Assign and staff all roles appropriately.


CONTROL ID
00784
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish and maintain the staff structure in line with the strategic plan., CC ID: 00764

This Control has the following implementation support Control(s):
  • Delegate authority for specific processes, as necessary., CC ID: 06780


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The executive remuneration level should be such that quality executives are attracted, retained, and motivated. (¶ 2.5.1, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • Before launching any Internet banking system or system changes, an adequate application system source code review, which could be risk-based, should be performed. The review should aim at identifying any non-compliance with the relevant application security standards, any source codes that may poten… (§ 5.3.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • App 2-1 Item Number I.2.3(2): The organization must document future human resources and training of personnel needed to computerize the organization. This is a control item that constitutes a relatively small risk to financial information. This is a company-level IT control. App 2-1 Item Number VI.4… (App 2-1 Item Number I.2.3(2), App 2-1 Item Number VI.4.2(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The institution should ensure that the employees of the service provider undertaking any part of the outsourcing arrangement have been assessed to meet the institution's hiring policies for the role they are performing, consistent with the criteria applicable to its own employees. The following are … (5.4.4 ¶ 1, Guidelines on Outsourcing)
  • In discharging its responsibility for information security, an APRA-regulated entity would typically assess the sufficiency of its information security capability. This could include reviewing the adequacy of resourcing, including funding and staffing, timely access to necessary skill sets and the c… (15., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The management body should ensure that the quantity and skills of financial institutions' staff is adequate to support their ICT operational needs and their ICT and security risk management processes on an ongoing basis and to ensure the implementation of their ICT strategy. The management body shou… (3.2.1 3, Final Report EBA Guidelines on ICT and security risk management)
  • A financial institution should ensure that all areas impacted by an ICT project are represented in the project team and that the project team has the knowledge required to ensure secure and successful project implementation. (3.6.1 65, Final Report EBA Guidelines on ICT and security risk management)
  • the CSIRTs shall be adequately staffed to ensure availability of their services at all times and they shall ensure that their staff is trained appropriately; (Article 11 1 ¶ 1(e), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved … (Art. 39.1.(b), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The Supervisory Board must review the compensation of the Management Board on a regular basis. (¶ 4.2.2, German Corporate Governance Code ("The Code"), June 6, 2008)
  • The institution shall ensure that appropriate staff, in terms of both quality and quantity, are available for information risk management, information security management, IT operations and application development in particular. (II.2.5, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Persons who are appointed as data protection officials must possess specialized knowledge and demonstrate the necessary reliability to perform his/her duties. The appointed person may be from outside the body. Public bodies may appoint an employee from another public body with approval from their su… (§ 4f(2), German Federal Data Protection Act, September 14, 1994)
  • Full-time or part-time data protection officer (9.1 Requirements Bullet 2 Sub-Bullet 3, Information Security Assessment, Version 5.1)
  • The data protection officer must have the necessary qualifications. He/she must keep a list of all processing that is carried out and it must be immediately accessible to persons applying for access. The data protection officer may not be sanctioned for performing his/her duties. If he/she encounter… (Art 22.III, France Data Processing, Data Files and Individual Liberties)
  • The internal data protection officer who holds a higher degree in law, information technology, or public administration, or an equivalent qualification, must be appointed or commissioned. He/she will report directly to the head of financial organizations; telecommunications and public utility s… (Art 31/A(1), Hungary Protection of Personal Data and Disclosure of Data of Public Interest)
  • The remuneration of Management Board members must be enough that qualified managers are recruited and retained by the organization. (¶ II.2, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • The personal data protection official must be a natural person who enjoys full legal capacity and meets the integrity preconditions of the first sentence of section 35(4). Integrity will be proven by submitting an extract of the Criminal Register that is not older than 3 months, which the data contr… (§ 19(12), Slovak Republic Protection of Personal Data in Information Systems)
  • Is firewall administration limited to authorized staff? (Table Row V.18, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is someone responsible for tracking the number of employees with wireless local area networks at home? (Table Row XIII.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Staff should only be used where they are trained and have the appropriate skills. (¶ 22.2, Good Practices For Computerized systems In Regulated GXP Environments)
  • Define the responsibilities, relationships, authorities and performance criteria of project team members, and specify the basis for acquiring and assigning competent staff members and/or contractors to the project. The procurement of products and services required for each project should be planned … (PO10.8 Project Resources, CobiT, Version 4.1)
  • Define, monitor and supervise roles, responsibilities and compensation frameworks for personnel, including the requirement to adhere to management policies and procedures, the code of ethics, and professional practices. The level of supervision should be in line with the sensitivity of the position … (PO7.3 Staffing of Roles, CobiT, Version 4.1)
  • Define, implement and maintain procedures for IT operations, ensuring that the operations staff members are familiar with all operations tasks relevant to them. Operational procedures should cover shift handover (formal handover of activity, status updates, operational problems, escalation procedure… (DS13.1 Operations Procedures and Instructions, CobiT, Version 4.1)
