Establish, implement, and maintain high level operational roles and responsibilities.

CONTROL ID: 00806
CONTROL TYPE: Establish Roles
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Define and assign the head of Information Security's roles and responsibilities., CC ID: 06091
  • Establish, implement, and maintain a security operations center., CC ID: 14762
  • Designate an alternate for each organizational leader., CC ID: 12053
  • Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program., CC ID: 13112
  • Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures., CC ID: 00807
  • Define and assign board committees, as necessary., CC ID: 14787
  • Define and assign the Chief Information Officer's roles and responsibilities., CC ID: 00808
  • Define and assign the network administrator's roles and responsibilities., CC ID: 16363
  • Define and assign the Information Technology staff's roles and responsibilities., CC ID: 00809
  • Define and assign the Data Protection Officer's roles and responsibilities., CC ID: 16525
  • Define and assign the business unit manager's roles and responsibilities., CC ID: 00810
  • Define and assign the Facility Security Officer's roles and responsibilities., CC ID: 01887
  • Define and assign the Chief Risk Officer's roles and responsibilities., CC ID: 14333
  • Define and assign roles and responsibilities for network management., CC ID: 13128
  • Define and assign the technology security leader's roles and responsibilities., CC ID: 01897
  • Define and assign the security staff roles and responsibilities., CC ID: 11750
  • Define and assign the authorized representatives roles and responsibilities., CC ID: 15033
  • Define and assign the property management leader's roles and responsibilities., CC ID: 00669
  • Define and assign the Archives and Records Management oversight's roles and responsibilities., CC ID: 00697
  • Define and assign the Privacy Officer's roles and responsibilities., CC ID: 00714
  • Define and assign critical facility management personnel's roles and responsibilities., CC ID: 06381
  • Define the objectives and extent of outsourcing operational roles and responsibilities., CC ID: 06383
  • Define and assign the Chief Security Officer's roles and responsibilities., CC ID: 06431
  • Establish and maintain an Information Technology steering committee., CC ID: 12706
  • Assign a contact person to all business units., CC ID: 07144
  • Define and assign the assessment team's roles and responsibilities., CC ID: 08890
  • Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff., CC ID: 12299


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The chairperson should be an independent, non-executive director and should not be the Chief Executive Officer. If the chairperson and the Chief Executive Officer positions are combined, the organization should have an independent, non-executive director as deputy chairperson or a majority of indepe… (¶ 2.3.1 thru ¶ 2.3.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • Standard § I.1 ¶ 4: Everyone in the organization must take actions to ensure the roles and functions of the internal controls are effectively achieved. Standard § I.2(4).1: Everyone in the organization must identify the required information to carry out their responsibilities, understand the cont… (Standard § I.1 ¶ 4, Standard § I.2(4).1, Standard § I.4(5), Practice Standard § I.2(3), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O25.3(1): The organization shall designate an individual in charge and develop methods to transfer, remove, and destroy data files. O39: For the computer center and head and branch offices, the organization shall designate administrators to control operator cards. Operator cards are used to identify… (O25.3(1), O39, O50.4, O51.2, O51.5(4), O60.1(2), O90, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The CEO/CFO must certify to the Board of Directors that he/she has reviewed the financial statements and there are no omissions of fact, untrue statements, or fraudulent or illegal transactions to the best of his/her knowledge. (§ V, Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • For an institution incorporated or established outside Singapore, the functions of the board described in paragraph 5.2.2 may be delegated to and performed by a management committee or body beyond local management that is charged to functionally oversee and supervise the local office (e.g., a region… (5.2.5, Guidelines on Outsourcing)
  • Service providers should provide a single individual who will act as an equivalent to an information technology security manager. (Control: 0744, Australian Government Information Security Manual: Controls)
  • The accreditation authority must be the Defence Signals Directorate for top secret systems. (Control: 1230, Australian Government Information Security Manual: Controls)
  • The system owner must approve the system architecture and the information security documentation before conducting an audit. (Control: 0797, Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include a description of the administrative responsibilities for the cryptographic system. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • The information technology security Risk Management Framework should have a designated owner(s). (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The information technology security risk framework should outline the roles and responsibilities of the staff. (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The roles and responsibilities for maintaining system security should be clearly defined by the organization. The organization should provide guidance to users on their security responsibilities and the consequences for not complying with the requirements. The guidance should tell users they can onl… (§ 2.6.15, § 2.8.4, Australian Government ICT Security Manual (ACSI 33))
  • The information commissioner must be satisfied that the privacy code identifies an adjudicator or another person as the person responsible for the requirements that relate to the annual report, before approving a privacy code that includes procedures for making and dealing with complaints. (§ 18BB(3)(l), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The chief executive function or chief financial officer function must state in writing to the directors that the financial records have been properly maintained, the financial statements comply with accounting standards, and the financial statements give a fair and true view of the organization. The… (Sched 2 ¶ 2, Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004)
