The organization will ensure that all job and role descriptions for IT staff are properly maintained and communicated. [UCF ID 00776]
Supporting and supported controls
This control directly supports:
• Maintain the IT staff structure in line with strategic goals [UCF Control ID 00764]
This control has the following supporting controls:
There are no supporting controls.
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security Pg 7, Pg 72; FFIEC IT Examination Handbook – Audit Exam Tier I Obj 4.1; FFIEC IT Examination Handbook – Management Pg 27, Exam Obj 2.1; FFIEC IT Examination Handbook – Operations Pg 25; Bank Secrecy Act (aka Currency and Foreign Transaction Reporting Act) Pg 5; CobiT 4.1 PO4.6; The Standard of Good Practice for Information Security SM1.3.1, SM1.3.6; ISO 17799:2005 Code of Practice for Information Security Management § 8.1.1; ISO/IEC 27002-2005 Code of practice for information security management § 8.1.1; OGC ITIL: Security Management 4.2.2.2; ISO 15489-1, Information and Documentation: Records management: General § 6.3; AICPA/CICA Privacy Framework § 1.2.6; AICPA Suitable Trust Services Criteria ¶ .17 § 3.9, ¶ .20 § 3.12, ¶ .24 § 3.13, ¶ .29 § 3.12
Sarbanes-Oxley Guidance
§ 1.2.6 of AICPA/CICA Privacy Framework states that the organization should establish job descriptions for all personnel who protect the privacy and security of personal information.
¶ .17 § 3.9, ¶ .20 § 3.12, ¶ .24 § 3.13, ¶ .29 § 3.12 of AICPA Suitable Trust Services Criteria state that the organization should have procedures in place to ensure all personnel who are responsible for the development, implementation, design, and operation of the system are qualified in accordance with the job description requirements.
Banking and Finance Guidance
The FFIEC IT Examination Handbook – Management Pg 27, Exam Obj 2.1 states that management should update job descriptions on a routine basis. The job descriptions should include user access rights.
International Standards Organization Guidance
The ISO/IEC 27002-2005 Code of practice for information security management § 8.1.1 states that job descriptions can be used to document security roles and responsibilities.
The ISO 17799:2005 Code of Practice for Information Security Management § 8.1.1 states that job descriptions can be used to document security roles and responsibilities.
Metrics
The metrics associated with this control are as follows:
• Metric Reporting Standard 01671.doc
• Metric Reporting Standard 01685.doc
• Metric Reporting Standard 01686.doc
• Metric Reporting Standard 01687.doc
