5. Information Security Management System

5.4. Organisational security

Defining organisational security, and in particular anchoring cyber (ICT) security within the structures an organisation already has in place, is essential if cyber threats and attacks are to be managed at all.

Security issues should be addressed within an organisation at the operational, tactical and strategic level, and from the perspective of the organisation's management.

From a security point of view, it is important that the cybersecurity function is separated from the department that provides ICT operations.[1] This is a separation of duties: the people who set security requirements and check compliance with them should not be the same people who operate the systems being checked.

Example: The author met a network administrator whose employer required him to act as security manager at the same time. In practice, this would mean that the administrator draws up the directives to be followed, and at the same time checks his own compliance with them and enforces them. The absurdity of this situation is obvious at first glance.

By default, organisational security rests on the fact that the designated entities are obliged, with regard to the information security management system (ISMS), to:

  • ensure that the security policy and objectives of the ISMS are set so that they are compatible with the strategic direction of the obligor,
  • ensure the integration of the ISMS into the processes of the obligor,
  • ensure the availability of the resources needed for the ISMS,
  • communicate to employees and all parties concerned the importance of the ISMS and of complying with its requirements,
  • provide support to achieve the intended outcomes of the ISMS,
  • lead employees to improve the effectiveness of the ISMS and support them in doing so,
  • promote continuous improvement of the ISMS,
  • support those holding security roles in promoting cybersecurity in their areas of responsibility,
  • ensure the establishment of rules for the designation of administrators and of the persons who will hold security roles; the security roles are:
      • Cybersecurity Manager,
      • Cybersecurity Architect,
      • Asset Guarantor,
      • Cybersecurity Auditor,
  • ensure that administrators and persons holding security roles are bound to confidentiality,
  • provide persons with security roles with the appropriate powers and resources, including budgetary allocations, to fulfil their roles and perform the related tasks,
  • ensure testing of business continuity plans, recovery plans and cybersecurity incident management processes.

To assign the responsibilities of individual persons (the security roles under the CSD) within an organisation and present them in a table, use of the RACI responsibility matrix (RACI matrix) is recommended. RACI is an acronym of:

R – Responsible: who is responsible for performing the assigned task (the given activity)

A – Accountable (or Approver): who is responsible for the whole task, i.e. for the given process being performed as predefined

C – Consulted: who can provide valuable advice or consultation for the task but does not take responsibility for the performance of the process

I – Informed: who should be informed about the progress of the task or about decisions made in it

The rule is that exactly one person has overall responsibility (A – Accountable) for a given task, while the number of people involved in performing it (R – Responsible) should be proportionate to the task. A quick consistency check of a RACI matrix is therefore that every row has one and only one A. The RACI method is a simple form of a competency model.[2]

Process                                             CS Committee   CS Manager   CS Architect   CS Auditor   Asset guarantor
Overall management and development of CS                 A              R             R             –               C
Information security management system                   A              R             C             –               C
Proposal of security measures                            C              A             R             –               C
Implementation of security measures                      C              A             R             –               C
Ensuring the development, use and security of assets     –              A             C             –               R
CS audit                                                 I              C             C            A/R              C

(– = the role is not involved in the process)

Figure: RACI matrix[3]



[1] Cf. Bezpečnostní role a jejich začlenění v organizaci (Security roles and their integration in an organisation). [online]. [cited 21/08/2018]. Available from: https://nukib.cz/download/kii-vis/container-nodeid-574/bezpecnostnirolev41.pdf, p. 3

[2] For more details see e.g. Matice odpovědnosti RACI (RACI Responsibility Matrix). [online]. [cited 21/08/2018]. Available from: https://managementmania.com/cs/matice-odpovednosti-raci, or Bezpečnostní role a jejich začlenění v organizaci (Security roles and their integration in an organisation). [online]. [cited 21/08/2018]. Available from: https://nukib.cz/download/kii-vis/container-nodeid-574/bezpecnostnirolev41.pdf, p. 6

[3] The RACI matrix describing the basic processes associated with security roles. The relationships between individual security roles and processes may vary depending on the organisation. Bezpečnostní role a jejich začlenění v organizaci (Security roles and their integration in an organisation). [online]. [cited 21/08/2018]. Available from: https://nukib.cz/download/kii-vis/container-nodeid-574/bezpecnostnirolev41.pdf, p. 7