  • the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; (4.7 42(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • The top management level in each public agency and company is responsible for the proper, goal-oriented operation of departments and for early detection and minimisation of risks. Given the increasing dependence of business processes on information processing, there is also an increase in the requi… (§ 3.1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The Management Board is responsible for managing the organization, developing and implementing a business strategy, ensuring all laws and policies are abided by, and ensuring the organization has a risk management program. The Management Board must consist of several individuals and a designated cha… (¶ 4.1.1 thru ¶ 4.1.4, ¶ 4.2.1, ¶ 4.3.4, ¶ 5.1.2, ¶ 5.4.5, German Corporate Governance Code ("The Code"), June 6, 2008)
  • A data protection officer in charge of data processing will be assigned by the Board of Directors of the Center. This individual will be familiar with personal data protection and management. The duties of the data protection officer will be decided by the King. Staff members who process personal da… (Art 3.6, Belgian Law of 8 December 1992 on the protection of privacy in relation to the processing of persona, Unofficial English Translation November 2008)
  • The responsibilities of the chair of the Board of Directors include organizing and leading the work of the Board; ensuring the Board receives regular updates on how the organization is operating; being the spokesperson for the organization on senior management and the managing director's employment … (¶ III.3.4.4, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • The accounting officer has overall responsibility to ensure information risks have been assessed and mitigated to an acceptable level. The Senior Information Risk Owner must support the accounting officer and the Senior Information Risk Owner can delegate the day-to-day duties to the departmental Se… (Security Policy No. 4 ¶ 7, HMG Security Policy Framework, Version 6.0 May 2011)
  • The accounting officer must have overall responsibility to ensure information risks have been assessed and mitigated to an acceptable level. (Security Policy No. 4 ¶ 7, HMG Security Policy Framework, Version 6.0 May 2011)
  • The security officer must refer to this framework when developing counter-terrorist policies and plans, but needs to ensure all staff members are adequately protected and personal protection arrangements are implemented for high-threat personnel. (Security Policy No. 6 ¶ 12.b, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must designate a senior information risk owner. This individual must be at board level and must manage information risks, including maintaining and reviewing the information risk register. This role can be combined with other roles. (Mandatory Requirement 35.a, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must designate a lead accreditor. This individual must ensure the accreditation program meets the applicable standards. (Mandatory Requirement 35.b, HMG Security Policy Framework, Version 6.0 May 2011)
  • If the organization handles cryptographic material, it must designate a communications security officer. (Mandatory Requirement 35.d, HMG Security Policy Framework, Version 6.0 May 2011)
  • The contracting authority or MOD DE&S Sy/PSyA should appoint a security adviser to review site management procedures and structures and provide advice on required improvements to the site infrastructure, documentation, and processes for the facility to meet the standard by the security policy framew… (¶ 16, Industrial Security - Departmental Responsibilities, Version 5.0 October 2010)
  • The positions of chairperson and chief executive should not be filled by the same individual. The responsibilities of each position should be clearly written and agreed upon by the Board. The chairperson should be independent. The chief executive should not be promoted to chairperson of the organiza… (§ A.2.1, § A.2.2, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
  • Senior management should be responsible for implementing the risk management framework approved by the Board of Directors. All staff members should understand their risk management responsibilities. (Principle 3, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Are the roles and responsibilities of business towards security defined? (Table Row I.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Who is responsible for keeping records of cyber intrusions, costs of remediation, response time, and documenting procedures and processes? (Table Row I.15, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Who determines if systems are properly configured according to the architecture? (Table Row I.21, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization assign responsibility for each security policy and procedure? (Table Row II.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Who is responsible for the adequacy of policies, procedures, and standards that govern security requirements for outsourced service providers, customers, and business associates? (Table Row II.42, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Who is responsible for keeping records of cyber-intrusions, cost of remediation, etc.? (Table Row VII.15, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are authorized personnel responsible for evidentiary data workflow management (e.g., journaling, audit trails, etc.) and completion of internal and external network incident reports, suspicious activity reports, regulatory reports, and other reports? (Table Row XII.22, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization should have written job descriptions for staff that address requirements pertinent to the scope of the positions' roles and responsibilities regarding required education, training, and/or professional experience. (CORE - 25(a), URAC Health Utilization Management Standards, Version 6)
  • The organization should have written job descriptions for staff that address requirements pertinent to the scope of the positions' roles and responsibilities regarding expected professional competencies. (CORE - 25(b), URAC Health Utilization Management Standards, Version 6)
  • The organization should have written job descriptions for staff that address requirements pertinent to the scope of the positions' roles and responsibilities regarding current scope of roles and responsibilities. (CORE - 25(d), URAC Health Utilization Management Standards, Version 6)
