INFORMATION SECURITY: Principle 3 - Assigning Responsibility

Principle 3 – Assigning Responsibility

Assigning responsibility for your information security tasks is a crucial principle of any information security program. As a manager, you are responsible for ensuring that systems are well managed and effective, and that information is adequately protected against loss of confidentiality, integrity and availability. Because the program rests on a philosophy of accountability, you must hold people accountable for their actions.

Two important aspects accompany this responsibility:

  • Accountability. Each task has a named responsible person (or persons); if the task is not completed, or the process is not followed, that person is held accountable.
  • Authority. Each task carries with it the authority to give instructions, make decisions, and ensure compliance. Responsibility without matching authority cannot be enforced.

Policies, procedures, work instructions, and position descriptions are among the easiest ways to define responsibility. The best way to summarize a person's responsibilities and tasks is to write a Position Description (PD). A PD condenses what several documents say about a role into a single, easy-to-understand document. A personnel manual built from these PDs lets your staff see immediately what your organization expects from them on information security issues.

Traditionally, a position description was written when an employee started a job and was rarely referred to thereafter. Occasionally it would be used as part of a performance review, or referred to during disciplinary action. Sometimes a manager would simply glance at a PD (if they could find it) and take a moment or two to see whether it had been updated. Generally, that was all.

PDs should not be viewed this way; they are a central part of your ISMS. Policies and procedures define what your employees do, how they do it, and with whom they do it. Powers and responsibilities are set out in PDs. PDs should be regarded as living documents, because skills, technologies, and organizational structure are constantly changing. Update PDs regularly (perhaps quarterly) so that the latest technologies and changes are taken into account, and communicate every change to your staff so that they always know what is expected of them.


Keeping people accountable for their actions and tasks is a key principle to keep in mind when designing an ISMS, and it has to be tracked continuously. Teamwork is especially important in this regard, but it cuts both ways: when everyone is responsible, no one is, and individual responsibility can easily hide inside a team. To keep responsibility well managed, assign each task to a named person and stay alert to tasks that have no clear owner.

Use SHEQ software

To design and implement a Quality Management System, SRM and many of our clients use Mango Compliance Software (www.mangolive.com). Mango makes it easier to obtain and maintain ISO 9001:2015 certification.


SRM is ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 certified. Contact our consultants today and let us know if we can help you with the development and implementation of your Quality Management System.