UCF ID: 00777
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
• Establish and maintain the IT staff structure in line with strategic goals. [UCF Control ID 00764]
This control has the following supporting controls:
• Define the responsibilities of the Data Controller. [UCF Control ID 00354]
• Define the responsibilities of the IT operations staff. [UCF Control ID 00682]
• Define the responsibilities of the CIO/CTO. [UCF Control ID 01180]
• Define the responsibilities of the Data Trustee. [UCF Control ID 04789]
• Define the responsibilities of the Data Steward. [UCF Control ID 04795]
• Define the responsibilities of the Fire Protection management role. [UCF Control ID 04891]
• Define the responsibilities of the service continuity management role. [UCF Control ID 04894]
• Define the responsibilities of the continuity recovery team. [UCF Control ID 04895]
Authority documents complied with:
COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 94; AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.18; FFIEC IT Examination Handbook – Management, Exam Obj 1.3, Exam Obj 2.1, Pg 5, Exam Obj 4.4; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 1.3, Exam Tier I Obj 6.7; NASD Manual, April 2007, R 3520; North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards, CIP-003-1 R2 thru CIP-003-1 R2.2; Protection of Assets Manual, ASIS International, Revised Volume 1 Pg 2-I-26; GAO/PCIE Financial Audit Manual (FAM), § 260.42, § 260.43, § 260.43.b, § 295.04; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-14.c(2); Federal Information System Controls Audit Manual (FISCAM), February 2009, SC-1.2; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.6.2; CobiT, Version 4.1, PO4.13; The Standard of Good Practice for Information Security, SM2.1.1, CB2.1.5(a), CI1.1.3(c), NW1.1.3(c), UE1.1.5(a), SD1.1.5; OECD Principles of Corporate Governance, 2004, § VI.D; German Corporate Governance Code ("The Code"), June 6, 2008, ¶ 3.4; The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ III.4.1, ¶ III.4.2; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 28; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 34; Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data, Art 40(6) thru Art 40(9); Sweden Personal Data Act (1998:204), § 38, § 40; Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 26; ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004, § 5.1.1; ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998, ¶ 7.2
Sarbanes Oxley Guidance
Senior managers should be responsible for managing the risks of their units. They should assess and identify risks and develop risk responses. [Pg 94, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
The organization should document all personnel at each site, including data processing sites and software development sites. [Pg 34, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
Members of the IT steering committee should have the authority to make decisions for their departments. [Exam Obj 1.3, Exam Obj 2.1, Pg 5, Exam Obj 4.4, FFIEC IT Examination Handbook – Management]
[Exam Tier I Obj 1.3, Exam Tier I Obj 6.7, FFIEC IT Examination Handbook – Information Security]
NASD NYSE Guidance
[R 3520, NASD Manual, April 2007]
Energy Guidance
The senior manager shall be identified by name, title, business phone, business address, and date of designation. Changes to the senior manager must be documented within thirty calendar days of the effective date. The senior manager or delegate(s) shall authorize and document any exception from the requirements of the cyber security policy. [CIP-003-1 R2 thru CIP-003-1 R2.2, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards]
US Federal Security Guidance
¶ 260.42 discusses how control environment risk factors are dictated by management’s attitude, philosophy, and operating style.
Management’s philosophy and operating style encompass a broad range of beliefs, concepts, and attitudes. Such characteristics may include management's approach to taking and monitoring operational/program risks, attitudes and actions toward financial reporting, emphasis on meeting financial and operating goals, and management's attitude toward information processing, accounting, and personnel. ¶ 260.43.b also suggests that the organizational structure provides the overall framework for planning, directing, and controlling operations. The organizational structure should appropriately assign authority and responsibility within the entity. It goes on to state that organizational structure includes the form and nature of an entity's organizational units, including the data processing organization, and related management functions and reporting relationships.
¶ 295.04 lists the potential control environment, risk assessment, communication, and monitoring weaknesses that are directly attributable to management’s philosophy and operating style:
• Management lacks concern about internal control and the environment in which specific controls function. Management demonstrates an aggressive approach to risk-taking.
• Management demonstrates an aggressive approach to accounting policies.
• Management has a history of completing significant or unusual transactions near the year's end, including transactions with related parties.
• Management makes numerous adjusting journal entries, especially at year-end.
• Management is reluctant to (1) consult auditors/consultants on accounting issues, (2) adjust the financial statements for misstatements, or (3) make appropriate disclosures.
