Back

Document and communicate role descriptions to all applicable personnel.


CONTROL ID
00776
CONTROL TYPE
Establish Roles
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish and maintain the staff structure in line with the strategic plan., CC ID: 00764

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • Senior management should establish an effective organisation of IT functions to deliver technology services and to provide day-to-day technology support to business units. A clear IT organisation structure and related job descriptions of individual IT functions should be documented and approved by s… (2.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The contents of these regulations must be communicated to the personnel responsible for security measures (including external staff) according to their roles and responsibilities. Refer to [C14] for information on security training. (C1.5., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • All defined and documented responsibilities and accountabilities must be established and communicated to all relevant personnel and management. Some of the major ones include: (Critical components of information security 4) ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Accountability for security is increased through clear job descriptions, employment agreements and policy awareness acknowledgements. It is important to communicate the general and specific security roles and responsibilities for all employees within their job descriptions. The job descriptions for … (Critical components of information security 1) 3), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • that the risk responsibilities and roles are clearly communicated, allocated and embedded in all relevant parts (e.g. business lines, IT) and processes of the organisation, including the roles and responsibilities for gathering and aggregating the risk information and reporting it to senior manageme… (Title 3 3.3.2 50.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • All personnel should be defined responsibilities for their assigned duties. (¶ 2, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • The cloud provider has documented any function separation conflicts and the compensating controls established for this purpose comprehensibly (e. g. in a role and rights concept) to allow for an assessment of the appropriateness and effectiveness of these controls. (Section 5.1 OIS-04 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Are written job descriptions available to all outsourced personnel who have access to sensitive information? (Table Row II.46, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The different areas of responsibility should be written down and understandable to all staff. (¶ 22.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization should have written job descriptions for staff that address requirements pertinent to the scope of the positions' roles and responsibilities regarding appropriate licensure/certification requirements. (CORE - 25(c), URAC Health Utilization Management Standards, Version 6)
  • Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs. (PO4.6 Establishment of Roles and Responsibilities, CobiT, Version 4.1)
  • Define, implement and maintain procedures for IT operations, ensuring that the operations staff members are familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedure… (DS13.1 Operations Procedures and Instructions, CobiT, Version 4.1)
  • Communication exists between management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives. (§ 3 Principle 14 Points of Focus: Communicates with the Board of Directors, COSO Internal Control - Integrated Framework (2013))
  • A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. (§ 3 Principle 14 Points of Focus: Communicates Internal Control Information, COSO Internal Control - Integrated Framework (2013))
  • Local information security co-ordinators shall have a clear understanding of their roles and responsibilities (e.g., by including details in their job description). (CF.12.02.03a, The Standard of Good Practice for Information Security)
  • Information Security responsibilities for all staff throughout the organization should be specified in job descriptions. (CF.02.01.01-1, The Standard of Good Practice for Information Security)
  • Local information security co-ordinators shall have a clear understanding of their roles and responsibilities (e.g., by including details in their job description). (CF.12.02.03a, The Standard of Good Practice for Information Security, 2013)
  • Information Security responsibilities for all staff throughout the organization should be specified in job descriptions. (CF.02.01.01-1, The Standard of Good Practice for Information Security, 2013)
  • Make employees aware of their roles and responsibilities for maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations. (HRS-13, Cloud Controls Matrix, v4.0)
  • This should not be seen as absolving other levels of management of their compliance responsibilities, as all managers have a role to play with respect to the compliance management system. It is therefore important that their respective responsibilities are clearly set out and included in their job d… (§ 5.3.2 ¶ 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • promoting the inclusion of compliance responsibilities into job descriptions and employee performance management processes; (§ 5.3.4 ¶ 2 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • ensuring compliance is factored into job descriptions; (§ 5.3.5 ¶ 1 h), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • their own role during disruptive incidents. (§ 7.3 ¶ 1 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • In addition to the control given by ISO/IEC 27002, all organizations whose staff members are involved in processing personal health information should document such involvement in relevant job descriptions. Security roles and responsibilities, as laid down in the organization's information security … (§ 7.1.2 Health-specific control ¶ 1, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • The organization should provide the necessary authority, training, time, resources, and skills to all personnel so they can fulfill their roles. (App A § A.3.2, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • ensure that compliance responsibilities are included in job descriptions as appropriate; (§ 5.1.1 ¶ 2 bullet 5, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Top management shall ensure that the responsibilities and authorities for relevant roles within the OH&S management system are assigned and communicated at all levels within the organization and maintained as documented information. Workers at each level of the organization shall assume responsibili… (§ 5.3 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization. (5.3 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • ensure that compliance responsibilities are included in job descriptions as appropriate; (§ 5.1.1 ¶ 2 bullet 5, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • their contribution to the effectiveness of the IT asset management system, including the benefits of improved IT asset management performance; (Section 7.3 ¶ 1 bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • their work activities, the associated risks and opportunities and how they relate to each other; and (Section 7.3 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • roles, responsibilities and authority; (§ 7.4 Guidance ¶ 2(e), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The cloud service provider should agree and document an appropriate allocation of information security roles and responsibilities with its cloud service customers, its cloud service providers, and its suppliers. (§ 6.1.