Regulations on information security service
To ensure the safety of confidential data and prevent its leakage, a special structural unit must be created at the enterprise. Its work should be regulated by a special document, an example of which can be studied below.
1.1. The Information Security Service (ISS) is part of the structural unit [...] and / or is included in the structure [...].
1.2. ISS organizes its activities in accordance with the goals and objectives set out in the company's charter.
1.3. The job description of ISS employees is established in accordance with the terms of the concluded labor contract.
1.4. In organizing its functioning, the ISS acts in accordance with the legislative acts of the Russian Federation, the statutory standards of the company and the current regulation on the information security department.
1.5. ISS is subordinate to the top management of the company (indicate the position of the general manager of the organization).
2.1. Carrying out activities and monitoring the actions of all divisions of the enterprise to organize a complex of protection of information resources.
2.2. Coordination and evaluation of the effectiveness of measures taken and implemented methods of protecting digital data in the enterprise.
Objectives of the ISS
3.1. The main purpose of the ISS is to ensure data protection against malicious threats, both intentional and unintentional, as well as to maintain the integrity of the enterprise as a manufacturer of goods and services for various types of customers.
4.1. The ISS is headed by a chief, who is appointed to and dismissed from this position.
4.2. A person with a suitable qualification level can be appointed to the position of the head of the ISS.
4.3. The composition, job descriptions and staffing table of the ISS are approved [...].
4.4. During the absence of the head of the ISS, his duties are performed by a deputy head appointed [...].
The structure of the ISS consists of groups of experts (programmers, information security specialists, electronics engineers, technicians and technologists) responsible for the following areas:
- data monitoring;
- assignment of requirements for the protection of the operating systems of the company's computer equipment;
- choice of methods and means of information protection;
- creation of methodological, regulatory and statutory documentation on how to ensure data protection;
- implementation of a database administration system.
5.1. Management of all activities aimed at ensuring data protection.
5.2. Development and submission of proposals for the functioning of the ISS.
5.3. The choice of methods and means of protecting digital data.
5.4. Control over observance of secrecy during telephone conversations, personal conversations and meetings at the enterprise.
5.5. Control over encryption keys and electronic signatures.
5.6. Participation in official investigations related to data protection violations.
5.7. Strict compliance with the legal requirements for the preservation of trade secrets and other important data of the enterprise.
5.8. Control over an integrated approach in the choice of equipment, methods and actions of an organizational nature aimed at ensuring the safety of storing confidential data.
5.9. Setting objectives and resolving issues related to the introduction of up-to-date secure electronic technologies that meet current requirements for the set of information security tools.
5.10. Conducting inspections and audits related to the organization's information security.
Powers and obligations of the ISS
6.1. To carry out its activities, the ISS, represented by the Head, has the following powers:
- create, issue orders and instructions, binding on all ISS employees;
- monitor the performance of official duties of all ISS employees;
- attend meetings and commissions on the activities of ISS employees;
- submit petitions for the removal from office of employees in accordance with the labor code of the Russian Federation.
6.2. For the successful functioning of the ISS, the head of the department must:
- be able to develop schemes, methods and technologies related to the activities of the ISS;
- control the interaction of department employees with other structural divisions of the enterprise;
- report monthly on the work done to the top management of the company.
6.3. To achieve the goals assigned to the ISS, its employees have the following powers:
- monitor the observance and implementation by the employees of the organization and partners of the legislation related to the observance of commercial secrets;
- develop and implement information security systems.
Department employees undertake:
- respond to violations of the rules set out in the statutory documents on information security, or to actions that lead to a violation of these rules;
- prevent the dissemination of information by ISS employees in their personal interests;
- ensure the integrity of incoming and authenticity of outgoing information;
- monitor the actions of employees aimed at restoring the work process in the organization;
- investigate the facts of violation of information protection.
6.4. The ISS, represented by its head, ensures the monthly implementation of the organization's work plan. The head of the department monitors compliance with the established requirements for the work of the subordinate structural unit of the organization.
Cooperation with other departments of the organization
7.1. To ensure information security, the ISS cooperates with all structural units and departments of the organization, including:
- HR department: to access the personal files of company employees; to obtain information on possible candidates for ISS vacancies and for positions of specialists whose activities are related to commercial or state secrets.
- Labor Organization Department: to obtain data on payments to employees; to access the job descriptions of employees working with information that contains trade secrets, and also to amend the job descriptions of these employees and to develop their obligations and degree of responsibility when working with confidential data.
- Financial department: to receive and propose estimates and calculations for technical work and the installation of equipment, and to coordinate other costs associated with the protection of information.
- Legal Department: to monitor compliance by employees of the enterprise with regulatory and legal acts adopted in accordance with the legislation of the Russian Federation regarding the protection of information; to develop measures of criminal and administrative responsibility applied during legal proceedings against company employees or third parties guilty of disclosing information that constitutes a state or commercial secret, of data loss, or of damage to company assets.
7.2. The employees of the department are authorized to develop acts, orders and other documentation that are mandatory for all departments of the organization. The responsibility of the ISS employees is determined by their job descriptions.