Job or position descriptions for IT staff

Status: Live

The organization will ensure that all job and role descriptions for IT staff are properly maintained and communicated. [UCF ID 00776]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

    AICPA/CICA Privacy Framework, ID 1.2.6
    AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.9, ¶ .20 § 3.12, ¶ .24 § 3.13, ¶ .29 § 3.12
    Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Pg 5
    FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier I Obj 4.1
    FFIEC IT Examination Handbook – Information Security, Pg 7, Pg 72
    FFIEC IT Examination Handbook – Management, Pg 27, Exam Obj 2.1
    FFIEC IT Examination Handbook – Operations, July 2004, Pg 25
    Army Regulation 380-19: Information Systems Security, February 27, 1998, § 3-1.b
    Protection of Assets Manual, ASIS International, Pg 12-II-44, Pg 12-IV-19, Revised Volume 2 Pg 1-IV-7
    ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General, § 6.3
    CobiT 4.1, PO4.6
    The Standard of Good Practice for Information Security, SM1.3.1, SM1.3.6
    ISO 17799:2005 Code of Practice for Information Security Management, § 8.1.1
    ISO/IEC 27002-2005 Code of practice for information security management, § 8.1.1
    OGC ITIL: Security Management, § 4.2.2.2
    Archer Control Table, ATCS-002, ATCS-060, ATCS-787

Sarbanes Oxley Guidance

The organization should establish job descriptions for all personnel who protect the privacy and security of personal information. [ID 1.2.6, AICPA/CICA Privacy Framework]

The organization should have procedures in place to ensure all personnel who are responsible for the development, implementation, design, and operation of the system are qualified in accordance with the job description requirements. [¶ .17 § 3.9, ¶ .20 § 3.12, ¶ .24 § 3.13, ¶ .29 § 3.12, AICPA Suitable Trust Services Principles and Criteria]

Banking and Finance Guidance

Compliance with the Bank Secrecy Act (BSA) should be incorporated into job descriptions. [Pg 5, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]

[Exam Tier I Obj 4.1, FFIEC IT Examination Handbook – Audit, August 2003]

Security job descriptions should describe the processes they are responsible for and a description of the systems they are protecting. Job descriptions should state any additional security responsibilities beyond what is included in the security policies and procedures. [Pg 7, Pg 72, FFIEC IT Examination Handbook – Information Security]

Management should update job descriptions on a routine basis. The job descriptions should include user access rights. [Pg 27, Exam Obj 2.1, FFIEC IT Examination Handbook – Management]

The organization should have clearly defined duties and responsibilities. [Pg 25, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

The DAA should be responsible for ensuring the security requirements are followed; issuing accreditation statements when security safeguards have been approved; ensuring the safeguards are implemented and maintained; ensuring systems are reviewed whenever significant changes are made; assigning personnel to key functions; implementing a security and awareness training program; and preparing a security plan. [§ 3-1.b, Army Regulation 380-19: Information Systems Security, February 27, 1998]

The organization should develop clearly written, well-defined job descriptions for all jobs. Job descriptions should state the degree of trustworthiness required for the position. The information systems security manager should review all job descriptions to identify the sensitivity of each job. [Pg 12-II-44, Pg 12-IV-19, Revised Volume 2 Pg 1-IV-7, Protection of Assets Manual, ASIS International]

Records Management Guidance

[§ 6.3, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General]

ISO Guidance

Job descriptions can be used to document security roles and responsibilities. [§ 8.1.1, ISO 17799:2005 Code of Practice for Information Security Management]

Job descriptions can be used to document security roles and responsibilities. [§ 8.1.1, ISO/IEC 27002-2005 Code of practice for information security management]

ITIL Guidance

[§ 4.2.2.2, OGC ITIL: Security Management]

General Guidance

The organization should ensure that job descriptions delineate both authority and responsibility, include definitions of skills and experience needed in the relevant position, and are suitable for use in performance evaluation. [PO4.6, CobiT 4.1]

All job descriptions should specify the information security responsibilities for the position. All job descriptions should be kept up to date and reviewed by information security personnel. [SM1.3.1, SM1.3.6, The Standard of Good Practice for Information Security]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of security management roles properly assigned [UCF Control ID 01671]
    Report on the percentage of position descriptions that define the information awareness roles for security managers and administrators [UCF Control ID 01685]
    Report on the percentage of position descriptions that define the information awareness roles for IT personnel [UCF Control ID 01686]
    Report on the percentage of position descriptions that define the information awareness roles for general staff and systems users [UCF Control ID 01687]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.