Conduct cross-training or staff backup training to minimize dependency on critical individuals.


CONTROL ID
00786
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an education methodology., CC ID: 06671

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • There should be a procedure in place to reduce the reliance on a few key individuals. (Critical components of information security 11) c.19., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Minimise the exposure to critical dependency on key individuals through knowledge capture (documentation), knowledge sharing, succession planning and staff backup. (PO7.5 Dependence Upon Individuals, CobiT, Version 4.1)
  • Define and identify key IT personnel (e.g., replacements/backup personnel), and minimise reliance on a single individual performing a critical job function. (PO4.13 Key IT Personnel, CobiT, Version 4.1)
  • Cross-training employees to protect against the loss or absence of key staff is recommended. (Stage 2, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The risk of staff disrupting the running of business applications, computer systems, and networks either in error or by malicious intent should be reduced by minimizing reliance on key individuals (e.g., by automating processes, ensuring supporting documentation is complete and accurate, arranging a… (CF.02.05.07b, The Standard of Good Practice for Information Security)
  • The risk of staff disrupting the running of business applications, computer systems, and networks either in error or by malicious intent should be reduced by minimizing reliance on key individuals (e.g., by automating processes, ensuring supporting documentation is complete and accurate, arranging a… (CF.02.05.07b, The Standard of Good Practice for Information Security, 2013)
  • The Pandemic Response Plan leadership will be identified as a small team which will oversee the creation and updates of the plan. The leadership will also be responsible for developing internal expertise on the transmission of diseases and other areas such as second wave phenomenon to guide planning… (4.1, Pandemic Response Planning Policy)
  • The organization should train alternative personnel on the restoration process in case the primary person is not available. (Critical Control 8.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Evaluate the extent to which back-up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to systems, data, and facilities access. (TIER I OBJECTIVES AND PROCEDURES BCP - Security Issues Objective 7:5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The accessibility, rotation, and cross training of staff necessary to support critical business operations; (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Validate personnel knowledge and skills, including backup responsibilities. (App A Objective 10:15a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • The organization should ensure employees are cross-trained and succession planning is implemented. (Pg D-8, Pg G-4, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should conduct cross-training to reduce the risk of not having personnel to fill critical positions. (Pg 12, FFIEC IT Examination Handbook - Management)
  • Cross-training should be used to improve skills, allow for better succession, and aid in dual control and rotation of duties. (Pg 25, FFIEC IT Examination Handbook - Operations, July 2004)
  • Is there a trained backup to the primary Wireless Local Area Network administrator? (IT - WLANS Q 5, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • (§ 3.8, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Personnel should be chosen to staff these teams based on their skills and knowledge. Ideally, teams are staffed with personnel responsible for the same or similar functions under normal conditions. For example, server recovery team members should include the server administrators. Team members must … (§ 3.4.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Bank management develop and maintain a plan to ensure that key employees and vendors have the expertise and skills to perform necessary functions and that they are properly trained. Management should allocate sufficient resources to hire and train employees and to ensure that adequate back-up exists… (¶ 36, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)