Human resources management for the IS staff

UCF ID: 00763
Control Type: IT Impact Zone
Status: Live

Supporting and supported controls

This is a top level control.

This control has the following supporting controls:

Authority documents complied with:

FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj E.1; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 8.8, Exam Tier I Obj 8.9; FFIEC IT Examination Handbook – Management, Pg 12; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 5.3; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier I Obj 2.4; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier I Obj 2.4; Protection of Assets Manual, ASIS International, Pg 12-II-38, Pg 23-VI-4; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.11, Exhibit 4 PS-1; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PS-1; The Standard of Good Practice for Information Security, CB1.1.4, CB1.2.4, CB1.3.4, SD3.2.5, SD3.3.5, SD3.4.5; OMB Circular A-123 Management’s Responsibility for Internal Control, § II.A; PAS 77 IT Service Continuity Management. Code of Practice, 2006, § 5.6 ¶ 2(h); ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 13.2, ¶ 13.2.1

Sarbanes Oxley Guidance

The organization should provide an organizational structure and culture that is defined by management. [§ II.A, OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

[Exam Tier II Obj E.1, FFIEC IT Examination Handbook – Audit, August 2003]

[Exam Tier I Obj 8.8, Exam Tier I Obj 8.9, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

Human resources should be responsible for hiring and maintaining a competent staff. [Pg 12, FFIEC IT Examination Handbook – Management]

[Exam Tier I Obj 5.3, FFIEC IT Examination Handbook – Operations, July 2004]

[Exam Tier I Obj 2.4, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[Exam Tier I Obj 2.4, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

US Internal Revenue Guidance

The organization must develop, document, distribute, and continuously update a personnel security policy and procedures for implementing personnel security controls. [§ 5.6.11, Exhibit 4 PS-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

Organizational records and documents should be examined to ensure the personnel security policy and procedures are documented, disseminated, reviewed, and updated and that specific responsibilities and actions are defined for the implementation of the personnel security policy and procedures control. Any problems discovered during the implementation of the personnel security policy and procedures control should be documented and used to improve the controls. The personnel security policy and procedures should be examined for purpose, scope, responsibilities, and compliance with laws, regulations, and directives, and it should be examined for consistency with the organization's mission and function.
Interviews should be conducted with personnel who review and update the personnel security policy and procedures.
[PS-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

ISO Guidance

¶ 13.2 Secure Service Management should be implemented for network security.
¶ 13.2.1 Introduction to Secure Service Management. A key security requirement for any network is that it is supported by secure service management activities, which will initiate and control the implementation, and operation, of security. These activities should take place to ensure the security of all of an organization's IT. With regard to network connections, management activities should include:
• definition of all responsibilities related to the security of network connections, and designation of a security manager with overall responsibility,
• documented system security policy, and accompanying documented technical security architecture,
• documented security operating procedures (SecOPs),
• the conduct of security compliance checking, to ensure security is maintained at the required level,
• documented security conditions for connection to be adhered to before connection to an organization or community is permitted,
• documented security conditions for users of network services,
• a security incident handling scheme,
• documented and tested business continuity/disaster recovery plans.
[¶ 13.2, ¶ 13.2.1, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]

General Guidance

The Human Resources Director should be responsible for developing employee conduct guidelines, cooperating with the examination of current and past employees' records during investigations, conducting security awareness training for all employees, and screening potential employees. Human resources should ensure employees traveling internationally are covered by the appropriate insurance and should ensure their medical information and personal profiles are up to date. [Pg 12-II-38, Pg 23-VI-4, Protection of Assets Manual, ASIS International]

The employee-related impact of the loss of availability, the disclosure of confidential information, and/or the accidental or deliberate manipulation of data should be analyzed for the organization in terms of decreased morale, decreased productivity, injury, and death. [CB1.1.4, CB1.2.4, CB1.3.4, SD3.2.5, SD3.3.5, SD3.4.5, The Standard of Good Practice for Information Security]

UK and Canadian Guidance

A key factor for ensuring the Information Technology Service Continuity (ITSC) strategy and plans remain appropriate as the organization and its environment change is to remunerate staff against service levels, which helps ensure awareness reaches all levels of the organization. [§ 5.6 ¶ 2(h), PAS 77 IT Service Continuity Management. Code of Practice, 2006]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.