his new subordinate: most often, the people responsible for the security of the facility are far from technology and computing.
The service that protects classified information should cooperate closely with the programmers and with the enterprise's security service (meaning the physical protection of premises, territory and employees). But the employees of the information security department should report directly to the head of the company or one of his deputies. Only then can maximum efficiency be achieved.
How to find employees
It is not enough to create a structural unit and add new positions to the staffing table; professionals must also be found to fill the vacancies. One option is to retrain existing IT specialists, but as noted above this is a poor choice: it is better not to distract employees from their main work by loading them with additional responsibilities. Instead, recruit new staff, or at least one specialist to begin with.
This specialist should know:
- legal basis for data protection;
- information security basics (theory, methods, tools);
- information security auditing;
- fundamentals of cryptography.
Documentary support (instructions, rules for working with particular services, development of a security policy, etc.) is also the responsibility of the department or of the information security specialist.
A good information security specialist is rare, and the position of department head requires a person with not only the necessary knowledge but also experience in managing people.
This is why outsourcing is popular: a third-party organization that specializes in this area takes on the protection of confidential information.
Functions of information security department employees
The functional responsibilities of information security department employees can be roughly divided into several groups:
- formation and documentary support of information security policy;
- development, implementation of information security tools;
- administration of information systems, installation of security software, generation of passwords, etc.;
- control over the movement of materials, finished products and documents into and out of the premises;
- control of compliance with the requirements for the protection of confidential information;
- protection of the territory and personnel;
- audit, including cooperation with third parties;
- verification of compliance with the work schedule and internal regulations;
- organization of access control;
- interaction with law enforcement agencies.
The main responsibilities of information technology security specialists:
- development and implementation of a unified information security policy, control of its implementation;
- organization of secure document flow using cryptography;
- implementation of information security measures at each workplace in the head office and branches of the enterprise, subordinate divisions, subsidiaries;
- prevention and detection of data leaks and other threats;
- neutralization of cyber attacks;
- creating a comfortable psychological climate among staff, motivating people to fulfill the requirements of the information security service.
This list of functions and responsibilities clearly shows how the work of an information security officer differs from that of a programmer or of the physical security service.
Difficulties in the work of the information security department
The main problem is management's lack of understanding of how important information security work is. Obtaining funding for projects is difficult, since security and IT specialists and business managers speak different languages.
The department brings no direct profit to the company; it works to minimize losses. This makes the productivity of its specialists difficult to assess.
The company's management must clearly understand that the work of the information security service saves money that would otherwise be lost through hacker attacks, the leakage of classified information, the loss of valuable personnel, revenge by disgruntled employees, and so on.
The responsibilities of the information security department also include training all personnel in the basics of information protection as it applies to their duties, and monitoring compliance with the established rules. One specialist, or even an entire department, can achieve nothing without successful interaction with all parts of the organization.
Information security specialists are, first of all, auditors, organizers and coordinators; in a word, managers rather than executors. They are not cheap for an enterprise, but there is no point in filling the vacancy with an incompetent employee just so that all the blame can be laid on him if something happens. It must also be understood that information security is ensured not by the employees of one department, but by all personnel of the enterprise.