Maintain the IT staff structure in line with strategic goals

Status: Live

The organization will develop, disseminate, and review: 1) a formal process to maintain the IT staff structure in line with strategic goals that address purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the process. [UCF ID 00764]

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

Authority documents complied with:

COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 24; FFIEC IT Examination Handbook – Development and Acquisition, Exam Obj 3.1; FFIEC IT Examination Handbook – Management, Pg 12, Exam Obj 2.1; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 5.3; Protection of Assets Manual, ASIS International, Revised Volume 1 Pg 1-I-5; CobiT 4.1, PO4.5; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.8.2.1; OGC ITIL: Security Management, § 2.4, § 3.1.1; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 14; Archer Control Table, ATCS-007

Sarbanes Oxley Guidance

The organizational structure provides the framework to plan, execute, control, and monitor the organization's activities. The key areas of authority, responsibility, and lines of reporting should be defined. [Pg 24, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]

Banking and Finance Guidance

[Exam Obj 3.1, FFIEC IT Examination Handbook – Development and Acquisition]

Human resources should hire staff in support of the organization's requirements and goals. [Pg 12, Exam Obj 2.1, FFIEC IT Examination Handbook – Management]

[Exam Tier I Obj 5.3, FFIEC IT Examination Handbook – Operations, July 2004]

The Board of Directors should establish a management structure to implement the risk management framework and should include clear lines of responsibility, accountability, and reporting. [¶ 14, BIS Sound Practices for the Management and Supervision of Operational Risk]

US Federal Security Guidance

The human resources department must align the staffing needs with the goals of the overall corporate strategy. [Revised Volume 1 Pg 1-I-5, Protection of Assets Manual, ASIS International]

ISO Guidance

The organization's management should require that all employees and contractors follow the information security policies and procedures in their daily tasks. [Annex A.8.2.1, ISO 27001:2005, Information Security Management Systems - Requirements]

ITIL Guidance

Section 2.4 calls for recognizing the many relationships between IT security management processes and other IT management processes. When establishing the IT organizational structure, it is important to determine how the different groups will relate to one another.
Section 3.1.1 says that security management should have clear goals. The first goal is to meet external security requirements, which come from the various SLAs. The second goal is to meet internal security requirements, which are necessary for the organization's own security and continuity.
[§ 2.4, § 3.1.1, OGC ITIL: Security Management]

General Guidance

Internal and external IT organizational structures should be established. These structures should reflect business needs and be regularly reviewed to ensure they adequately meet staffing requirements and offer sourcing strategies.
The creation of an IT strategy committee at the board level is called for. This committee ensures that IT governance is appropriately addressed as part of corporate governance.
An organization is required to establish an IT steering committee composed of executive, business, and IT management. The committee prioritizes IT-enabled investment programs according to their importance to the organization's business requirements, tracks the status of projects, resolves resource conflicts, and monitors service levels and service improvements.
The IT function within an organization should be placed in the overall organizational structure in such a way that it reflects business needs. The IT function’s organizational placement should be periodically reviewed to ensure it is appropriate.
Roles and responsibilities should be defined for all staff members and communicated to them. Responsibilities in relation to information systems access rights should be accounted for as should skills required of each staff member for accomplishing their assigned tasks.
Responsibility for performance of the quality assurance function should be assigned. The group assigned to quality assurance tasks should be large enough to handle the requirements of the organization.
Ownership of and responsibility for IT-related risks should be embedded within the organization at an appropriate senior level. Critical roles for managing IT risks should be defined and assigned.
Procedures for granting, limiting and revoking access to facilities should be defined and implemented according to business needs including emergencies.
Defining an IT process framework to execute the strategic IT plan is called for. This framework covers relationships and process structure alongside goals to achieve. The framework should be integrated with quality management.
Procedures and tools enabling IT to address responsibilities for ownership of data and information systems should be provided.
Supervisory practices should be implemented in the IT function to ensure that roles and responsibilities are properly exercised.
A segregation of duties to reduce the ability of a single individual to subvert a critical process is required.
Staffing requirements should be evaluated on a regular basis and upon major changes to business, operational or IT environments.
Defining and identifying key staff members in an organization, then minimizing over-reliance on them, is recommended. Plans for contacting them in an emergency should be provided as well.
Defining and implementing policies and procedures that control the activities of consultants and other contract employees hired by the IT function is suggested. This ensures the protection of the organization’s assets.
Establishing and maintaining coordination, communication and liaison structures between the IT function and other groups both within the organization and externally is called for.
[PO4.5, CobiT 4.1]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.