
6 Maintenance and continuous improvement of the information security

6.2 The flow of information in the information security process

As a result of the checks and improvements to the information security process, a variety of reports, audit reports, security test results, reports of security-related events, and other information security documents are created in the organisation. The documents must be informative and understandable for the corresponding target group. Since not all this information is of interest to management, it is the job of the IT Security Officer and the IS Management team to collect, process, prepare, and present this information clearly yet briefly.

6.2.1 Reports to management

In order for management to be able to make the right decisions on controlling and managing the information security process, it needs basic information on the current information security status. This information should be prepared in management reports that cover, among others, the following points:

- Results of audits and data protection checks
- Reports on security incidents
- Reports on previous successes and problems in the information security process

Management must be informed regularly in an appropriate form by the IS organisation of the results of the checks and the status of the IS process. This includes pointing out any problems, successes, and potential for improvement. Management must take note of the management reports and initiate any safeguards that may be necessary.

6.2.2 Documentation in the information security process

For many reasons, the documentation of the IS process on all levels is key to its success. The following can only be ensured when sufficient documentation is available:

- Decisions are understandable by all
- Processes can be repeated and standardised
- Vulnerabilities and errors can be detected and prevented in the future

Depending on the subject and purpose of a document, the following different types of documentation may exist:

- Technical documentation and documentation of workflows (target group: experts)

  The current status of the business processes and of the IT systems and applications used by and for these business processes is described here. The level of detail of technical documentation is often a subject of controversy. One practical approach is to ensure that other people with comparable expertise can understand the documentation, and that an administrator can rely on his knowledge, but does not have to rely on his memory, to restore the systems and applications. During security exercises and when handling security incidents, the quality of the available documentation should be evaluated and the results of the evaluation used to improve the documentation. This type of documentation includes, among others:

  - Installation and configuration manuals
  - Instructions for restarting after a security incident
  - Documentation of testing and release procedures
  - Instructions on how to respond to malfunctions and security incidents

- Instructions for employees (target group: employees)

  Security safeguards must be documented in the form of policies which can be understood by the employees. In addition, the employees must be informed of the existence and importance of these policies, and must have received the corresponding training. This group of documentation consists of, for example:

  - Workflows and organisational specifications
  - Policies for Internet usage
  - Responses to security incidents

- Documentation of management decisions (target group: management)

  Basic decisions on the information security process and the security strategy must be recorded so that they can be understood and repeated at any time.

- Laws and regulations (target group: management)

  A number of different laws, regulations, and instructions may apply to the processing of information. The special requirements placed on business processes, IT operations, or information security, as well as the consequences resulting from the laws, regulations, and instructions applicable in the case at hand, should be documented.

It must be ensured that all documentation is kept up-to-date. The documentation must be integrated into the change process for this purpose.

6.2.3 Information flow and reporting routes

Prompt updating of the reporting routes and the specification of the flow of information are of key importance to maintaining the information security process. In addition, the results of the checks, tests, and audits performed also provide a useful basis for improving the information flow. The basic specifications relating to the flow of information and the reporting routes should be documented in a corresponding policy, which should then be approved by management. The policy on the flow of information and reporting routes should regulate in particular the information flows critical to the information security process. The policy must differentiate between receiving and distributing information flows.

Using synergy effects for the information flow

Many organisations have already defined processes to provide services or IT support. Synergy effects can often be used, and aspects of information security can often be integrated into existing processes. For example, the reporting routes for IT security incidents can be integrated into IT support, or capacity planning can be expanded to include aspects of contingency planning.

Much of the information collected for security reasons can also be used for other purposes. In addition, security safeguards have other positive side-effects, and the optimisation of processes in particular pays off. For example, the appointment of information owners or the classification of information according to uniform evaluation criteria is often relevant for many areas of an organisation. An overview of the dependency of business processes on IT systems and applications is not only useful for security management; for example, such an overview makes it possible to precisely assign IT costs, which are often considered to be overhead, to specific business processes or products.

Action Points for 6.2 The flow of information in the information security process

- The basic specifications for the flow of information and the reporting routes which are related to the information security process should be documented in a corresponding policy and submitted to management for approval.
- Inform management of the results of the checks and the status of the information security process.
- If necessary, obtain the decisions for the required corrective safeguards.
- Keep the documentation up-to-date.
- If necessary, evaluate the quality of the documentation and improve or update it wherever necessary.
- Keep the reporting routes relating to the information security process up-to-date.