  • A senior clinical staff person must be responsible for oversight of clinical decision-making aspects of the program. (CORE - 32(b), URAC Health Utilization Management Standards, Version 6)
  • A senior clinical staff person must ensure the organizational objective to have qualified clinicians accountable to the organization for decisions affecting consumers. (CORE - 32(d), URAC Health Utilization Management Standards, Version 6)
  • Establish a project management approach commensurate with the size, complexity and regulatory requirements of each project. The project governance structure can include the roles, responsibilities and accountabilities of the programme sponsor, project sponsors, steering committee, project office and… (PO10.3 Project Management Approach, CobiT, Version 4.1)
  • Verify that information security policies clearly define information security responsibilities for both employees and contractors. (§ 12.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 2.0)
  • Verify that information security policies clearly define information security responsibilities for both employees and contractors. (§ 12.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • Verify that Information Security policies clearly define Information Security responsibilities for employees and contractors. (§ 12.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that information security policies clearly define information security responsibilities for both employees and contractors. (§ 12.4, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • The organization must ensure the security policy has clearly defined the security responsibilities of all contractors and employees. (§ 12.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that information security policies clearly define information security responsibilities for both employees and contractors. (§ 12.4 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Are the information security management responsibilities for establishing, documenting, and distributing security policies and procedures formally assigned to an individual or a team? (PCI DSS Question 12.5.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are the information security management responsibilities for establishing, documenting, and distributing security policies and procedures formally assigned to an individual or a team? (PCI DSS Question 12.5.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Roles, responsibilities, authorities, and competencies for business continuity management must be defined and documented. (§ 3.2.3.2, BS 25999-2, Business continuity management. Specification, 2007)
  • The executive should appoint someone to manage the BCM program, define the scope of the program and monitor performance of management of the program. The BCM team should develop a BCM planning process and the program (in keeping with the executive's established scope), determine how to approach each… (Pg 13 BCM Managing The Program, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • Specific roles have emerged for IT risk and control. For smaller organizations, individuals may perform multiple roles, but care should be taken to ensure separation of duties is not compromised. When IT is outsourced, many of these roles are still required to be in-house in order to provide oversig… (§ 7.2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The organization must implement an effective privacy program that includes roles and responsibilities. (§ 2.2 (Privacy Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization must understand the roles and responsibilities of the personnel who manage the control environment and maintain the controls. Management often assumes controls are the responsibility of the IT department, because many of them are automated or perform IT functions. Data owners and bu… (§ 4.1.1 ¶ 2, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The organization must define, document, and communicate responsibilities, roles, and authorities. (§ 4.4.1 ¶ 2, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • A manager should be designated to be responsible for the development of the lock program. The employee who is traveling internationally should take the necessary action to protect the company and themselves; report any losses or incidents; assess and report events that may cause the level of risk to… (Pg 4-II-6, Pg 23-VI-4, Revised Volume 1 Pg 8-II-30, Protection of Assets Manual, ASIS International)
  • A method should be established for defining roles and responsibilities for patch management. (CF.10.01.03a, The Standard of Good Practice for Information Security)
  • The information security policy should require that owners (typically the people in charge of business processes that are dependent on information and systems) are appointed for all critical information. (CF.01.01.03b-1, The Standard of Good Practice for Information Security)
  • The information security policy should require that owners (typically the people in charge of business processes that are dependent on information and systems) are appointed for all critical systems. (CF.01.01.03b-2, The Standard of Good Practice for Information Security)
  • The security awareness program should be assigned as the responsibility of a particular individual, Organizational Unit, working group or committee. (CF.02.02.01b, The Standard of Good Practice for Information Security)
  • Responsibilities of owners should include determining business (including Information Security) requirements. (CF.02.05.02b, The Standard of Good Practice for Information Security)
  • Responsibilities of owners should include ensuring information, business applications, Information Systems and networks are protected in line with their importance to the organization. (CF.02.05.02c, The Standard of Good Practice for Information Security)
  • Responsibilities of owners should include authorizing new or significantly changed business applications, Information Systems, and networks. (CF.02.05.02f, The Standard of Good Practice for Information Security)
  • Responsibilities of owners should include contributing to security audits. (CF.02.05.02g, The Standard of Good Practice for Information Security)
  • The information security policy should define associated responsibilities. (CF.01.01.02-2, The Standard of Good Practice for Information Security)
