Establish job categorization criteria, job recruitment criteria, and promotion criteria.


CONTROL ID
00781
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a compensation, reward, and recognition program., CC ID: 12806
  • Refrain from using employees' privacy choices to restrict employment., CC ID: 12425
  • Refrain from using employees' privacy choices to take punitive actions., CC ID: 16815
  • Use rewards and career development to motivate personnel., CC ID: 06906
  • Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria., CC ID: 12825
  • Recognize personnel who reinforce desirable conduct with incentives., CC ID: 12815
  • Establish, implement, and maintain job applications., CC ID: 16180


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The nomination committee should investigate the backgrounds of potential new directors. The Board of Directors should ensure that new directors are qualified. (¶ 2.4.8, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • Requirements relating to recruitment and selection of qualified staff and external contractors that define the framework for vetting and monitoring of personnel, taking into account the information security risk (Critical components of information security 1) 2) o., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Once ASD officially endorses an applicant, they will be notified in writing. Applicants must not identify themselves as IRAP assessors until they have received official endorsement from ASD. (23., IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • The policy framework should define the vetting and monitoring process for recruiting and selecting Information Technology staff members and contractors. (¶ 27(h), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • recruitment and selection of IT staff and contractors that defines the framework for vetting and monitoring of personnel, taking into account IT security risk; and (¶ 27(h), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Part I ¶ 18: The organization must clearly make the requirement for baseline personnel security standard (BPSS) checks and what personal information will be used for in the recruitment literature, job advertisements, and information packs. The applicants must be reminded that if they supply false i… (Part I ¶ 18, Part I ¶ 19, Part II ¶ 4, HMG BASELINE PERSONNEL SECURITY STANDARD, GUIDANCE ON THE PRE-EMPLOYMENT SCREENING OF CIVIL SERVANTS, MEMBERS OF THE ARMED FORCES, TEMPORARY STAFF AND GOVERNMENT CONTRACTORS, Version 3, February 2001)
  • A person must not, in association with the recruitment of an employee, the continued employment of an employee, or a contract for providing services to him/her, require the person or third party to provide or produce a relevant record. Table 56(6) lists what are considered relevant records. (§ 56(1), UK Data Protection Act of 1998)
  • The entity establishes qualifications for personnel responsible for protecting the privacy and security of PI and assigns such responsibilities only to those personnel who meet these qualifications and who have received training. (M1.2 Qualifications of internal personnel, Privacy Management Framework, Updated March 1, 2020)
  • The number of workers who are not employees and whose work is controlled by the organization, including the types of worker (e.g., agency workers, contractors, self-employed persons, volunteers), their contractual relationship with the organization (i.e., whether the organization engages these worke… (§ 1. Step 1. Activities ¶ 1 Bullet 6, GRI 3: Material Topics 2021)
  • Maintain IT personnel recruitment processes in line with the overall organisation's personnel policies and procedures (e.g., hiring, positive work environment, orienting). Implement processes to ensure that the organisation has an appropriately deployed IT workforce with the skills necessary to achi… (PO7.1 Personnel Recruitment and Retention, CobiT, Version 4.1)
  • Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience. Define core IT competency requirements and verify that they are being maintained, using qualification and certification programmes where appropriate. (PO7.2 Personnel Competencies, CobiT, Version 4.1)
  • The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. (§ 3 Principle 4 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • IT auditors are usually more mobile than traditional auditors, so Chief Audit Executive's (CAEs) need to be creative in their retention strategies. The following are some areas that can be used by the CAE to support retention goals: consider bonuses tied to specific certifications; rotate personnel … (§ 6.2 (IT Auditor Retention Strategy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; (§ 7.2 ¶ 1 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • Persons assigned a role related to the EMS must be competent to perform that role. This includes employees and contractors whose work can affect the organization's environmental performance or compliance obligations. An organization should determine the necessary competence for such a specific role … (§ 5.7 ¶ 3, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • determine the necessary competence of employee(s) doing work under its control that affects its compliance management system performance; (§ 7.2.1 ¶ 1 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The service provider shall determine the necessary competence requirements for all personnel. (§ 4.4.2 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • determine the necessary competence of person(s) doing work under its control that affects its business continuity performance; (§ 7.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • determine the necessary competence of person(s) doing work under its control that affects its compliance performance; (§ 7.2.1 ¶ 1 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • determine the necessary competence of person(s) doing work under its control that affects its compliance performance; (§ 7.2.1 ¶ 1 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • For U.S. employees, the entity shall categorize the employees in accordance with the Equal Employment Opportunity Commission's Employer Information EEO-1 report (EEO-1 Survey) Instruction Booklet, where each employee category for disclosure is defined by corresponding job categories and descriptions… (TC-IM-330a.3. 3, Internet Media & Services Sustainability Accounting Standard, Version 2018-10, Version 2018-10)
