Identify and define all critical roles.


CONTROL ID
00777
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Define and assign workforce roles and responsibilities., CC ID: 13267

This Control has the following implementation support Control(s):
  • Assign cybersecurity reporting responsibilities to qualified personnel., CC ID: 12739
  • Assign responsibility for cyber threat intelligence., CC ID: 12746
  • Assign the role of security management to applicable controls., CC ID: 06444
  • Define and assign the data processor's roles and responsibilities., CC ID: 12607
  • Define and assign the data controller's roles and responsibilities., CC ID: 00471
  • Assign the role of Information Technology operations to applicable controls., CC ID: 00682
  • Assign the role of logical access control to applicable controls., CC ID: 00772
  • Assign the role of asset physical security to applicable controls., CC ID: 00770
  • Assign the role of data custodian to applicable controls., CC ID: 04789
  • Assign the role of the Quality Management committee to applicable controls., CC ID: 00769
  • Assign the roles and responsibilities for the asset management system., CC ID: 14368
  • Assign personnel to a crime prevention unit and announce the members of the unit., CC ID: 06348
  • Assign the role of fire protection management to applicable controls., CC ID: 04891
  • Assign the role of Information Technology Service Continuity Management to applicable controls., CC ID: 04894
  • Assign the role of the Computer Emergency Response Team to applicable controls., CC ID: 04895
  • Assign the role of CRYPTO custodian to applicable controls., CC ID: 06723


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Appropriate personnel should be assigned with the responsibility for technology recovery. Alternate personnel need to be identified for key technology recovery personnel in case of their unavailability to perform the recovery process. (4.4.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Senior management should establish an effective organisation of IT functions to deliver technology services and to provide day-to-day technology support to business units. A clear IT organisation structure and related job descriptions of individual IT functions should be documented and approved by s… (2.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number I.2.2(1): Top management must define the roles and responsibilities of the information system department and provide it with the appropriate authority and responsibility. This is a control item that constitutes a greater risk to financial information. This is a company-level IT c… (App 2-1 Item Number I.2.2(1), App 2-1 Item Number VI.4.1(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • All personnel must be provided with orientation in order to fully understand their assigned responsibilities and authority. This is a control item that constitutes a greater risk to financial information. This is a company-level IT control. (App 2-1 Item Number VI.4.1(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Management should ensure that company-wide job descriptions and individual procedure manuals are developed on an as needed basis. (Practice Standard § I.5(1), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The policy framework should include all information technology security roles and responsibilities. (¶ 27(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The policy framework might include the information technology security Risk Management Framework roles, e.g., compliance monitoring, training and awareness, maintenance, ongoing review. (¶ 27(i)(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The policy framework might include Information Technology asset-specific roles, e.g., custodians, owners, end-users. (¶ 27(i)(iii), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The policy framework might include compliance roles, Risk Management roles, and assurance roles. (¶ 27(i)(iv), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The policy framework might include a formal governance function and reporting mechanism for assessing the effectiveness of the information technology security Risk Management Framework. (¶ 27(i)(v), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • IT asset-specific roles: owners, custodians, end-users; (¶ 27(i)(iii), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • All members appointed to the auditing and assurance standards board are required to have knowledge or experience in business, accounting, auditing, law, and/or government. (Sched 1 ¶ 28, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • A financial institution should implement a programme and/or a project governance process that defines roles, responsibilities and accountabilities to effectively support the implementation of the ICT strategy. (3.6.1 61, Final Report EBA Guidelines on ICT and security risk management)
  • Moreover, every organisation should appoint a Data Protection Officer (bDSB) in the company and/or government agency. Many tasks are similar; thus, ISO and bDSB should cooperate closely. The bDSB, like the ISO, must have the direct right of recitation at any time with the management of the public ag… (§ 4.2 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Every organisation should appoint a Data Protection Officer. In many areas the appointment of a Data Protection Officer even is required by law. Compliance with the data protection requirements also must be ensured in organisations not having appointed a Data Protection Officer. This may also be per… (§ 4.9 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Within the organisation the Information Security Officer should not be allocated to the IT department. Experience shows that this frequently results in the tasks of information security being reduced to IT safeguarding, while the holistic protection of information is moved to the background. This may… (§ 4.4 Subsection 4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The Management Board must regularly report, in writing (which includes electronic form), to the Supervisory Board on important issues to the organization, such as planning, compliance, and risk management. Any reports that are needed by the Board to make a decision must be submitted to the Superviso… (¶ 3.4, German Corporate Governance Code ("The Code"), June 6, 2008)
