Establish and maintain the staff structure in line with the strategic plan.


CONTROL ID
00764
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Document and communicate role descriptions to all applicable personnel., CC ID: 00776
  • Assign and staff all roles appropriately., CC ID: 00784
  • Implement a staff rotation plan., CC ID: 12772
  • Place Information Technology operations in a position to support the business model., CC ID: 00766
  • Review organizational personnel successes., CC ID: 00767
  • Implement personnel supervisory practices., CC ID: 00773
  • Implement segregation of duties in roles and responsibilities., CC ID: 00774
  • Evaluate the staffing requirements regularly., CC ID: 00775
  • Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff., CC ID: 00779


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Senior management should establish an effective organisation of IT functions to deliver technology services and to provide day-to-day technology support to business units. A clear IT organisation structure and related job descriptions of individual IT functions should be documented and approved by s… (2.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The organization shall arrange and replace personnel, including part-time, temporary, and contracted staff, operating the computer system based on their experience, skills, interview results, security, and efficiency. (O85.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • When reviewing security measures, it is advisable to formulate a staffing plan among user financial institutions or with the shared data center in order to always have available the IT personnel necessary to respond to emergency situations. (C25.2., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Information security organisational structure (Critical components of information security 1) 2) c., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • a robust and transparent organisational structure with clear responsibilities on ICT, including the management body and its committees and that key responsible persons for ICT (e.g. chief information officer 'CIO', chief operating officer 'COO' or equivalent role) have adequate indirect or direct ac… (Title 2 2.3 28.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • In accordance with Title 5 of the EBA SREP Guidelines, competent authorities should assess whether the institution has an appropriate and transparent corporate structure that is 'fit for purpose', and has implemented appropriate governance arrangements. With specific regard to ICT systems and in lin… (Title 2 2.3 28., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Planning and executing a security process includes defining organisational structures (e.g. departments, groups, centres of expertise) as well as roles and duties. There are different options for organising the structure of information security management. In this, staff arrangements depend on the s… (§ 7.2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • When creating the IS organization the creators should specify the human resources required for the roles. (3.4 Bullet 3, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • At this point, it should be clearly emphasised that the central roles shown in these diagrams do not need to be performed by different people. Staffing arrangements should reflect the size of the organisation concerned, the existing resources and the desired level of security. The resources planned … (§ 4.2 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Recognizing that there are many relationships between IT security management processes and other IT management processes is called for. When establishing IT organizational structure, it is important to determine how different groups will relate to one another. § 3.1.1 says that security management… (§ 2.4, § 3.1.1, OGC ITIL: Security Management)
  • Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect. (C1.e ¶ 1, NCSC CAF guidance, 3.1)
  • The Board of Directors should establish a management structure to implement the risk management framework and should include clear lines of responsibility, accountability, and reporting. (¶ 14, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • As is the case with respect to criminal law enforcement authorities, Privacy and Civil Liberties Officers exist at all intelligence agencies. The powers of these officers typically encompass the supervision of procedures to ensure that the respective department/agency is adequately considering priva… (3.2.2 (164), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Firstly, Privacy and Civil Liberties Officers exist within various departments with criminal law enforcement responsibilities. While the specific powers of these officers may vary somewhat depending on the authorising statute, they typically encompass the supervision of procedures to ensure that the… (3.1.2 (108), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • There should be close cooperation between personnel involved with the computer system and the key personnel. (¶ 1, PE 009-8, Guide to Good Manufacturing Practice for Medicinal Products, Annex 11, 15 January 2009)
  • Establish an internal and external IT organisational structure that reflects business needs. In addition, put a process in place for periodically reviewing the IT organisational structure to adjust staffing requirements and sourcing strategies to meet expected business objectives and changing circum… (PO4.5 IT Organisational Structure, CobiT, Version 4.1)
  • Place the IT function in the overall organisational structure with a business model contingent on the importance of IT within the enterprise, specifically its criticality to business strategy and the level of operational dependence on IT. The reporting line of the CIO should be commensurate with the… (PO4.4 Organisational Placement of the IT Function, CobiT, Version 4.1)
  • Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly. (PO6.3 IT Policies Management, CobiT, Version 4.1)
  • Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by identifying, defining, evaluating, prioritising, selecting, initiating, managing and controlling programmes. This should include clarifying desired busine… (PO1.6 IT Portfolio Management, CobiT, Version 4.1)
  • Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases. Recognise that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes … (PO1.1 IT Value Management, CobiT, Version 4.1)
  • The evaluation of personnel security should include the following: detailed background checks; mandatory confidentiality agreements; logs of every employee's access and work; controls for accessing the Internet; password management; user identification and authentication; automatic terminal identifi… (§ 5.2 (Personnel Security), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The human resources department must align the staffing needs with the goals of the overall corporate strategy. (Revised Volume 1 Pg 1-I-5, Protection of Assets Manual, ASIS International)
  • Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Saf… (CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities, CIS Controls, V8)
  • Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party ve… (CIS Control 17: Safeguard 17.1 Designate Personnel to Manage Incident Handling, CIS Controls, V8)
  • The organization shall hire qualified personnel based on the skill deficits identified in the project plans, including outsourced resources. (§ 6.2.4.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • authority matches the level of responsibility, which includes the autonomy to make and fulfil plans to achieve the agreed outcomes within the established parameters; (§ 4.2.2 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the authority matches the level of responsibility associated with the decisions being made; (§ 6.8.3.2.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Delegation should be formalized together with the appropriate assurance processes. Limits of decision-making authority should be applied in response to assessed risk. (§ 4.2.2 ¶ 5, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Decision-making throughout the organization should be supported by appropriate delegation (see 4.2.2). This delegation should be formalized together with appropriate assurance processes. Additionally, the governing body should ensure that: (§ 6.8.3.2.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairne… (§ 6.5.3.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • personnel; (§ 5.1 Guidance ¶ 1(c)(2), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • As an entity changes, the capabilities and value it seeks from enterprise risk management may also change. Enterprise risk management should be tailored to the capabilities of the entity, considering both what the organization is seeking to attain and the way it manages risk. It is natural for the o… (Enterprise Risk Management within the Evolving Entity ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organizational structure provides the framework to plan, execute, control, and monitor the organization's activities. The key areas of authority, responsibility, and lines of reporting should be defined. (Pg 24, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • Reviews the adequacy and allocation of IT resources in terms of funding and personnel. (App A Objective 2:2 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the corporate and IT departmental organization charts to determine whether they show the following: (App A Objective 2:10, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The IT function at a financial institution is influenced by several other functions, which should include the following: - The human resources function should hire and maintain competent and motivated IT staff. - The IT audit function should validate appropriate controls to mitigate IT risk. - The c… (I.B.7 Other Functions, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Ensures that hiring and training practices are governed by appropriate policies to maintain competent and trained staff. (App A Objective 2:8 g., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Evaluate organizational responsibilities to ensure the board and management: ▪ Clearly define and appropriately assign responsibilities; ▪ Appropriately assign security, audit, and quality assurance personnel to technology-related projects; ▪ Establish appropriate segregation-of-duty or compen… (Exam Obj 3.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Human resources should hire staff in support of the organization's requirements and goals. (Pg 12, Exam Obj 2.1, FFIEC IT Examination Handbook - Management)
  • Determine whether management has implemented appropriate human resource management. Assess whether: ▪ The organizational structure is appropriate for the institution's business lines; ▪ Management conducts ongoing background checks for all employees in sensitive areas; ▪ Segregation and rotati… (Exam Tier I Obj 5.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • Develop cyber career field classification structure to include establishing career field entry requirements and other nomenclature such as codes and identifiers. (T0364, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure that cyber career fields are managed in accordance with organizational HR policies and directives. (T0368, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Appoint and guide a team of IT security experts. (T0927, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure that cyber career fields are managed in accordance with organizational HR policies and directives. (T0368, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Appoint and guide a team of IT security experts. (T0927, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop cyber career field classification structure to include establishing career field entry requirements and other nomenclature such as codes and identifiers. (T0364, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)