ORP.1 Organisation
• ORP.1.G1 Insufficient Rules
• ORP.1.G2 Non-Compliance with Regulations
• ORP.1.G3 Inadequate or Incompatible Resources
• ORP.1.G4 Threats from Outside the Organisation
• ORP.1.A1 Specification of Responsibilities and Provisions [Top Management]
• ORP.1.A2 Assigning Responsibilities [Top Management] (B)
• ORP.1.A3 Supervising or Escorting External Individuals [Employee] (B)
• ORP.1.A4 Separation of Roles Between Incompatible Tasks (B)
• ORP.1.A15 Contact Persons for Information Security Issues (B)
• ORP.1.A8 Managing Resources and Devices [IT Operation Department] (S)
• ORP.1.A13 Security During Relocation [IT Operation Department, Building Services] (S)
• ORP.1.A16 Policy for Secure IT Use [User] (S)
1. Overview
ORP.1 Organisation
1. Description
1.1. Introduction
Every organisation needs a service that is responsible for controlling and regulating general operations and planning, organising, and implementing administrative services. For these purposes, most organisations have an organisational unit which controls the interaction of various roles and units with the corresponding business processes and resources. At this overarching level, aspects of information security must be incorporated and defined in a binding manner.
1.2. Objective
This module lists general and overarching requirements in the area of organisation which help to increase and maintain information security. To achieve this, information flows, processes, the distribution of roles, and structural and procedural organisation must be regulated.
1.3. Scoping and Modelling
Module ORP.1 Organisation must be applied at least once to the entire information domain under consideration. If parts of the information domain are assigned to another organisational unit and are therefore subject to different general conditions, this module should be applied separately to each unit.
The module forms an overarching basis for implementing information security in an organisation. It does not deal with specific aspects of personnel, employee training, the administration of identities and authorisations, or compliance management. These aspects are covered in the modules ORP.2 Personnel, ORP.3 Awareness and Training in Information Security, ORP.4 Identity and Access Management, and ORP.5 Compliance Management.
ORP.1.A1 Specification of Responsibilities and Provisions [Top Management]
Within an organisation, all relevant tasks and roles MUST be clearly defined and separated from each other. Binding provisions for information security MUST be defined globally for the different operational aspects at hand. The organisational structures and binding regulations MUST be revised when required. All employees MUST be informed of such changes.
ORP.1.A2 Assigning Responsibilities [Top Management] (B)
For all business processes, applications, IT systems, rooms and buildings, and communication links, the persons responsible for them and their security MUST be defined. All employees MUST be informed accordingly, particularly with regard to what they are responsible for and the related tasks they are to perform.
ORP.1.A3 Supervising or Escorting External Individuals [Employee] (B)
Persons from outside an organisation MUST be escorted to rooms by employees. Employees within the organisation MUST also supervise external persons in sensitive areas. Employees SHOULD be encouraged not to leave external persons unattended within their organisation's premises.
ORP.1.A4 Separation of Roles Between Incompatible Tasks (B)
Tasks and the roles and functions they require MUST be structured in such a way that incompatible tasks (such as operative and controlling roles) are assigned to different persons. The separation of incompatible roles MUST be defined and documented. Representatives MUST also be subject to the separation of roles.
ORP.1.A15 Contact Persons for Information Security Issues (B)
In every organisation, there MUST be contact persons for security issues who can answer both seemingly simple and complex questions. These contact persons MUST be known to all the employees of their organisation. Corresponding information MUST be available and easily accessible to everyone in the organisation.
ORP.1.A8 Managing Resources and Devices [IT Operation Department] (S)
All devices and resources that influence information security and are required to perform tasks and comply with security requirements SHOULD be available in sufficient quantities. Suitable verification and approval processes SHOULD take place before these devices and resources are used. Devices and resources SHOULD be listed in appropriate inventories. To prevent the misuse of data, the reliable deletion or destruction of devices and resources SHOULD be regulated (see CON.6 Deleting and Destroying Data and Devices).
ORP.1.A13 Security During Relocation [IT Operation Department, Building Services] (S)
Prior to a relocation, security policies SHOULD be drawn up or updated in good time. All employees SHOULD be informed of the relevant security safeguards before, during, and after the relocation. The items transported SHOULD be checked after relocation to ensure they have all arrived undamaged and unmodified.
ORP.1.A16 Policy for Secure IT Use [User] (S)
A policy SHOULD be drawn up for all employees which transparently describes the framework conditions that must be observed during IT use and the security safeguards that must be implemented. The policy SHOULD cover the following aspects:
• the security objectives of the organisation in question
• important terms
• tasks and roles with respect to information security
• contact persons for questions regarding information security
• security safeguards to be implemented and observed by employees
The policy SHOULD be brought to the attention of all users. Every new user SHOULD confirm in writing that they have read and will comply with the policy before being allowed to use information technology. Users SHOULD reconfirm the policy regularly and after major changes. The policy should be made freely available for all staff to read (on the organisation's intranet, for example).
1.1 References
1.2 Identified Requirements
1.2 Related Regulations
2. Identified Requirements
Source | Requirement
3. Related Regulations
Source | Regulation
Linked Issues