  • The data protection official must be a natural or legal person who has been approved by the Commission Nationale. Approval will be subject to proof of completion of university studies in economics, natural science, law, commercial management, or information technology. Persons who are registered in … (Art 40(6) thru Art 40(9), Law of 2 August 2002 on the Protection of Persons with Regard to the Processing of Personal Data)
  • The function of the personal data representative is to independently ensure that personal data is processed by the personal data controller, is processed in accordance with the law and good practices, and is done correctly. He/she is also responsible for pointing out inadequacies to the personal dat… (§ 38, § 40, Sweden Personal Data Act (1998:204))
  • The Supervisory Board Chairperson must ensure all Board members are properly inducted and follow the training programs; ensure all Board members receive information in a timely manner to properly perform their duties; the Board committees function properly; the Board has sufficient time for discussi… (¶ III.4.1, ¶ III.4.2, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • The organization must designate a senior information risk owner; a lead accreditor; an information technology security officer; a communications security officer; and information asset owners. (Mandatory Requirement 35, HMG Security Policy Framework, Version 6.0 May 2011)
  • (§ 4.2.2.2, § 4.2.3.2, OGC ITIL: Security Management)
  • (§ 4.2.2.2, OGC ITIL: Security Management)
  • The organization should have an operational risk management function that is independent and is responsible for designing and implementing the risk management framework; developing policies and procedures; developing strategies for identifying, controlling, measuring, and monitoring risks; designing… (¶ 666(a), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • The Board should monitor, select, and compensate key executives. (§ VI.D, OECD Principles of Corporate Governance, 2004)
  • Does the organization have a Chief Information Security Officer? (Table Row I.7, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Who monitors the risk assessments? (Table Row I.14, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Define and identify key IT personnel (e.g., replacements/backup personnel), and minimise reliance on a single individual performing a critical job function. (PO4.13 Key IT Personnel, CobiT, Version 4.1)
  • Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs. (PO4.6 Establishment of Roles and Responsibilities, CobiT, Version 4.1)
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization: – Board of Directors — Retains authority over significant decision… (§ 3 Principle 3 Points of Focus:Defines, Assigns, and Limits Authorities and Responsibilities, COSO Internal Control - Integrated Framework (2013))
  • Job descriptions and skill sets should have accountabilities, roles, responsibilities, and authorities for the business continuity management policy integrated into them. (§ 5.2.2 ¶ 2, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The asset protection manager should be a member of the organization's management team and have functional authority. (Revised Volume 1 Pg 2-I-26, Protection of Assets Manual, ASIS International)
  • The organization should develop clearly written, well-defined job descriptions for all jobs. Job descriptions should state the degree of trustworthiness required for the position. The information systems security manager should review all job descriptions to identify the sensitivity of each job. (Pg 12-II-44, Pg 12-IV-19, Revised Volume 2 Pg 1-IV-7, Protection of Assets Manual, ASIS International)
  • The security profile shall contain important details about individuals in the local environment (e.g., staff and contractors), including types of individuals operating in the local environment (e.g., regular users, operational staff, individuals with special privileges, and external parties, such as… (CF.12.01.03c, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about individuals in the local environment (e.g., staff and contractors), including types of individuals operating in the local environment (e.g., regular users, operational staff, individuals with special privileges, and external parties, such as… (CF.12.01.03c, The Standard of Good Practice for Information Security, 2013)
  • The Risk Management plan shall include a description of the roles, responsibilities, and activities of the personnel who operate and maintain the medical Information Technology network. (§ 4.3.5 ¶ 1(b), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • Organizational roles, accountabilities and security responsibilities. Management should be responsible for all aspects of security management including risk-management decision-making. Several factors, such as the nature, form of incorporation, size and structure of an organization… (§ 5.1.1, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Corporate ICT security officer. An organization should assign responsibility for ICT security to a specific individual. The corporate ICT security officer should act as the focus for all ICT security aspects within the organization; however, the corporate ICT security officer may delegate some aspec… (§ 5.1.3, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Corporate IT Security Policy. To ensure adequate support for all security related measures, the corporate IT security policy should be approved by top management. Based on the corporate IT security policy, a directive should be written, which is binding for all managers and employees. This may requi… (¶ 7.2, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • The organization shall determine personnel requirements for work that affects product quality and ensure personnel are aware of the job's relevance and importance and how they contribute to achieving quality objectives. (§ 6.2.2(a), § 6.2.2(d), ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • § 3.2: Top management shall ensure qualified personnel have been assigned for risk management. § 8 ¶ 3: The medical device manufacturer should assign responsibility for reviewing the risk management plan to appropriate authority. (§ 3.2, § 8 ¶ 3, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • (§ 6.3, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • A member of the service provider's management shall be appointed with the authority and responsibility to ensure service management processes are integrated. (§ 4.1.4 ¶ 1(c), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • who shall monitor and measure; (§ 9.1 ¶ 2 d), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • § 8.1.1 During the pre-employment process, the security roles and responsibilities of the position should be clearly outlined to the candidate. The security roles of employees, contractors, and third parties should include the following requirements: They should read and follow the information secu… (§ 8.1.1, ISO 27002 Code of practice for information security management, 2005)
