c) Confirm that controls remain effective and appropriate.

Reviews should be performed at different levels of depth depending on the results of previous assessments and the changing levels of risk that management is prepared to accept. Risk assessments are often carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level, to address specific risks.

b) cost and impact of controls on business efficiency;

Selecting controls

Once security requirements have been identified, controls should be selected and implemented to ensure risks are reduced to an acceptable level. Controls can be selected from this document or from other control sets, or new controls can be designed to meet specific needs as appropriate. There are many different ways of managing risks and this document provides examples of common approaches. However, it is necessary to recognize that some of the controls are not applicable to every information system or environment, and might not be practicable for all organizations. As an example, describes how duties may be segregated to prevent fraud and error. It may not be possible for smaller organizations to segregate all duties, and other ways of achieving the same control objective may be necessary. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account. Some of the controls in this document can be considered as guiding principles for information security man

Information security starting point

A number of controls can be considered as guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security.

Controls considered to be essential to an organization from a legislative point of view include:

a) intellectual property rights (see );
c) data protection and privacy of personal information (see ).

Controls considered to be common best practice for information security include:

a) information security policy document (see );
c) information security education and training (see );
e) business continuity management (see ).

These controls apply to most organizations and in most environments. It should be noted that although all controls in this document are important, the relevance of any control should be determined in the light of the specific risks an organization is facing. Hence, although the above approach is considered a good starting point, it does not replace selection of controls based on a risk assessment.

Critical success factors

Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:

a) security policy, objectives and activities that reflect business objectives;
c) visible support and commitment from management;
e) effective marketing of security to all managers and employees;
g) providing appropriate training and education.

b) a statement of management intent, supporting the goals and principles of information security;
2) security education requirements;
4) business continuity management;
d) a definition of general and specific responsibilities for information security management, including reporting security incidents.

b) Monitoring significant changes in the exposure of information assets to major threats.
d) Approving major initiatives to enhance information security.

One manager should be responsible for all security-related activities.

Information security coordination

In a large organization a cross-functional forum of management representatives from relevant parts of the organization may be necessary to coordinate the implementation of information security controls. Typically, such a forum:

a) agrees specific roles and responsibilities for information security across the organization;
c) agrees and supports organization-wide information security initiatives, e.g. security awareness programme;
e) assesses the adequacy and coordinates the implementation of specific information security controls for new systems or services;
g) promotes the visibility of business support for information security throughout the organization.

Allocation of information security responsibilities

Responsibilities for the protection of individual assets and for carrying out specific security processes should be clearly defined. The information security policy (see clause 3) should provide general guidance on the allocation of security roles and responsibilities in the organization. This should be supplemented, where necessary, with more detailed guidance for specific sites, systems or services. Local responsibilities for individual physical and information assets and security processes, such as business continuity planning, should be clearly defined.

In many organizations an information security manager will be appointed to take overall responsibility for the development and implementation of security and to support the identification of controls. However, responsibility for resourcing and implementing the controls will often remain with individual managers. One common practice is to appoint an owner for each information asset who then becomes responsible for its day-to-day security. Owners of information assets may delegate their security responsibilities to individual managers or service providers. Nevertheless the owner remains ultimately responsible for the security of the asset and should be able to determine that any delegated responsibility has been discharged correctly. It is essential that the areas for which each manager is responsible are clearly stated.