The management of a company always needs to take a position on data security before security measures can be introduced. It is the management that lays down guidelines for the security level. In most cases, the IT manager submits a recommendation based on his assessment of the risks. This can be a difficult job. The system or network administrator has a duty to inform his superiors if the measures relating to data security can be considered inadequate. Operating personnel alone do not have much scope for implementing data security in a company. The guidelines must come from management!