• Management displays a significant disregard for regulatory, legal, or oversight requirements or for IG, GAO, or Congressional authorities.
• Top-level management lacks the financial experience/background necessary for the positions held.
• Management is slow to respond to crisis situations in both operating and financial areas.
• Management uses unreliable and inaccurate information to make business decisions.
• Unexpected reorganization or replacement of management staff or consultants occurs frequently.
• Management and personnel in key areas (such as accounting, IS, IG, and internal auditing) have a high turnover.
• Individual members of top management are unusually closely identified with specific major projects.
• Overly optimistic information on performance of programs and activities is disclosed.
• Financial estimates consistently prove to be significantly overstated or understated.
• Obtaining adequate audit evidence is difficult due to a lack of documentation and evasive or unreasonable responses to inquiries.
• Financial arrangements/transactions are unduly complex.
• Lack of interaction of adequate frequency between senior management and operating management, particularly with geographically removed locations.
• Management attitude toward IS and accounting functions is that these are necessary "bean counting" functions rather than a vehicle for exercising control over the entity's activities.
• Management is motivated to engage in fraudulent financial reporting resulting from substantial political pressure creating an undue concern about reporting positive financial accomplishments.
• Management is dominated, either entity-wide or at a specific component, by a single person or small group without compensating controls such as effective oversight by the IG, GAO, Congressional committees, or other oversight body.
• One or more individuals with no apparent executive position(s) with the entity appear to exercise substantial influence over its affairs or over individual departments or programs (for example, a major political donor or fundraiser).
• Management has significant grantee, cooperative agreement, or contractor relationships for which there appears to be no clear programmatic or governmental justification.
• Management appears more concerned with an unqualified opinion on the financial statements rather than with fixing significant weaknesses in its systems.
• Management has difficulty meeting reporting deadlines.
The inherent problems with organizational structure include:
• The organizational structure is inappropriate for the entity’s size and complexity. General types of organizational structures include federal centralized (managed and controlled on a day-to-day basis by a centralized federal entity system), federal decentralized (managed and controlled on a day-to-day basis by federal entity field offices or staffs), participant administered (managed and controlled on a day-to-day basis by a nonfederal organization), and other (managed and controlled on a day-to-day basis by some combination of the above or by other means).
• The structure inhibits segregation of duties for initiating transactions, recording transactions, and maintaining custody over assets.
• It is difficult to determine the organization or individual(s) that control(s) the entity, parts of the entity, or particular programs.
• Recent changes in the management structure disrupt the organization.
• Operational responsibilities do not coincide with the divisional structure.
• Delegation of responsibility and authority is inappropriate.
• A lack of definition and understanding of delegated authority and responsibility exists at all levels of the organization.
• Inexperienced and/or incompetent accounting personnel are responsible for transaction processing.
• The number of supervisors is inadequate or supervisors are inaccessible.
• Key financial staff have excessive workloads.
• Policies and procedures are established at inappropriate levels.
• A high degree of manual activity is required in capturing, processing, and summarizing data.
• Activities are dominated and controlled by a single person or a small group.
• The potential exists for entity officials to obtain financial or other benefits on the basis of decisions made or actions taken in an official capacity. [§ 260.42, § 260.43, § 260.43.b, § 295.04, GAO/PCIE Financial Audit Manual (FAM)]
The Information System Security Officer should not be responsible for keeping the system operational. [§ 2-14.c(2), Army Regulation 380-19: Information Systems Security, February 27, 1998]
[SC-1.2, Federal Information System Controls Audit Manual (FISCAM), February 2009]
At least one key senior manager should have the knowledge and skills to evaluate critically the design, operation and oversight of technology projects. [¶ 26, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]
NIST Guidance
[§ 3.6.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
ISO Guidance
Organizational roles, accountabilities and responsibilities. Management should be responsible for all aspects of security management, including risk-management decision-making. Several factors, such as the nature, form of incorporation, size and structure of an organization, will determine the level at which the responsibilities will be assigned. ICT security is an interdisciplinary topic, relevant to every ICT project and system and to all ICT users within an organization. Appropriate assignment and demarcation of accountability and of specific roles and responsibilities should ensure that all important tasks are accomplished and that they are performed in an effective and efficient way. For small organizations, management may fill security roles, or other staff may carry out two or more security roles. In such cases, independent review is important to avoid conflict of interest and to ensure appropriate separation of roles.
The following roles need to be covered in every organization: an ICT security forum, which typically resolves the interdisciplinary issues, advises on and recommends strategy, and approves policies and procedures; and the corporate ICT security officer, who acts as the focus for all ICT security aspects within an organization.
