Status: Live
The organization will establish proper roles and responsibilities for all IT staff. [UCF ID 00768]
Supporting and supported controls
This control directly supports:
- Maintain the IT staff structure in line with strategic goals [UCF Control ID 00764]
There are no supporting controls.
Authority documents complied with:
COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 25, Pg 26; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Background; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 666(a); FFIEC IT Examination Handbook – Information Security, Pg 5, Exam Tier I Obj 7.4; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 3; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 36; Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(a); Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-14.c(1); ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 6.3; ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines, § 2.3.2; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AT-3.1; CobiT 4.1, PO4.6; ISO 17799:2005 Code of Practice for Information Security Management, § 8.1.1; ISO/IEC 27002-2005 Code of practice for information security management, § 8.1.1; OGC ITIL: Security Management, § 4.2.2.2, § 4.2.3.2; State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Rev. 2.0, § 4.5; Archer Control Table, ATCS-005, ATCS-028, ATCS-217, ATCS-218, ATCS-781, ATCS-782, ATCS-787
Sarbanes Oxley Guidance
The organization should assign authority, responsibilities, and reporting relationships to individuals. [Pg 25, Pg 26, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
Banking and Finance Guidance
The organization should have the expertise necessary to identify the risks to the system. [Background, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]
The organization should have an operational risk management function that is independent and is responsible for designing and implementing the risk management framework; developing policies and procedures; developing strategies for identifying, controlling, measuring, and monitoring risks; designing a risk measurement methodology; and designing and implementing a risk reporting system. [¶ 666(a), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
Each individual in the organization should be responsible for his/her actions in regard to information security. [Pg 5, Exam Tier I Obj 7.4, FFIEC IT Examination Handbook – Information Security]
The Board of Directors and senior management should be responsible for overseeing all outsourced relationships. [Pg 3, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]
The organization should ensure the roles and responsibilities are defined for staff members and customers involved in retail payment services. [Pg 36, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]
An employee or employees should be designated to coordinate the information security program. [§ 314.4(a), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]
US Federal Security Guidance
Key duties should be clearly defined. [§ 2-14.c(1), Army Regulation 380-19: Information Systems Security, February 27, 1998]
Records Management Guidance
[§ 6.3, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]
[§ 2.3.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines]
NIST Guidance
Organizational records and documents should be examined to ensure personnel with information security roles and responsibilities have been identified and documented. [AT-3.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
US State Laws and Protectorates Guidance
Only authorized personnel should be allowed to sanitize classified media. [§ 4.5, State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Rev. 2.0]
ISO Guidance
During the pre-employment process, the security roles and responsibilities of the position should be clearly outlined to the candidate. The security roles of employees, contractors, and third parties should include the following requirements: They should read and follow the information security policy; protect assets; report security events; and understand they are responsible for their actions. [§ 8.1.1, ISO 17799:2005 Code of Practice for Information Security Management]
During the pre-employment process, the security roles and responsibilities of the position should be clearly outlined to the candidate. The security roles of employees, contractors, and third parties should include the following requirements: They should read and follow the information security policy; protect assets; report security events; and understand they are responsible for their actions. [§ 8.1.1, ISO/IEC 27002-2005 Code of practice for information security management]
ITIL Guidance
[§ 4.2.2.2, § 4.2.3.2, OGC ITIL: Security Management]
General Guidance
The organization should create role descriptions and update them regularly. These descriptions delineate both authority and responsibility, include definitions of skills and experience needed in the relevant position, and are suitable for use in performance evaluation. Role descriptions should contain the responsibility for internal control. [PO4.6, CobiT 4.1]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of security management roles properly assigned [UCF Control ID 01671]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