  • For non-U.S. employees, the entity shall categorize the employees in a manner generally consistent with the definitions provided above, though in accordance with, and further facilitated by, any applicable local regulations, guidance, or generally accepted definitions. (TC-IM-330a.3. 4, Internet Media & Services Sustainability Accounting Standard, Version 2018-10, Version 2018-10)
  • For U.S. employees, the entity shall categorize the employees in accordance with the Equal Employment Opportunity Commission's Employer Information EEO-1 report (EEO-1 Survey) Instruction Booklet, where each employee category for disclosure is defined by corresponding job categories and descriptions… (TC-SI-330a.3. 3, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • For non-U.S. employees, the entity shall categorize the employees in a manner generally consistent with the definitions provided above, though in accordance with, and further facilitated by, any applicable local regulations, guidance, or generally accepted definitions. (TC-SI-330a.3. 4, Software & IT Services Sustainability Accounting Standard, Version 2018-10)
  • The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. (CC1.4 ¶ 1 COSO Principle 4:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Knowledge, skills, and experience with enterprise risk management. (Establishing and Evaluating Competence ¶ 2 Bullet 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The costs and benefits of different skill levels and experience. (Establishing and Evaluating Competence ¶ 2 Bullet 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Attract: Seek out the necessary number of candidates who fit the entity's desired risk-aware culture, desired behaviors, operating style, and organizational needs, and who have the competence for the proposed roles. (Attracting, Developing, and Retaining Individuals ¶ 1 Bullet 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The human resource practices for hiring, training, evaluating, promoting, and compensating should be used to reach the expected levels of integrity, ethical behavior, and competence. (Pg 26, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • Verify that the organization has addressed compensation, performance evaluation, and advancement, in order to demonstrate its overarching commitment to Quality Control. (Ques. AT402(b), Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. (CC1.4 COSO Principle 4:, Trust Services Criteria)
  • The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. (CC1.4 ¶ 1 COSO Principle 4:, Trust Services Criteria, (includes March 2020 updates))
  • The organization must designate a sensitivity level and risk designation for every personnel position that has access to CMS sensitive information processing. The organization must review and revise the risk designations annually. The organization must have documentation for supporting the security … (CSR 2.5.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Determine whether management has processes for employee recruitment, hiring, and placement and provides for thorough applicant screening and background checks at the time of employment. Review the following and evaluate their effectiveness: (App A Objective 14:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Job descriptions are reasonable and represent actual practice. (App A Objective 5:2 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Along with the IT audit and compliance departments, the HR department can serve as an influencing function for IT. Determine the adequacy of the institution's HR function to ensure its ability to attract and retain a competent workforce. (App A Objective 5, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization should have plans in place to ensure staff members have the skills and expertise to complete their jobs. (Pg 12, FFIEC IT Examination Handbook - Management)
  • (SP-4.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Management should demonstrate a commitment to recruit, develop, and retain competent individuals. (4.01, Standards for Internal Control in the Federal Government)
  • The organization must assign risk designations for all positions and develop screening criteria for all positions. (§ 5.6.11, Exhibit 4 PS-2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure risk designations are established and assigned for all positions; risk designations are regularly reviewed and updated; screening criteria are followed; and specific responsibilities and actions are defined for the implementation of t… (PS-2, PS-2.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Establish and oversee waiver processes for cyber career field entry and training qualification requirements. (T0373, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and review recruiting, hiring, and retention procedures in accordance with current HR policies. (T0363, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must assign each position a risk designation. (SG.PS-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the position risk designations on a defined frequency. (SG.PS-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must assign a risk designation to all positions. (App F § PS-2.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must review and revise position risk designations on a predefined frequency. (App F § PS-2.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Develop and review recruiting, hiring, and retention procedures in accordance with current HR policies. (T0363, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish and oversee waiver processes for cyber career field entry and training qualification requirements. (T0373, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization assigns a risk designation to all organizational positions. (PS-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization assigns a risk designation to all organizational positions. (PS-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization assigns a risk designation to all organizational positions. (PS-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization assigns a risk designation to all organizational positions. (PS-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)