UCF ID: 00770 |
Control Type: Establish Roles |
Status: Live |
Supporting and supported controls
This control directly supports:
- Establish and maintain the IT staff structure in line with strategic goals. [UCF Control ID 00764]
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Management, Pg 9; FFIEC IT Examination Handbook – Operations, July 2004, Pg 5; Protection of Assets Manual, ASIS International, Pg 1-I-A2; CobiT, Version 4.1, PO4.8, DS12.3
Banking and Finance Guidance
The organization should ensure a risk management function is assigned for measuring, monitoring, and controlling risk. The risk management function should oversee information security, continuity planning, auditing, and compliance. [Pg 9, FFIEC IT Examination Handbook – Management]
Operations management personnel should be responsible for the physical and logical security of the organization. [Pg 5, FFIEC IT Examination Handbook – Operations, July 2004]
General Guidance
The organization should ensure that specific individuals have been assigned the responsibility of locking all exterior doors and storage areas at the end of the business day. [Pg 1-I-A2, Protection of Assets Manual, ASIS International]
The organization should embed ownership of and responsibility for IT-related risks within the business at an appropriately senior level. Define and assign the roles critical for managing IT risks, including specific responsibility for information security, physical security, and compliance. Establish risk and security management responsibility at the organization-wide level to deal with organization-wide issues. Additional security management responsibilities may need to be assigned at a system-specific level to deal with system-specific security issues. Obtain direction from senior management on the appetite for IT risk and approval of any residual IT risks.
The organization should define and implement procedures to grant, limit, and revoke access to premises, buildings, and areas according to business needs, including during emergencies. Access to premises, buildings, and areas should be justified, authorized, logged, and monitored. This applies to all persons entering the premises, including staff, temporary staff, clients, vendors, visitors, and any other third party. [PO4.8, DS12.3, CobiT, Version 4.1]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