Both the ICT security forum and the corporate ICT security officer should have well defined and unambiguous duties, and be sufficiently senior to ensure commitment to the corporate ICT security policy. The organization should provide clear lines of communication, responsibility, and authority for the corporate ICT security officer, and the duties should be approved by the ICT security forum. The conduct of these duties may be supplemented by the use of external consultants. [§ 5.1.1, ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004]
Corporate IT Security Policy. To ensure adequate support for all security related measures, the corporate IT security policy should be approved by top management.
Based on the corporate IT security policy, a directive should be written, which is binding for all managers and employees. This may require the signature of each employee on a document which acknowledges his/her responsibility for security within the organization. Furthermore, a program for security awareness and training should be developed and implemented to communicate these aspects.
An individual should be designated to be responsible for the corporate IT security policy, and for ensuring that this policy reflects the requirements and the actual status of the organization. This person would typically be the corporate IT security officer, who among other things should be responsible for the follow-up activities. This includes security compliance check reviews, the handling of incidents and security weaknesses, and any changes to the corporate IT security policy which might be necessary according to the results of those actions. [¶ 7.2, ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998]
General Guidance
[¶ .20 § 3.18, AICPA Suitable Trust Services Principles and Criteria]
The asset protection manager should be a member of the organization's management team and have functional authority. [Revised Volume 1 Pg 2-I-26, Protection of Assets Manual, ASIS International]
The organization should define and identify key IT personnel and minimize over-reliance on them. A plan for contacting key personnel in case of emergency should exist. [PO4.13, CobiT, Version 4.1]
A top-level executive should be assigned responsibility for the organization's information security program. The reliance on key personnel for the administration of applications and end user environments should be minimized by assigning alternative personnel to ensure availability. [SM2.1.1, CB2.1.5(a), CI1.1.3(c), NW1.1.3(c), UE1.1.5(a), SD1.1.5, The Standard of Good Practice for Information Security]
EU Guidance
The Board should monitor, select, and compensate key executives. [§ VI.D, OECD Principles of Corporate Governance, 2004]
Other European and African Guidance
The Management Board must regularly report, in writing (which includes electronic form), to the Supervisory Board on important issues to the organization, such as planning, compliance, and risk management. Any reports that are needed by the Board to make a decision must be submitted to the Supervisory Board before the meeting to allow members the ability to review the documents. [¶ 3.4, German Corporate Governance Code ("The Code"), June 6, 2008]
The Supervisory Board Chairperson must ensure that all Board members are properly inducted and follow the training programs; that all Board members receive information in a timely manner so they can properly perform their duties; that the Board committees function properly; that the Board has sufficient time for discussion and decision making; and that the Management and Supervisory Board members are evaluated annually. The chairperson of the Supervisory Board must not be a former member of the Management Board. [¶ III.4.1, ¶ III.4.2, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]
The data protection official must be a natural or legal person who has been approved by the Commission Nationale. Approval will be subject to proof of completion of university studies in economics, natural science, law, commercial management, or information technology. Persons who are registered in the controlled professions of barristers, auditors, accountants, and doctors can be approved unconditionally. The qualities of all data protection officials will be checked by the Commission Nationale, which may object to the appointment or continuance, if the data protection official does not have the required qualities or is already in contact with the data controller for activities other than data processing and the contact poses a conflict of interest, thus limiting his/her independence. In the event the Commission Nationale objects, the data controller must appoint a new data protection official within 3 days. [Art 40(6) thru Art 40(9), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data]
The function of the personal data representative is to independently ensure that personal data processed by the personal data controller is processed in accordance with the law and good practices, and in a correct manner. He/she is also responsible for pointing out inadequacies to the personal data controller and for notifying the supervisory authority if he/she suspects the personal data controller has violated this Act and corrections are not made as soon as possible after errors have been pointed out. If the personal data representative is in doubt about how to apply the personal data processing rules, he/she must consult with the supervisory authority. The personal data representative also assists registered persons in correcting personal data when it is suspected that the processed personal data is incomplete or incorrect. [§ 38, § 40, Sweden Personal Data Act (1998:204)]
Asia and Pacific Rim Guidance
All members appointed to the auditing and assurance standards board are required to have knowledge or experience in business, accounting, auditing, law, and/or government. [Sched 1 ¶ 28, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of security management roles that have been assigned. [UCF Control ID 01671]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
