Plan and Organization | Object to be audited in Plan and Organization
Check whether the target and scope of the lottery printing business are clearly understood and defined with respect to the management of the instant-lottery development business, and whether any risk exists.
- Organization of security
Check List: Roles and responsibilities of organization and job allocation
Purpose: To manage information security within the organization
Audit resources (Procedure / Verification / Document / Product) - Document: Organization structure, R&R organization, Job matrix, Security policy guide, Security process guide
Detailed study list and method
- Check if a management authorization process for new information processing facilities is defined and implemented.
- Check if requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information are identified and regularly reviewed.
- Check if appropriate contacts with relevant authorities are maintained.
- Check if appropriate contacts with special interest groups or other specialist security forums and professional associations are maintained.
- Check if the organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes, and procedures for information security) are reviewed independently at planned intervals, or when significant changes to the security implementation occur.
- Check if a security organizational structure comprised of senior managers is formally established, monitors and reviews the ISMS, maintains formal minutes of meetings, and convenes at least every six months.
- Check if a Security Function exists that is responsible for drafting and implementing security strategies and action plans. It is involved in and reviews all processes regarding the security aspects of the organization, including, but not limited to, the protection of information, communications, physical infrastructure, and game processes.
- Check if the Security Function reports to no lower than executive-level management and does not reside within or report to the IT Function.
- Check if the Security Function is sufficiently empowered and has access to all necessary corporate resources to enable the adequate assessment, management, and reduction of risk.
- Check if the head of the Security Function is a full member of the Security Forum and is responsible for recommending security policies and changes.
※ REFERENCE: ISO27001, A.6.1, Organization of security
The Criteria to Winner: Security and Risk Management for Printed Lottery by Hyejung Moon is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
Based on a work at www.itpolicy.co.kr.
Permissions beyond the scope of this license may be available at http://www.lulu.com.