Organizational Structure of Information Security

Suhail Hammad
3 min read · Nov 27, 2021

Introduction

Security operations are part of our life, whether we like it or not. Organizations perform security tasks every day, aiming to ensure service availability and to protect those services.

One day, maybe after a cyber-attack on your organization, you will feel that it’s time to have a separate entity to plan, implement, and maintain security operations.

Here in this article, I will focus on information security that applies to IT services.

What should an information security management system do?

Based on ISO/IEC documentation, “The establishment and implementation of an organization’s information security management system is influenced by the organization’s needs and objectives, security requirements, the organizational processes used and the size and structure of the organization”.

So, a clear understanding of an organization’s work, mission and vision is the key to a proper structure. Investment in security operations must be properly aligned with the organization’s strategic plans.

Does your organization really need a new entity?

This is the big question, and organization leaders must be educated, if needed, about the importance of adding a new box to the organization structure.

So, the top management, with the help of IT experts (internal or external), must assess and take a decision regarding these elements:

Criticality
Organizations are, in one way or another, aware of the criticality of their IT assets; an organization can assess the impact of an IT service failure, data loss or system outage. A Criticality Analysis is a standard procedure to rate the criticality of IT assets.

Generally speaking, if an organization finds that these potential risks affect its mission and goals, then a separate security structure is needed.

Segregation of duties
Does the organization have duties that must be separated? For example, internally developed systems must undergo a quality assurance process, such as a security check or a stress test; that quality assurance must be conducted by a team other than the system developers.

Speciality
Sometimes, organizations want specialized expert staff to do security work; in this case, the organization has to decide whether to outsource, invest in its existing staff, or recruit new staff.

Workload
Simply put, the workload on IT staff could trigger the process of separating IT security operations.

Security Organizational Structure

Basically, there are three scenarios for where an organization could place its security unit. Consequently, there are three different perspectives on security tasks:

  1. Within the IT department: the main task would be implementing and maintaining security operations: planning the technical work, developing security procedures, establishing and maintaining work documentation, and reviewing existing configurations, with the aim of working side by side with the technical team to improve IT operations.
  2. Independent entity within the organization: in this case, the security team is expected to establish and audit security procedures, without doing the actual implementation.
  3. External audit: as the name says, this is audit work: checking the working configuration and reporting to top management.

In any case, the adopted structure will directly affect the nature of the tasks assigned to this entity, which leads us to the following section. Big organizations may also have more than one such entity.

Same Tasks Different Perspectives

Depending on where the security entity is located, security tasks inherit the nature of that position, ranging from security development to security audit of IT operations.

Organization leaders and ICT staff must understand the mission and the perspective of the security work spectrum, starting from doing daily work to conducting official security audits.

Figure: Security Spectrum Explanation (image by author)

The Bottom Line

Security requirements change over time; establishing a new security entity must serve the organization’s needs, based on the nature of that organization.

Thanks for reading.

Written by Suhail Hammad

Suhail Hammad, MBA. Interested in Technology, Management, Elections, and Economics.