PROBLEM: It does not appear that there is a clear line of authority and responsibility for data security policies and procedures.
SOLUTION: Achieving adequate security and control over an organization’s data should be a top management priority. A company’s organizational structure defines its lines of authority, responsibility, and reporting and provides the overall framework for controlling and monitoring its operations.
Management should assign authority and responsibility for business objectives, such as data security, to specific departments and individuals and then hold them accountable for achieving those objectives. Authority and responsibility are assigned through formal job descriptions; employee training; and operating plans, schedules, and budgets. A written policy and procedures manual can be an important tool for assigning authority and responsibility.
k. After a careful review of the budget for data security enhancement projects, you feel the budget appears to be adequate.
PROBLEM: This item does not appear to be a problem. Your careful review indicates that the company appears to be allocating sufficient budget dollars to fund the data security enhancement projects.
l. The enhanced network firewall project appeared to be on a very aggressive implementation schedule. The IT manager mentioned that even if he put all of his personnel on the project for the next five weeks, he still would not complete the project in time. The manager has mentioned this to company management, which seems unwilling to modify the schedule.