Human Resources management

IT Impact Zone
IT Impact Zone


This is a top level control.

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806
  • Define and assign workforce roles and responsibilities., CC ID: 13267
  • Analyze workforce management., CC ID: 12844
  • Establish, implement, and maintain a personnel management program., CC ID: 14018
  • Establish and maintain the staff structure in line with the strategic plan., CC ID: 00764
  • Establish job categorization criteria, job recruitment criteria, and promotion criteria., CC ID: 00781
  • Train all personnel and third parties, as necessary., CC ID: 00785
  • Establish, implement, and maintain a personnel health and safety policy., CC ID: 00716
  • Establish, implement, and maintain a conflict of interest policy., CC ID: 14785
  • Establish, implement, and maintain a Code of Conduct., CC ID: 04897
  • Establish, implement, and maintain performance reviews., CC ID: 14777
  • Establish, implement, and maintain a legal support program., CC ID: 13710
  • Establish, implement, and maintain an insider threat program., CC ID: 10687
  • Establish, implement, and maintain an ethics program., CC ID: 11496


  • The organization must document future human resources and training of personnel needed to computerize the organization. This is a control item that constitutes a relatively small risk to financial information. This is a company-level IT control. (App 2-1 Item Number I.2.3(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization shall ensure it conducts personnel management appropriately. (O85, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization must implement personnel security controls before and during employment. (Part I ¶ 4, HMG BASELINE PERSONNEL SECURITY STANDARD, GUIDANCE ON THE PRE-EMPLOYMENT SCREENING OF CIVIL SERVANTS, MEMBERS OF THE ARMED FORCES, TEMPORARY STAFF AND GOVERNMENT CONTRACTORS, Version 3, February 2001)
  • A key factor for ensuring the Information Technology Service Continuity (ITSC) strategy and plans are appropriate as the organization and its environment changes is to remunerate the staff against service levels to help ensure awareness reaches all levels of the organization. (§ 5.6 ¶ 2(h), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • IT policy statements should include, but not be restricted to personnel policies defining and enforcing conditions for staff located in sensitive areas (includes vetting new staff, annual credit checks, disciplinary procedures, and responsibility agreements). (§ 5.3.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Evaluating the vendor's HR policies and procedures is important for successfully implementing and effectively operating designed controls. Key areas to be reviewed include adopting and promoting the management culture, including ethics, business practices, and HR evaluations; reviewing employee ince… (§ 5.5, IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The Human Resources Director should be responsible for developing employee conduct guidelines; cooperate with the examination of current and past employees' records during investigations; conduct security awareness training for all employees; and screen potential employees. Human resources should en… (Pg 12-II-38, Pg 23-VI-4, Protection of Assets Manual, ASIS International)
  • ¶ 13.2 Secure Service Management should be implemented for network security. ¶ 13.2.1 Introduction to Secure Service Management. A key security requirement for any network is that it is supported by secure service management activities, which will initiate and control the implementation, and opera… (¶ 13.2, ¶ 13.2.1, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The organization should provide the necessary authority, training, time, resources, and skills to all personnel so they can fulfill their roles. (App A § A.3.2, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • CMS business partners shall safeguard systems against fraud and practice fraud control according to the CMS minimum security requirements (CMSRs) and Appendix B of this document. (§ 3.8, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization shall have security policies that address transfers, hiring, termination, and performance. (CSR 1.10, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Determine whether audit procedures for payment systems risk adequately consider the risks in wholesale electronic funds transfer (EFT). Evaluate whether ▪ Adequate operating policies and procedures govern all activities, both in the wire transfer department and in the originating department, inclu… (Exam Tier II Obj E.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Exam Tier I Obj 8.8 Determine whether the BCP includes continuity plans and other mitigating controls (e.g. social distancing, teleworking, functional cross-training, and conducting operations from alternative sites) to sustain critical internal and outsourced operations in the event large numbers o… (Exam Tier I Obj 8.8, Exam Tier I Obj 8.9, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • human resources should be responsible for hiring and maintaining a competent staff. (Pg 12, FFIEC IT Examination Handbook - Management)
  • Determine whether management has implemented appropriate human resource management. Assess whether: ▪ The organizational structure is appropriate for the institution's business lines; ▪ Management conducts ongoing background checks for all employees in sensitive areas; ▪ Segregation and rotati… (Exam Tier I Obj 5.3, FFIEC IT Examination Handbook - Operations, July 2004)
  • Identify and obtain during discussions with management of financial institution or service provider: • A description of the retail payment system activities performed and scope of operations, including check item processing, RDC, lock-box services that provide ACH check conversion or check truncat… (Exam Tier I Obj 2.4, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • Evaluate wholesale payment system business line staff. Consider: ▪ Adequacy of staff resources. ▪ Hiring practices. ▪ Effective policies and procedures outlining department duties. ▪ Adequacy of accounting and financial controls over wholesale payment processing, clearance, and settlement ac… (Exam Tier I Obj 2.4, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization must develop, document, distribute, and continuously update a personnel security policy and procedures for implementing personnel security controls. (§ 5.6.11, Exhibit 4 PS-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Organizational records and documents should be examined to ensure the personnel security policy and procedures are documented, disseminated, reviewed, and updated and that specific responsibilities and actions are defined for the implementation of the personnel security policy and procedures control… (PS-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should provide an organizational structure and culture that is defined by management. (§ II.A, OMB Circular A-123, Management's Responsibility for Internal Control)