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. (CC2.2 ¶ 3 Bullet 1 Communicates Internal Control Information, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities… (CC2.2 ¶ 4 Bullet 1 Communicates Responsibilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The human resource function helps promote competence by assisting management in developing job descriptions and roles and responsibilities, facilitating training, and evaluating individual performance for managing risk. Management considers the following factors when developing competence requiremen… (Establishing and Evaluating Competence ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization should establish personnel qualifications for those responsible for protecting the security and privacy of personal information. (Table Ref 1.2.9, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should develop formal job descriptions for internal personnel responsible for protecting the security and privacy of personal information. (Table Ref 1.2.9, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. (CC2.2 Communicates Internal Control Information, Trust Services Criteria)
  • Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities… (CC2.2 Communicates Responsibilities, Trust Services Criteria)
  • A process is in place to communicate required information to enable all personnel to understand and carry out their internal control responsibilities. (CC2.2 ¶ 3 Bullet 1 Communicates Internal Control Information, Trust Services Criteria, (includes March 2020 updates))
  • Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities… (CC2.2 ¶ 4 Bullet 1 Communicates Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • Information necessary for designing, developing, implementing, operating, maintaining, and monitoring controls, relevant to the [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combination thereof] of the system, … (CC2.4, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The responsibilities of internal and external users and others whose roles affect system operation are communicated to those parties. (CC2.3, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The organization must establish, in writing, all required Information Assurance roles, including duties and appointment criteria, such as security clearance, training, and Information Technology designation. (DCSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Any other responsibility for the AC promulgated by the FBI. (§ 3.2.7 ¶ 1(10), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Any other responsibility for the AC promulgated by the FBI. (§ 3.2.7 ¶ 1 10., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Validating that personnel understand their business continuity roles. (App A Objective 2:5c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Maintains updated job descriptions in writing. (App A Objective 5:3 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review and evaluate written job descriptions to ensure that management performs the following: (App A Objective 5:3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Effectiveness of policies and procedures outlining department duties, including job descriptions. (App A Tier 1 Objectives and Procedures Objective 3:4 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Describe the process, the financial institution staff involved, and the decision criteria the financial institution uses to conduct a due diligence review to qualify potential customers for the RDC delivery system. Consider the following: (App A Tier 2 Objectives and Procedures N.3 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The function and level of the financial institution's staff who conduct the due diligence, and those who have the authority to approve a customer for RDC; (App A Tier 2 Objectives and Procedures N.3 Bullet 1 Sub-Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Incorporate security and privacy roles and responsibilities into organizational position descriptions. (PS-9 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Incorporate security and privacy roles and responsibilities into organizational position descriptions. (PS-9 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Incorporate security and privacy roles and responsibilities into organizational position descriptions. (PS-9 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Incorporate security and privacy roles and responsibilities into organizational position descriptions. (PS-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Incorporate security and privacy roles and responsibilities into organizational position descriptions. (PS-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Incorporate security and privacy roles and responsibilities into organizational position descriptions. (PS-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop and implement standardized position descriptions based on established cyber work roles. (T0362, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization's role(s) in the data processing ecosystem are identified and communicated. (ID.BE-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Develop and implement standardized position descriptions based on established cyber work roles. (T0362, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Incorporate security and privacy roles and responsibilities into organizational position descriptions. (PS-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Incorporate security and privacy roles and responsibilities into organizational position descriptions. (PS-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated (Roles, Responsibilities, and Authorities (GV.RR), The NIST Cybersecurity Framework, v2.0)
  • Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced (GV.RR-02, The NIST Cybersecurity Framework, v2.0)
  • Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally (GV.SC-02, The NIST Cybersecurity Framework, v2.0)