Maintain the IT staff structure in line with strategic goals


The organization will develop, disseminate, and review: 1) a formal process to maintain the IT staff structure in line with strategic goals that address purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the process. [UCF ID 00764]

Supporting and supported controls

This control directly supports:

Human resources management for the IS staff [UCF Control ID 00763]

This control has the following supporting controls:

IT planning, strategy, and steering committees [UCF Control ID 00765]
Organizational Placement of the IT Function [UCF Control ID 00766]
Review of organizational achievements [UCF Control ID 00767]
Roles and responsibilities of the IT organization in particular [UCF Control ID 00768]
Responsibility for Quality Assurance [UCF Control ID 00769]
Assign responsibility for logical and physical security [UCF Control ID 00770]
Data and system ownership [UCF Control ID 00772]
Implement supervisory practices [UCF Control ID 00773]
Separation of Duties [UCF Control ID 00774]
Evaluate IT staffing requirements [UCF Control ID 00775]
Job or position descriptions for IT staff [UCF Control ID 00776]
Key IT personnel [UCF Control ID 00777]
Contracted staff policies and procedures [UCF Control ID 00778]
Establish relationships with key stakeholders, business functions, and leadership outside the IT group [UCF Control ID 00779]

Authority documents complied with:

BIS Sound Practices for the Management and Supervision of Operational Risk 14; FFIEC IT Examination Handbook – Development and Acquisition Exam Obj 3.1; FFIEC IT Examination Handbook – Management Pg 12, Exam Obj 2.1; FFIEC IT Examination Handbook – Operations Exam Tier I Obj 5.3; CobiT 4.1 PO4.5; ISO 17799:2000, Code of Practice for Information Security Management § 4; ISO 27001:2005, Information Security Management Systems - Requirements § A.8.2.1; OGC ITIL: Security Management 2.4, 3.1.1; COSO Enterprise Risk Management (ERM) Framework Pg 24

Sarbanes Oxley Guidance

Pg 24 of COSO Enterprise Risk Management (ERM) Framework states that the organizational structure provides the framework to plan, execute, control, and monitor the organization's activities. The key areas of authority, responsibility, and lines of reporting should be defined.

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Management Pg 12, Exam Obj 2.1 states that human resources should hire staff in support of the organization's requirements and goals.

NASD and NYSE Guidance

Rules 3520 (NASD) and 446(g) (NYSE) require that the business continuity plan define emergency contact personnel roles in the event of a significant business disruption. These personnel must be a registered principal and member of senior management. Rule 3520 calls for a minimum of two such personnel.

US Federal Security Guidance

Government standards and regulations do not address most aspects of IT organizational structure except for when referring to use of IT or acquisition of IT solutions. The OMB Circular A-130 requires owners of information systems be held accountable and also calls on the Office of Personnel Management to periodically evaluate information resource staffing needs. NIST and FISCAM address the requirement of organizations to identify and define critical personnel needed for disaster recovery. The National Strategy to Secure Cyberspace, FISCAM and the GAO Financial Audit Manual mention segregation of duties, and FISCAM specifically addresses roles and responsibilities and ownership of systems as auditor concerns.

FIPS Publication 191 § 3.2 suggests an organizational structure for managing LAN security. It offers five points to cover. The first is LAN Management, which is responsible for conducting risk assessments and providing proper LAN configurations, including hardware, software, data, and functionality mapping. The second point in the structure offered is Organizational Management. This group is responsible for supporting LAN security policies by providing funds to implement security services and achieve compliance with policy goals. This group will also assess long-term consequences to the organization if a threat is realized. The next group is Security Personnel, which ensures that security policies are developed and adhered to. Data and Application Owners are the next group. These people are responsible for ensuring that data and applications are appropriately protected and available to users. Finally, LAN users themselves are responsible for providing accurate information about their applications, data, and LAN usage.

Records Management Guidance

Insofar as records management is considered a facet of information technology, ISO 15489-1 and 15489-2 call for senior management to define records roles and responsibilities. ISO 15489-1 also requires that roles and responsibilities be defined in job descriptions.

International Standards Organization Guidance

ISO 17799 addresses various elements of organizational structure, though mostly with respect to information security and risk management.

The ISO 27001:2005 Information Security Management Systems - Requirements § A.8.2.1 states that the organization's management should require that all employees and contractors follow the information security policies and procedures in their daily tasks.

IT Infrastructure Library Guidance

ITIL Best Practice for Security Management § 2.4 calls for recognizing that there are many relationships between IT security management processes and other IT management processes. When establishing IT organizational structure, it is important to determine how different groups will relate to one another. 3.1.1 says that security management should have clear goals. The first goal is to meet external security requirements. These come from various SLAs. The second goal is to meet internal security requirements, which are necessary for an organization’s own security and continuity.

4.2.1.2 talks about ensuring that all of an organization’s important assets are assigned to a specific group or person so that they may be accounted for. 4.2.1 echoes this.

4.2.3.2 calls for organizing roles within an organization so that there is segregation of duties. Tasks should be shared among more than one person. This reduces the possibility of security incidents due to human error, and reduces the possibility of misuse or fraud.

4.2.2.2 suggests creating job descriptions that include security roles and responsibilities for each staff member.

3.5 requires organizations to think about the relationship between proper security and management. It shows a triangular chart, point down. This chart places incident control/help desk at the base (up top), followed by problem management and finally, change management. Another way to think of these areas is discovery of a problem, handling a problem and finally, modifying systems so that they won’t be susceptible to that problem in the future.

European Union Guidance

The OECD Risk Checklist addresses various elements of organizational structure, though mostly with respect to information security and risk management. CobiT is the only general standard that addresses all the above objectives in their entirety.