Establish the proper roles and responsibilities for the IT organization.

UCF ID: 00768
Control Type: Establish Roles
Status: Live

Supporting and supported controls

This control directly supports:

    Establish and maintain the IT staff structure in line with strategic goals. [UCF Control ID 00764]

There are no supporting controls.

Authority documents complied with:

COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 25, Pg 26; ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004, Background; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 666(a); FFIEC IT Examination Handbook – Information Security, Pg 5, Exam Tier I Obj 7.4; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Pg 3; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 36; Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002, § 314.4(a); Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-14.c(1); ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 6.3; ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines, § 2.3.2; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AT-3.1; CobiT, Version 4.1, PO4.6; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 8.1.1; ISO/IEC 27002 Code of practice for information security management, 2005, § 8.1.1; OGC ITIL: Security Management, § 4.2.2.2, § 4.2.3.2; State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Rev. 2.0, § 4.5; DoD Instruction 8500.2 Information Assurance (IA) Implementation, DCSD-1; ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004, § 5.1.3

Sarbanes Oxley Guidance

The organization should assign authority, responsibilities, and reporting relationships to individuals. [Pg 25, Pg 26, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]

Banking and Finance Guidance

The organization should have the expertise necessary to identify the risks to the system. [Background, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004]

The organization should have an operational risk management function that is independent and is responsible for designing and implementing the risk management framework; developing policies and procedures; developing strategies for identifying, controlling, measuring, and monitoring risks; designing a risk measurement methodology; and designing and implementing a risk reporting system. [¶ 666(a), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

Each individual in the organization should be responsible for his/her actions in regard to information security. [Pg 5, Exam Tier I Obj 7.4, FFIEC IT Examination Handbook – Information Security]

The Board of Directors and senior management should be responsible for overseeing all outsourced relationships. [Pg 3, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

The organization should ensure the roles and responsibilities are defined for staff members and customers involved in retail payment services. [Pg 36, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

An employee or employees should be designated to coordinate the information security program. [§ 314.4(a), Standards for Safeguarding Customer Information; Final Rule, FTC 16 CFR 314, May 2002]

US Federal Security Guidance

Key duties should be clearly defined. [§ 2-14.c(1), Army Regulation 380-19: Information Systems Security, February 27, 1998]

Have you examined the Position designation documents to ensure that the DAA has been formally designated? [DCSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Position designation documents to ensure that the Information Assurance Manager/Information Assurance Officer has been formally designated? [DCSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Have you examined the Position designation documents to ensure that they include all responsibilities? [DCSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation]

Records Management Guidance

[§ 6.3, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]

[§ 2.3.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines]

NIST Guidance

Organizational records and documents should be examined to ensure personnel with information security roles and responsibilities have been identified and documented. [AT-3.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]

US State Laws and Protectorates Guidance

Only authorized personnel should be allowed to sanitize classified media. [§ 4.5, State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Rev. 2.0]

ISO Guidance

During the pre-employment process, the security roles and responsibilities of the position should be clearly outlined to the candidate. The security roles of employees, contractors, and third parties should include the following requirements: They should read and follow the information security policy; protect assets; report security events; and understand they are responsible for their actions. [§ 8.1.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]

During the pre-employment process, the security roles and responsibilities of the position should be clearly outlined to the candidate. The security roles of employees, contractors, and third parties should include the following requirements: They should read and follow the information security policy; protect assets; report security events; and understand they are responsible for their actions. [§ 8.1.1, ISO/IEC 27002 Code of practice for information security management, 2005]

Corporate ICT security officer. An organization should assign responsibility for ICT security to a specific individual. The corporate ICT security officer should act as the focus for all ICT security aspects within the organization; however, the corporate ICT security officer may delegate some aspects of the role. There may be a suitable person who can take on the additional responsibilities of the corporate ICT security officer, although, in medium and large organizations, it is recommended that a dedicated post be established. In large organizations, there may be a network of ICT security officers for business units, departments, etc. It is preferable to select people with background in security and ICT as corporate ICT security officer and departmental/business unit ICT security officers. The role of a corporate ICT security officer includes:
oversight of the implementation of the ICT security program,
liaison with and reporting to the ICT security forum and the corporate security officer,
issuing and maintaining the corporate ICT security policy and directives,
coordinating incident investigations,
managing the corporate-wide security awareness program,
setting ICT security objectives and criteria derived from policies,
reviewing, auditing and monitoring the effectiveness of security controls, and
reviewing, auditing or monitoring adherence to ICT security procedures throughout the organization.
Roles can be segregated, given the organization’s size, complexity of security systems, and other relevant variables.
ICT security project officer. Individual projects or systems should have someone responsible for security, sometimes called the ICT security project officer. In some cases, this may not be a full-time role. The functional management of these officers should be the responsibility of the corporate ICT security officer.
The ICT security project officer acts as the focal point for all security aspects of a project, a system, or a group of systems. The role of an ICT security project officer includes:
liaison with and reporting to the corporate ICT security officer,
developing and implementing the security plan for the project,
day-to-day monitoring of implementation and use of the ICT safeguards, and
initiating and assisting in incident investigations.
ICT security administrator. In medium and large organizations there is a role for delegated administration. This would include the following: executing and applying ICT security procedures; administering system and network security; upgrading specific security programs, e.g., virus tools, software versions, software patches and fixes; and administering specific security controls, e.g., backups, access control lists, etc.
Security administrators must have the appropriate training to administer the specific activities and tools.
[§ 5.1.3, ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004]

ITIL Guidance

[§ 4.2.2.2, § 4.2.3.2, OGC ITIL: Security Management]

General Guidance

The organization should create role descriptions and update them regularly. These descriptions delineate both authority and responsibility, include definitions of skills and experience needed in the relevant position, and are suitable for use in performance evaluation. Role descriptions should contain the responsibility for internal control. [PO4.6, CobiT, Version 4.1]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of security management roles that have been assigned. [UCF Control ID 01671]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.