Establish job categorization criteria, job recruitment criteria, and promotion criteria.


CONTROL ID
00781
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Refrain from using employees' privacy choices to restrict employment., CC ID: 12425
  • Use rewards and career development to motivate personnel., CC ID: 06906
  • Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria., CC ID: 12825
  • Recognize personnel who reinforce desirable conduct with incentives., CC ID: 12815
  • Establish, implement, and maintain a compensation, reward, and recognition program., CC ID: 12806
  • Include a space to explain employment gaps on the job application., CC ID: 12303
  • Include a space for previous addresses and previous residences on the job application., CC ID: 12302
  • Include a space for past aliases and other used names on job applications., CC ID: 12301


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The nomination committee should investigate the backgrounds of potential new directors. The Board of Directors should ensure that new directors are qualified. (¶ 2.4.8, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • Requirements relating to recruitment and selection of qualified staff and external contractors that define the framework for vetting and monitoring of personnel, taking into account the information security risk (Critical components of information security 1) 2) o., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The policy framework should define the vetting and monitoring process for recruiting and selecting Information Technology staff members and contractors. (¶ 27(h), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • recruitment and selection of IT staff and contractors that defines the framework for vetting and monitoring of personnel, taking into account IT security risk; and (¶ 27(h), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The organization must clearly state the requirement for baseline personnel security standard (BPSS) checks, and what the personal information will be used for, in the recruitment literature, job advertisements, and information packs. The applicants must be reminded that if they supply false i… (Part I ¶ 18, Part I ¶ 19, Part II ¶ 4, HMG BASELINE PERSONNEL SECURITY STANDARD, GUIDANCE ON THE PRE-EMPLOYMENT SCREENING OF CIVIL SERVANTS, MEMBERS OF THE ARMED FORCES, TEMPORARY STAFF AND GOVERNMENT CONTRACTORS, Version 3, February 2001)
  • A person must not, in association with the recruitment of an employee, the continued employment of an employee, or a contract for providing services to him/her, require the person or third party to provide or produce a relevant record. Table 56(6) lists what are considered relevant records. (§ 56(1), UK Data Protection Act of 1998)
  • The entity establishes qualifications for personnel responsible for protecting the privacy and security of PI and assigns such responsibilities only to those personnel who meet these qualifications and who have received training. (M1.2 Qualifications of internal personnel, Privacy Management Framework, Updated March 1, 2020)
  • Maintain IT personnel recruitment processes in line with the overall organisation's personnel policies and procedures (e.g., hiring, positive work environment, orienting). Implement processes to ensure that the organisation has an appropriately deployed IT workforce with the skills necessary to achi… (PO7.1 Personnel Recruitment and Retention, CobiT, Version 4.1)
  • Regularly verify that personnel have the competencies to fulfil their roles on the basis of their education, training and/or experience. Define core IT competency requirements and verify that they are being maintained, using qualification and certification programmes where appropriate. (PO7.2 Personnel Competencies, CobiT, Version 4.1)
  • The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. (§ 3 Principle 4 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • IT auditors are usually more mobile than traditional auditors, so Chief Audit Executives (CAEs) need to be creative in their retention strategies. The following are some areas that can be used by the CAE to support retention goals: consider bonuses tied to specific certifications; rotate personnel … (§ 6.2 (IT Auditor Retention Strategy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • determine the necessary competence of person(s) doing work under its control that affects its environmental performance and its ability to fulfil its compliance obligations; (§ 7.2 ¶ 1 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • Persons assigned a role related to the EMS must be competent to perform that role. This includes employees and contractors whose work can affect the organization's environmental performance or compliance obligations. An organization should determine the necessary competence for such a specific role … (§ 5.7 ¶ 3, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • determine the necessary competence of employee(s) doing work under its control that affects its compliance management system performance; (§ 7.2.1 ¶ 1 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The service provider shall determine the necessary competence requirements for all personnel. (§ 4.4.2 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • determine the necessary competence of person(s) doing work under its control that affects its business continuity performance; (§ 7.2 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • determine the necessary competence of person(s) doing work under its control that affects its compliance performance; (§ 7.2.1 ¶ 1 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • determine the necessary competence of person(s) doing work under its control that affects its compliance performance; (§ 7.2.1 ¶ 1 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Knowledge, skills, and experience with enterprise risk management. (Establishing and Evaluating Competence ¶ 2 Bullet 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The costs and benefits of different skill levels and experience. (Establishing and Evaluating Competence ¶ 2 Bullet 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Attract: Seek out the necessary number of candidates who fit the entity's desired risk-aware culture, desired behaviors, operating style, and organizational needs, and who have the competence for the proposed roles. (Attracting, Developing, and Retaining Individuals ¶ 1 Bullet 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The human resource practices for hiring, training, evaluating, promoting, and compensating should be used to reach the expected levels of integrity, ethical behavior, and competence. (Pg 26, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • Verify that the organization has addressed compensation, performance evaluation, and advancement, in order to demonstrate its overarching commitment to Quality Control. (Ques. AT402(b), Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. (CC1.4 COSO Principle 4:, Trust Services Criteria)
  • The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. (CC1.4 ¶ 1 COSO Principle 4:, Trust Services Criteria, (includes March 2020 updates))
  • The organization must designate a sensitivity level and risk designation for every personnel position that has access to CMS sensitive information processing. The organization must review and revise the risk designations annually. The organization must have documentation for supporting the security … (CSR 2.5.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Determine whether management has processes for employee recruitment, hiring, and placement and provides for thorough applicant screening and background checks at the time of employment. Review the following and evaluate their effectiveness: (App A Objective 14:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Job descriptions are reasonable and represent actual practice. (App A Objective 5:2 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Along with the IT audit and compliance departments, the HR department can serve as an influencing function for IT. Determine the adequacy of the institution's HR function to ensure its ability to attract and retain a competent workforce. (App A Objective 5, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization should have plans in place to ensure staff members have the skills and expertise to complete their jobs. (Pg 12, FFIEC IT Examination Handbook - Management)
  • (SP-4.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization must assign risk designations for all positions and develop screening criteria for all positions. (§ 5.6.11, Exhibit 4 PS-2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and in… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure risk designations are established and assigned for all positions; risk designations are regularly reviewed and updated; screening criteria are followed; and specific responsibilities and actions are defined for the implementation of t… (PS-2, PS-2.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Establish and oversee waiver processes for cyber career field entry and training qualification requirements. (T0373, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and review recruiting, hiring, and retention procedures in accordance with current HR policies. (T0363, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must assign each position a risk designation. (SG.PS-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the position risk designations on a defined frequency. (SG.PS-2 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must assign a risk designation to all positions. (App F § PS-2.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must review and revise position risk designations on a predefined frequency. (App F § PS-2.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Develop and review recruiting, hiring, and retention procedures in accordance with current HR policies. (T0363, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish and oversee waiver processes for cyber career field entry and training qualification requirements. (T0373, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization assigns a risk designation to all organizational positions. (PS-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization assigns a risk designation to all organizational positions. (PS-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization assigns a risk designation to all organizational positions. (PS-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization assigns a risk designation to all organizational positions. (PS-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)