Human resources management for the IS staff

Status: Live

The organization will develop, disseminate, and review: 1) a formal human resources management policy that addresses purpose, scope, RACI info, and compliance; and 2) formal standards and procedures to facilitate implementing the policy. [UCF ID 00763]

Supporting and supported controls

This is a top level control.

This control has the following supporting controls:

Authority documents complied with:

Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Obj 6 (Personnel); FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj E.1; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 8.8, Exam Tier I Obj 8.9; FFIEC IT Examination Handbook – Management, Pg 12; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 5.3; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Exam Tier I Obj 2.4; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Exam Tier I Obj 2.4; Protection of Assets Manual, ASIS International, Pg 12-II-38, Pg 23-VI-4; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, § 5.6.11, Exhibit 4 PS-1; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PS-1; The Standard of Good Practice for Information Security, CB1.1.4, CB1.2.4, CB1.3.4, SD3.2.5, SD3.3.5, SD3.4.5; OMB Circular A-123 Management’s Responsibility for Internal Control, § II.A; Archer Control Table, ATCS-509, ATCS-789

Sarbanes Oxley Guidance

The organization should provide an organizational structure and culture that is defined by management. [§ II.A, OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

[Obj 6 (Personnel), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]

[Exam Tier II Obj E.1, FFIEC IT Examination Handbook – Audit, August 2003]

[Exam Tier I Obj 8.8, Exam Tier I Obj 8.9, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

Human resources should be responsible for hiring and maintaining a competent staff. [Pg 12, FFIEC IT Examination Handbook – Management]

[Exam Tier I Obj 5.3, FFIEC IT Examination Handbook – Operations, July 2004]

[Exam Tier I Obj 2.4, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

[Exam Tier I Obj 2.4, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

US Federal Security Guidance

The Human Resources Director should be responsible for developing employee conduct guidelines; cooperate with the examination of current and past employees' records during investigations; conduct security awareness training for all employees; and screen potential employees. Human resources should ensure employees traveling internationally are covered by the appropriate insurance and should ensure their medical information and personal profiles are up to date. [Pg 12-II-38, Pg 23-VI-4, Protection of Assets Manual, ASIS International]

US Internal Revenue Guidance

The organization must develop, document, distribute, and continuously update a personnel security policy and procedures for implementing personnel security controls. [§ 5.6.11, Exhibit 4 PS-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]

NIST Guidance

Organizational records and documents should be examined to ensure the personnel security policy and procedures are documented, disseminated, reviewed, and updated, and that specific responsibilities and actions are defined for the implementation of the personnel security policy and procedures control. Any problems discovered during the implementation of the personnel security policy and procedures control should be documented and used to improve the controls. The personnel security policy and procedures should be examined for purpose, scope, responsibilities, and compliance with laws, regulations, and directives, and should be examined for consistency with the organization's mission and function. Interviews should be conducted with personnel who review and update the personnel security policy and procedures. [PS-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

General Guidance

The employee-related impact of the loss of availability, the disclosure of confidential information, and/or the accidental or deliberate manipulation of data should be analyzed for the organization in terms of decreased morale, decreased productivity, injury, and death. [CB1.1.4, CB1.2.4, CB1.3.4, SD3.2.5, SD3.3.5, SD3.4.5, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.