  • The organization should ensure designated individuals have accepted their responsibilities, have the appropriate skills, and have the resources to check and improve controls, monitor risks, and communicate effectively. These requirements are typically stated in job descriptions and should be include… (App A § A.3.2, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • In addition to the guidance of ISO 31000:2018, 5.4.3, top management and oversight bodies, where applicable, should allocate resources and identify individuals: (§ 5.4.3 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • who shall monitor and measure; (§ 9.1 ¶ 1 d), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. (CC1.3 ¶ 3 Bullet 3 Defines, Assigns, and Limits Authorities and Responsibilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should establish job descriptions for all personnel who protect the privacy and security of personal information. (ID 1.2.6, AICPA/CICA Privacy Framework)
  • Senior managers should be responsible for managing the risks of their units. They should assess and identify risks and develop risk responses. (Pg 94, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The organization should assign authority, responsibilities, and reporting relationships to individuals. (Pg 25, Pg 26, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. (CC1.3 Defines, Assigns, and Limits Authorities and Responsibilities, Trust Services Criteria)
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. (CC1.3 ¶ 3 Bullet 3 Defines, Assigns, and Limits Authorities and Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • (R 3520, NASD Manual)
  • Does the information security function identify key Information Technology roles? (§ C.1.10, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Key duties should be clearly defined. (§ 2-14.c(1), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The DAA should be responsible for ensuring the security requirements are followed; issuing accreditation statements when security safeguards have been approved; ensuring the safeguards are implemented and maintained; ensuring systems are reviewed whenever significant changes are made; assigning pers… (§ 3-1.b, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The Information System Security Officer should not be responsible for keeping the system operational. (§ 2-14.c(2), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization must use a log or standard forms to document the examination of all transferred items and discarded items for sensitive information and that the information has been cleared before release. (CSR 1.3.7, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • CSR 4.3.1: The organization must document the job descriptions to accurately reflect the segregation of duty principles and the assigned duties and responsibilities. CSR 4.3.2: The organization must include the required technical knowledge, skills, and abilities for successful performance in the doc… (CSR 4.3.1, CSR 4.3.2, CSR 4.6.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must designate specific employees to be responsible to secure removable storage devices and media that contain sensitive information. (CSR 1.5.6, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI … (§242.1001(c)(1), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Compliance with the Bank Secrecy Act (BSA) should be incorporated into job descriptions. (Pg 5, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The information assurance officer must ensure that the Security Administrator (modified the security configuration), the enrollment administrator (enroll or re-enroll users), and the audit administrator (reviews and manages the audit logs) have been assigned in writing. (§ 4.2 ¶ BIO1010, DISA Access Control STIG, Version 2, Release 3)
  • The information assurance officer must designate personnel who can override false rejections and ensure they have the proper training for implementing the fallback procedures and verifying a user's identity. (§ 4.5.2 ¶ BIO6040, DISA Access Control STIG, Version 2, Release 3)
  • The organization must establish, in writing, all required Information Assurance roles, including duties and appointment criteria, such as security clearance, training, and Information Technology designation. (DCSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The criminal justice information services systems officer shall ensure that each agency with devices that access the criminal justice information services systems has designated a terminal agency coordinator. (§ 3.2.2(2)(d), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The terminal agency coordinator will serve as the point of contact for matters that relate to criminal justice information services information access. (§ 3.2.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The terminal agency coordinator is responsible for administering criminal justice information services systems programs at the local agency and overseeing its compliance with criminal justice information services systems policies. (§ 3.2.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Management shall designate an individual to review and analyze the audit records for indications of unusual activity or inappropriate activity, investigate violations, report findings to appropriate officials, and take the necessary corrective actions. (§ 5.4.