Evaluate the staffing requirements regularly.


CONTROL ID
00775
CONTROL TYPE
Business Processes
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish and maintain the staff structure in line with the strategic plan., CC ID: 00764

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Given the rapid pace of technological development, senior management needs to ensure that staff of IT functions, the TRM function and internal technology auditors are competent and able to meet required levels of expertise and experience on an ongoing basis. It is also important to ensure that staff… (2.5.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number I.2.3(1): The organization's human resources department must identify the current status of IT personnel and determine the resources and capabilities needed. This is a control item that constitutes a relatively small risk to financial information. This is a company-level IT contr… (App 2-1 Item Number I.2.3(1), App 2-1 Item Number VI.4.1(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Security measures for an in-store branch must be appropriate for the condition of facilities in the store and the staffing structure of the in-store branch. (P125.3. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The regulated user should have sufficient, qualified staff with relevant experience for planning, operating, consulting on applications, and monitoring computerized systems. (¶ 22.1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Implement adequate supervisory practices in the IT function to ensure that roles and responsibilities are properly exercised, to assess whether all personnel have sufficient authority and resources to execute their roles and responsibilities, and to generally review KPIs. (PO4.10 Supervision, CobiT, Version 4.1)
  • Evaluate staffing requirements on a regular basis or upon major changes to the business, operational or IT environments to ensure that the IT function has sufficient resources to adequately and appropriately support the business goals and objectives. (PO4.12 IT Staffing, CobiT, Version 4.1)
  • Assign responsibility for the performance of the quality assurance (QA) function and provide the QA group with appropriate QA systems, controls and communications expertise. Ensure that the organisational placement and the responsibilities and size of the QA group satisfy the requirements of the org… (PO4.7 Responsibility for IT Quality Assurance, CobiT, Version 4.1)
  • Maintain IT personnel recruitment processes in line with the overall organisation's personnel policies and procedures (e.g., hiring, positive work environment, orienting). Implement processes to ensure that the organisation has an appropriately deployed IT workforce with the skills necessary to achi… (PO7.1 Personnel Recruitment and Retention, CobiT, Version 4.1)
  • determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; (§ 7.2 ¶ 1 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • determine the necessary competence of person(s) doing work under its control that affects its performance, (§ 7.2 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization's AI capacity, knowledge level and ability to mitigate realized AI risks should be considered when deciding its AI risk appetite. (§ 6.3.4 Table 4 Column 2 Row 7 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • The use of AI systems can result in changes to the number of human resources needed to realize a certain capability, or in a variation of the type of resources needed, for instance, deskilling or loss of expertise where human decision-making is increasingly supported by AI systems. (§ 5.4.1 Table 3 Column 2 Row 7 Bullet 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • determine the necessary competence of person(s) doing work under its control that affects its IT asset performance, IT asset management performance and IT asset management system performance; (Section 7.2 ¶ 1 bullet 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Nature and degree of judgment and limitations of authority to be applied to a specific position. (Establishing and Evaluating Competence ¶ 2 Bullet 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Verify the organization has identified the staffing requirements and they are approved by the appropriate personnel. (Ques. AT408, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Technical Surveillance Countermeasure personnel shall be staffed at a level that is commensurate with annual tasking, in addition to a reasonable contingency surge requirement. (§ 10.a, SECNAV Instruction 3850.4, Technical Surveillance Countermeasures (TSCM) Program)
  • The Incident Management System has national standards for the qualification and certification of emergency response personnel. These standards ensure the personnel meet the necessary minimum knowledge, skills, and experience required. (Chap III.B.2.c, National Incident Management System (NIMS), Department of Homeland Security, December 2008)
  • Processes are in place to identify additional expertise needed to improve information security defenses. (Domain 1: Assessment Factor: Resources, STAFFING Baseline 1 ¶ 2, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Personnel. (App A Objective 4:5 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the institution's ability to attract and retain a competent workforce and the ability of HR management to effectively meet the requirements for IT and the lines of business that IT supports. (App A Objective 5:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Staffing levels are appropriate. (App A Objective 5:2 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine if the IT audit staff is adequate in number and is technically competent to accomplish its mission. Consider ▪ IT audit personnel qualifications and compare them to the job descriptions; ▪ Whether staff competency is commensurate with the technology in use at the institution; and ▪ T… (Exam Tier I Obj 4.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should have the proper expertise to make decisions about e-banking and network security. (Pg A-3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Review the corporate and Information Technology (IT) departmental organization charts to determine if: ▪ The organizational structure provides for effective IT support throughout the organization, ▪ IT management reports directly to senior level management, ▪ The IT department's responsibiliti… (Exam Obj 2.1, FFIEC IT Examination Handbook - Management)
  • Operations management should ensure the organization has the proper staffing in terms of experience, numbers, and skills. (Pg 4, FFIEC IT Examination Handbook - Operations, July 2004)
  • The adequacy of staffing levels for peak operating periods. (App A Tier 1 Objectives and Procedures Objective 1:3 Bullet 2 Sub-Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Whether the institution has appropriate depth of management and staff. (App A Tier 1 Objectives and Procedures Objective 1:3 Bullet 2 Sub-Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Sufficiency of staff. (App A Tier 2 Objectives and Procedures N.3 Bullet 1 Sub-Bullet 3, Sub-Sub Bullet 7, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine whether the financial institution provides or plans to provide customer technical service or support to the RDC customers. If yes, discuss whether the financial institution considered the need for, or has added, additional staff. (App A Tier 2 Objectives and Procedures N.10 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Coordinate with organizational manpower stakeholders to ensure appropriate allocation and distribution of human capital assets. (T0356, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish manpower, personnel, and qualification data element standards to support cyber workforce management and reporting requirements. (T0375, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintain awareness of internal and external cyber organization structures, strengths, and employments of staffing and technology. (T0642, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish manpower, personnel, and qualification data element standards to support cyber workforce management and reporting requirements. (T0375, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Maintain awareness of internal and external cyber organization structures, strengths, and employments of staffing and technology. (T0642, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Coordinate with organizational manpower stakeholders to ensure appropriate allocation and distribution of human capital assets. (T0356, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Management should clearly state its commitment to hiring competent personnel and support the organization's policy for hiring new personnel. (§ II.A, OMB Circular A-123, Management's Responsibility for Internal Control)
  • The auditor should evaluate the objectivity and level of competence of the individuals performing the work of others. The factors the auditor should use in determining objectivity include the organizational status of the individual performing the work and policies prohibiting individuals performing … (¶ 117 thru ¶ 121, PCAOB Auditing Standard No. 2)