Abstract:
Ensuring that proper controls are in place to protect an organisation's information and information systems is a management issue. It involves establishing a corporate infrastructure within which the security of information can be managed. This can only be achieved if all roles and responsibilities are clearly defined, including those of the security manager, audit, IT and so on. It also requires careful definition of the content and role of the corporate information security manual, awareness and training programmes, and risk analysis. The corporate information security manual includes the corporate policy, standards, practices and procedures. The article discusses these issues and presents models for the organisational structure, the roles and responsibilities, and the interaction of strategic tools such as the manual, awareness and risk analysis. It also addresses cost and the establishment of appropriate measures. Some discussion is focused on the management and operation of the security controls themselves.