IT Security Officer
For operators of critical infrastructures, appointing an IT security officer can be a legal obligation. Even where it is not, the security of IT systems deserves particular attention. An IT security officer can also be important for a company's development with regard to risk provisioning and the avoidance of liability.
Although the tasks of an IT security officer are not explicitly regulated by law, they cover certain areas by virtue of their professional competence. Separating the tasks of the data protection officer from those of the IT security officer is important for a central management approach, but in individual cases the line is often difficult to draw.
The IT security officer
- explains to the management the importance of IT, the IT security level to be achieved and the company-wide IT security objectives, drafts them and brings about a decision;
- reports to the management on the current state of IT security;
- advises the management on IT security issues;
- develops and drafts IT security guidelines and obtains the management's approval;
- communicates the agreed IT security guidelines to all affected employees of the company;
- issues guidelines and regulations on how IT security is to be achieved in the company;
- supports the application of IT baseline protection (IT-Grundschutz) and the performance of risk analyses for the creation of IT security concepts;
- reconciles IT security objectives with the company's objectives and optimises company-wide processes;
- defines IT security tasks for the units reporting to them;
- reviews the IT security concepts that have been drawn up for correctness and traceability;
- manages the resources available for IT security;
- monitors the progress of the implementation of IT security measures;
- coordinates checks of the effectiveness of IT security measures during ongoing operations;
- coordinates awareness and training measures on the subject of IT security.
At first sight, the work of an IT security officer resembles that of a data protection officer: it consists in particular of examining and assessing facts, performing checks and giving advice on IT security issues. With MORGENSTERN's interdisciplinary consulting approach, duplicate effort is avoided because the information already collected during data protection consulting also benefits the IT security officer.