Status: Live
The organization will define and identify key IT personnel and minimize over reliance on them. [UCF ID 00777]
Supporting and supported controls
This control directly supports:
- Maintain the IT staff structure in line with strategic goals [UCF Control ID 00764]
This control has the following supporting controls:
- Responsibilities of the Data Controller [UCF Control ID 00354]
- Responsibilities of the Data Trustee [UCF Control ID 04789]
- Responsibilities of the Data Steward [UCF Control ID 04795]
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 3.18; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 1.3, Exam Tier I Obj 6.7; FFIEC IT Examination Handbook – Management, Exam Obj 1.3, Exam Obj 2.1; NASD Manual, April 2007, R 3520; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-14.c(2); Federal Information System Controls Audit Manual (FISCAM), February 2009, SC-1.2; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.6.2; CobiT 4.1, PO4.13; The Standard of Good Practice for Information Security, SM2.1.1, CB2.1.5(a), CI1.1.3(c), NW1.1.3(c), UE1.1.5(a), SD1.1.5; OECD Principles of Corporate Governance, 2004, § VI.D; Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004, Sched 1 ¶ 28; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 34; Archer Control Table, ATCS-021, ATCS-071, ATCS-073, ATCS-515, ATCS-790; Luxembourg Data Protection Law, Art 40(6) thru Art 40(9)
Sarbanes Oxley Guidance
[¶ .20 § 3.18, AICPA Suitable Trust Services Principles and Criteria]
The organization should document all personnel at each site, including data processing sites and software development sites. [Pg 34, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
[Exam Tier I Obj 1.3, Exam Tier I Obj 6.7, FFIEC IT Examination Handbook – Information Security]
[Exam Obj 1.3, Exam Obj 2.1, FFIEC IT Examination Handbook – Management]
NASD NYSE Guidance
[R 3520, NASD Manual, April 2007]
US Federal Security Guidance
The Information System Security Officer should not be responsible for keeping the system operational. [§ 2-14.c(2), Army Regulation 380-19: Information Systems Security, February 27, 1998]
[SC-1.2, Federal Information System Controls Audit Manual (FISCAM), February 2009]
NIST Guidance
[§ 3.6.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
General Guidance
The organization should define and identify key IT personnel and minimize over reliance on them. A plan for contacting key personnel in case of emergency should exist. [PO4.13, CobiT 4.1]
A top-level executive should be assigned responsibility for the organization's information security program. The reliance on key personnel for the administration of applications and end user environments should be minimized by assigning alternative personnel to ensure availability. [SM2.1.1, CB2.1.5(a), CI1.1.3(c), NW1.1.3(c), UE1.1.5(a), SD1.1.5, The Standard of Good Practice for Information Security]
EU Guidance
The Board should monitor, select, and compensate key executives. [§ VI.D, OECD Principles of Corporate Governance, 2004]
Other European and African Guidance
The data protection official must be a natural or legal person who has been approved by the Commission Nationale. Approval will be subject to proof of completion of university studies in economics, natural science, law, commercial management, or information technology. Persons who are registered in the controlled professions of barristers, auditors, accountants, and doctors can be approved unconditionally. The qualities of all data protection officials will be checked by the Commission Nationale, which may object to the appointment or continuance, if the data protection official does not have the required qualities or is already in contact with the data controller for activities other than data processing and the contact poses a conflict of interest, thus limiting his/her independence. In the event the Commission Nationale objects, the data controller must appoint a new data protection official within 3 days. [Art 40(6) thru Art 40(9), Luxembourg Data Protection Law]
Asia and Pacific Rim Guidance
All members appointed to the auditing and assurance standards board are required to have knowledge or experience in business, accounting, auditing, law, and/or government. [Sched 1 ¶ 28, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004]
Metrics
The metrics associated with this control are as follows:
- Report on the percentage of security management roles properly assigned [UCF Control ID 01671]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
