Establishing information security is not a project with a limited time span but a continuous process. The appropriateness and effectiveness of all elements of the information security management system must be checked continuously. This means that not only individual information security safeguards must be checked but also that the information security strategy must be reviewed on a regular basis.
Security is not a permanent state that, once achieved, will never change. Every organisation and public agency is subject to continuous, dynamic change. Many of these changes also affect information security, because they involve changes to business processes, tasks, infrastructure, organisational structures and IT.
Managing and maintaining information security
The management level must actively initiate, manage and supervise the security process. A strategy for information security as well as IS objectives must be agreed. The impact of information security risks on the business operation and on the fulfilment of tasks.
Upper management must ensure that it is regularly informed about problems, the results of reviews and audits, the latest developments, altered prevailing conditions and opportunities for improvement so that it can fulfil its management function.
Information security is a complex issue, so the persons responsible for it must familiarise themselves with it very carefully. Many sources of information are available for this purpose, including existing norms and standards, Internet publications and other publications. Furthermore, co-operation with associations, peers, committees and other companies or public agencies as well as CERTs should be used for exchanging experiences about successful information security activities. Since the subject of information security is very broad, it is important to identify, and of course document, the information sources and co-operation partners that are appropriate for the particular institution and the prevailing conditions.