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Ensure the designation of a Terminal Agency Coordinator (TAC) within each agency with devices accessing CJIS systems. (§ 3.2.2 ¶ 1(2)(d), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Ensure each agency having access to CJI has someone designated as the Local Agency Security Officer (LASO). (§ 3.2.2 ¶ 1(2)(e), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Ensure each agency having access to CJI has someone designated as the Local Agency Security Officer (LASO). (§ 3.2.2 ¶ 1 2.e., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Ensure the designation of a Terminal Agency Coordinator (TAC) within each agency with devices accessing CJIS systems. (§ 3.2.2 ¶ 1 2.d., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Identify key IT positions, review biographical data (e.g., résumés and training and development records), and determine the following: (App A Objective 5:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine if the IT audit staff is adequate in number and is technically competent to accomplish its mission. Consider ▪ IT audit personnel qualifications and compare them to the job descriptions; ▪ Whether staff competency is commensurate with the technology in use at the institution; and ▪ T… (Exam Tier I Obj 4.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Members of the IT steering committee should have the authority to make decisions for their departments. (Exam Obj 1.3, Exam Obj 2.1, Pg 5, Exam Obj 4.4, FFIEC IT Examination Handbook - Management)
  • Management should update job descriptions on a routine basis. The job descriptions should include user access rights. (Pg 27, Exam Obj 2.1, FFIEC IT Examination Handbook - Management)
  • The organization should have clearly defined duties and responsibilities. (Pg 25, FFIEC IT Examination Handbook - Operations, July 2004)
  • The Board of Directors and senior management should be responsible for overseeing all outsourced relationships. (Pg 3, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • The organization should ensure the roles and responsibilities are defined for staff members and customers involved in retail payment services. (Pg 36, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • An employee or employees should be designated to coordinate the information security program. (§ 314.4(a), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • (SC-1.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • ¶ 260.42 discusses how control environment risk factors are dictated by management's attitude, philosophy, and operating style. Management's philosophy and operating style encompass a broad range of beliefs, concepts, and attitudes. Such characteristics may include management's approach to taking a… (§ 260.42, § 260.43, § 260.43.b, § 295.04, GAO/PCIE Financial Audit Manual (FAM))
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., FedRAMP Security Controls High Baseline, Version 5)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., FedRAMP Security Controls Low Baseline, Version 5)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is the responsibility for managing routers assigned to a specific person? (IT - Routers Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Implement a procedure specifying who can authorize personnel to work with ePHI or in a location where it might be accessed. (§ 4.3.1 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • § 4.2.2 Bullet 1: Document the assignment of final responsibility for security in a job description. § 4.3.2 Bullet 1: Define roles and responsibilities for each job function. (§ 4.2.2 Bullet 1, § 4.3.2 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • The key to forming multidisciplinary C-SCRM teams is breaking down barriers between otherwise disparate functions within the enterprise. Many enterprises begin this process from the top by establishing a working group or council of senior leaders with representation from the necessary and appropriat… (2.3.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • (§ 3.6.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure personnel with information security roles and responsibilities have been identified and documented. (AT-3.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The keeper of master passwords should be a trusted employee, available during emergencies. Any copies of the master passwords must be stored in a very secure location with limited access. (§ 6.2.7.1 ICS-specific Recommendations and Guidance ¶ 5 Bullet 4, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Owners or operators (e.g., the organization or third parties such as service providers, partners, customers, and developers) and their roles with respect to the systems/products/services and components (e.g., internal or external) that process data are inventoried. (ID.IM-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must designate an individual to post information on an organizational, publicly accessible Information System. (App F § AC-22.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization designates individuals authorized to post information onto a publicly accessible information system. (AC-22a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization designates individuals authorized to post information onto a publicly accessible information system. (AC-22a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization designates individuals authorized to post information onto a publicly accessible information system. (AC-22a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization designates individuals authorized to post information onto a publicly accessible information system. (AC-22a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Designate individuals authorized to make information publicly accessible; (AC-22a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization should document all personnel at each site, including data processing sites and software development sites. (Pg 34, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • The organization should have the expertise necessary to identify the risks to the system. (Background, ACH (Automated Clearing House) Operating Rules OCC Bulletin 2004-58, December 2004)
  • At least one key senior manager should have the knowledge and skills to evaluate critically the design, operation and oversight of technology projects. (¶ 26, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Only authorized personnel should be allowed to sanitize classified media. (§ 4.5, State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Revision 2.0)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a., TX-RAMP Security Controls Baseline Level 1)
  • Designates individuals authorized to post information onto a publicly accessible information system; (AC-22a., TX-RAMP Security Controls Baseline Level 2)