  • Interview the personnel responsible for managing network components to verify the roles and responsibilities are assigned, as documented. (Testing Procedures § 1.1.5.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. (§ 3 Principle 5 Points of Focus: Considers Excessive Pressures, COSO Internal Control - Integrated Framework (2013))
  • Resources assigned to planned audits are critical to the effectiveness and efficiency of the audits and it is critical to match needed skills to an appropriate IT auditor. The range of IT audit skill sets needed should be justified to senior management and the audit committee when setting a budget. (§ 6.2 ¶ 1, § 6.2 (Adequate Staffing), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The selection process for individuals entering sensitive positions should be suitable for the position. All staffing decisions should be made in accordance with a detailed job requirements analysis. (Pg 12-II-44, Revised Volume 1 Pg 1-I-6, Protection of Assets Manual, ASIS International)
  • The patch management process should be assigned an owner. (CF.10.01.04c, The Standard of Good Practice for Information Security)
  • Individuals involved in implementing and maintaining business applications, computer systems and networks should be sufficient in number to handle required normal and peak workloads at all times. (CF.02.05.05e, The Standard of Good Practice for Information Security)
  • The information security function should be adequately resourced in terms of the number of staff. (CF.01.02.07a, The Standard of Good Practice for Information Security)
  • Individuals involved in implementing and maintaining business applications, computer systems and networks should be sufficient in number to handle required normal and peak workloads at all times. (CF.02.05.05e, The Standard of Good Practice for Information Security, 2013)
  • The information security function should be adequately resourced in terms of the number of staff. (CF.01.02.07a, The Standard of Good Practice for Information Security, 2013)
  • The patch management process should be assigned an owner. (CF.10.01.03d, The Standard of Good Practice for Information Security, 2013)
  • The organization shall determine what competence is needed for personnel whose work affects product quality. (§ 6.2.2(a), ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • assigning the review and approval of documented information maintained by the organization to individuals with sufficient technical capability and organizational authority; (7.5.3 ¶ 2 Bullet 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • define required competence and adequate training; (§ 6.6 ¶ 1 Bullet 6, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • The organization shall verify the roles, responsibilities, and authorities that facilitate implementing the processes and strategic management of lifecycles has been defined, communicated, and integrated. (§ 6.2.1.3(a)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall maintain and manage the skilled personnel needed to staff all projects. (§ 6.2.4.3(c)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall assign personnel to projects based on the project and staff-development needs. (§ 6.2.4.3(c)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The security roles recognized by the system, such as Owner, Auditor, and Administrator, should be specified. The conditions for role assignments should be stated, such as an account cannot have both the Auditor and Administrator roles. Roles that require explicit requests to be assumed should be spe… (§ 13.7, § H.7, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • There should be job descriptions and other statements to define records management roles and responsibilities for personnel. (§ 6.3, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Compliance should be overseen by a qualified individual that reports independently to senior management. (§ 5.1 ¶ 5, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The governing body remains accountable for all activities of an organization. This accountability cannot be delegated. (§ 4.1 ¶ 4, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. (CC1.3 ¶ 3 Bullet 3 Defines, Assigns, and Limits Authorities and Responsibilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management should decide how well tasks need to be accomplished by comparing the organization's strategies and objectives with the implementation and achievement of the objectives. (Pg 23, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The organization should assign specific privacy related roles and responsibilities. (Table Ref 1.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • In contrast, a deficiency in the operation of a control exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively. A service organization may be able to corr… (¶ 3.102, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • An internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the service organization's governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted b… (¶ 2.132, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. (CC1.3 Defines, Assigns, and Limits Authorities and Responsibilities, Trust Services Criteria)
  • Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. (CC1.5 Considers Excessive Pressures, Trust Services Criteria)
  • Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. (CC1.5 ¶ 2 Bullet 4 Considers Excessive Pressures, Trust Services Criteria, (includes March 2020 updates))
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. (CC1.3 ¶ 3 Bullet 3 Defines, Assigns, and Limits Authorities and Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • Designate the individual or entity as an authorized representative; (§ 99.35(a)(3)(i), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The security manager must ensure a contact officer has been appointed to control the activities of exchange personnel, foreign liaison officers, and foreign visitors. (§ 3.1 ¶ AC31.045 Bullet V0007138, DISA Access Control STIG, Version 2, Release 3)
