Friday, March 2, 2012

What Do Managers Need to Know About Information Security?

Managers need to know how to secure their information assets for a very good reason. The manager is the one who is responsible for maintaining the confidentiality, integrity and availability of information assets in his or her organization.
Very few people in the organization would otherwise be able to take up the slack if there were an absence of leadership when it came to protecting digital assets. Managers who fail to accept responsibility for information assurance are failing to fulfill their fiduciary responsibilities and are putting the organization's survival at risk.
Many organizations are without security policies in the first place, and an organization without security policies is "rudderless" when it comes to providing for information assurance. The technical IT people are then the only defense against malicious attacks, and they lack the express authority to create and implement an effective information security plan. The manager's job in this circumstance is to see to it that a plan is created. The company would otherwise be without a coherent way to provide for information security and would be risking its very existence.
Managers are the only ones who have direct authority to supervise information security policies for an organization. Managers can do so, however, without having to become computer nerds. People who run organizations simply must be aware of the need for systematically protecting information assets and make sure that their IT people understand how to implement computer and network security measures.
The following items are included in the manager's responsibility for computer security:
1. All of the assets of the organization must be identified, described and itemized.
By inventorying all information assets it becomes possible to provide an appropriate level of security for each set of information. Stated differently, if an organization does not know explicitly what information assets it possesses, it cannot protect them.
2. Each of the information assets must be classified as to its level of criticality.
"Criticality" relates to how important any given information asset is to the mission of the company. For example, accounts receivable is more critical to the organization than a backup copy of a public web site. Therefore, accounts receivable would have a higher level of criticality.
3. Policies and procedures must be developed on how information is to be processed in the organization.
Appropriate levels of access, based upon need to know, must be determined. General employees, for example, have no need to process payroll information.
4. Managers must create and implement an information security awareness plan.
An information security awareness plan must include all personnel and be followed through on. Employees take their lead from the manager and will support the development of a culture of security when they are aware that the manager wants it.
5. Managers must audit the organization's information security plan to be sure that each component is being implemented.
A manager's job includes being aware of the success of on-going business processes. Information assurance is a business process that must be monitored.
6. Managers are directly responsible for any adjustments that must be made to make the security plan more effective.
Managers are the leaders for employees of an organization. Employees take their cue from what their organizational leader does. The attitude that the manager projects, as well as his or her unspoken actions, sets the tone of the information security culture. Should the manager be lax about security practices, the entire organization is going to behave in the same manner.