  • The Information Assurance Officer/Network Security Officer, for Network Intrusion Detection System data, will ensure reviewers are listed. (§ 4.5.3 (MED0320), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • The System Security Plan must identify all Information Assurance personnel. (DCSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A medical device manufacturer shall have sufficient personnel with the background, education, experience, and training necessary to ensure all required activities are being performed correctly. (§ 820.25(a), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The criminal justice information services systems officer shall ensure an Information Security Officer is appointed and determine the extent of his or her authority. (§ 3.2.2(2)(c), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • A contracting government agency that enters into an agreement with a contractor shall appoint an agency coordinator. (§ 3.2.6, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The CSO is an individual located within the CSA responsible for the administration of the CJIS network for the CSA. Pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. The CSO may delegate responsibilities to subordinate agencies. Th… (§ 3.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The response team includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution (e.g., management, legal, public relations, as well as information technology). (Domain 5: Assessment Factor: Resilience Planning and Strategy, PLANNING Baseline 1 ¶ 4, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Has appropriate staff (e.g., DBAs) that (App A Objective 3:6h, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • People and processes supporting the entity's missions and business functions. (App A Objective 14:2e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has designated one or more individuals as an information security officer and determine appropriateness of the reporting line. (App A Objective 2.6, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The IT function at a financial institution is influenced by several other functions, which should include the following: - The human resources function should hire and maintain competent and motivated IT staff. - The IT audit function should validate appropriate controls to mitigate IT risk. - The c… (I.B.7 Other Functions, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Staffing levels sufficient to complete tasks as scheduled. (App A Objective 4:1 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine if the IT audit staff is adequate in number and is technically competent to accomplish its mission. Consider ▪ IT audit personnel qualifications and compare them to the job descriptions; ▪ Whether staff competency is commensurate with the technology in use at the institution; and ▪ T… (Exam Tier I Obj 4.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Review turnover rates in IT staff and discuss staffing and retention issues with IT management. Identify root causes of any staffing or expertise shortages including compensation plans or other retention practices. (Exam Obj 3.6, FFIEC IT Examination Handbook - Management)
  • Operations management and human resources should ensure the proper staffing of roles through hiring, training, and advancement in the organization. (Pg 5, Pg 25, FFIEC IT Examination Handbook - Operations, July 2004)
  • The levels of skill and experience of key managers and staff, particularly in terms of the sophistication and complexity of the products, processes, and systems. (App A Tier 1 Objectives and Procedures Objective 1:3 Bullet 2 Sub-Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine if the quality of management and staff, and the staffing levels are adequate for the specific retail payment products and processes the institution provides. (App A Tier 1 Objectives and Procedures Objective 1:3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Mentions codes of conduct as an organization's method of ensuring ethical behavior and how an auditor should investigate it. (§ 240.43(a), GAO/PCIE Financial Audit Manual (FAM))
  • The organization requires an information security representative to be a member of the [FedRAMP Assignment: Configuration control board (CCB) or similar (as defined in CM-3)]. (CM-3(4) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Has the Credit Union implemented dual control duties for employees with access to or responsibilities for member information? (IT - 748 Compliance Q 6e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Can the firewall be accessed by a secondary Information Technology committee or assigned staff member in an emergency? (IT - Firewalls Q 32, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the responsibility for patch management assigned to a specific person? (IT - Servers Q 6, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Lead and oversee budget, staffing, and contracting. (T0493, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Serve as an internal consultant and advisor in own area of expertise (e.g., technical, copyright, print media, electronic media). (T0536, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Apply expertise in policy and processes to facilitate the development, negotiation, and internal staffing of plans and/or memorandums of agreement. (T0571, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Personnel should be chosen to staff these teams based on their skills and knowledge. Ideally, teams are staffed with personnel responsible for the same or similar functions under normal conditions. For example, server recovery team members should include the server administrators. Team members must … (§ 3.4.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Lead and oversee budget, staffing, and contracting. (T0493, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Apply expertise in policy and processes to facilitate the development, negotiation, and internal staffing of plans and/or memorandums of agreement. (T0571, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Serve as an internal consultant and advisor in own area of expertise (e.g., technical, copyright, print media, electronic media). (T0536, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization requires an information security representative to be a member of the {organizationally documented configuration change control element}. (CM-3(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determin… (Bullet 6: Incident Response, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • Management should clearly state its commitment to employee competence. It should define areas of responsibilities, delegate authority, and support human resources policies for compensation, hiring, evaluating, training, and disciplining. (§ II.A, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Provide security training, to include incident response training, to personnel assigned security duties upon hiring and annually thereafter. (Table 1: Personnel Training Enhanced Security Measures Cell 1, Pipeline Security Guidelines)