  • The information security policy should require that owners (typically the people in charge of business processes that are dependent on information and systems) are appointed for all critical information. (CF.01.01.03b-1, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should require that owners (typically the people in charge of business processes that are dependent on information and systems) are appointed for all critical systems. (CF.01.01.03b-2, The Standard of Good Practice for Information Security, 2013)
  • The security awareness program should be assigned as the responsibility of a particular individual, Organizational Unit, working group or committee. (CF.02.02.01b, The Standard of Good Practice for Information Security, 2013)
  • Responsibilities of owners should include determining business (including Information Security) requirements. (CF.02.05.02b, The Standard of Good Practice for Information Security, 2013)
  • Responsibilities of owners should include ensuring information, business applications, Information Systems and networks are protected in line with their importance to the organization. (CF.02.05.02c, The Standard of Good Practice for Information Security, 2013)
  • Responsibilities of owners should include authorizing new or significantly changed business applications, Information Systems, and networks. (CF.02.05.02f, The Standard of Good Practice for Information Security, 2013)
  • Responsibilities of owners should include contributing to security audits. (CF.02.05.02g, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should define associated responsibilities. (CF.01.01.02-2, The Standard of Good Practice for Information Security, 2013)
  • § 5.1.2 ICT security forum. An organization should establish a forum that involves people with the necessary skills to advise on and recommend strategies, identify requirements, formulate policies, draw up the security program, review achievements and direct the corporate ICT security officer. Ther… (§ 5.1.2, § 5.1.3, § 5.1.4, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • ¶ 8.1.1(3)(4) IT Security Management and Policies. An organization should implement safeguards to achieve an appropriate and consistent level of security throughout an organization. This safeguard category contains all those safeguards dealing with the management of IT security, the planning of … (¶ 8.1.1(3)(4), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 7.2 Identification Process. A recommended process for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and the provision of an indication of the potential safeguard areas. When considering network c… (¶ 7.2, ¶ 13.2, ¶ 13.2.1, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. (§ 5.3 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall designate the responsibility and authority for originating, generating, capturing, archiving, and disposing of information. (§ 6.3.6.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Roles should be defined and assigned. Personnel who are allowed to manage system functions should be designated to specific roles, such as Administrator or Auditor. Personnel holding titles allowed to manage system functions should be able to disable or enable security functions, modify security fun… (§ 13.1 thru § 13.3, § 13.7, § H.1 thru § H.3, § H.7, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • All staff members are responsible for creating, receiving, keeping, and disposing of records in accordance with the established policies, procedures, and standards. (§ 2.3.2 ¶ 1(e), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • A manager at a suitable level should be assigned responsibility for implementing and managing the records management training program. (§ 6.2 ¶ 1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The service provider shall implement and operate the service management system by assigning the authorities, responsibilities, and process roles. (§ 4.5.3 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • All major assets and configurations should be accounted for and have a responsible manager who ensures that appropriate protection and control is maintained, e.g. changes are authorized before implementation. Responsibility for implementing controls may be delegated but accountability should remain … (§ 9.1.1, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. (§ 5.4 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Functions and roles for maintaining security should be established by the service provider and the outsourced service provider. These functions and roles should include appointing specific staff, appointing deputies for critical roles and functions, training all appointed staff before they are assig… (§ 6.3.9, § 7.5.8, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • General and specific responsibilities for information security management should be included in the information security policy. Representatives from different parts of the organization should be involved in the coordination of information security. Personnel who should be involved include managers,… (§ 5.1.1, § 6.1.2, § 8.1.1, ISO 27002 Code of practice for information security management, 2005)
  • The organization should implement the risk management framework by: - developing an appropriate plan including time and resources; - identifying where, when and how different types of decisions are made across the organization, and by whom; - modifying the applicable decision-making processes wher… (§ 5.5 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • The organization should define monitoring and review responsibilities. (§ 5.6 ¶ 2, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder… (§ 4.3.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. (Section 5.3 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the responsibilities and authorities within the organization for managing the situations involving mixed responsibilities; and (Section 8.8 ¶ 3(c), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Legal counsel must supervise the collection and preservation efforts of their clients. (Comment 6.f ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • Legal counsel must supervise the manual collection procedures and the automated collection procedures to assure they comply with the discovery obligations. (Comment 11.c ¶ 1, The Sedona Principles Addressing Electronic Document Production)
  • Adopt international R&D blueprint guidance and WHO protocols for special studies (compassionate use, Monitored Emergency Use of Unregistered and Investigational Interventions) to investigate additional epidemiological, virologic, and clinical characteristics; designate a clinical trial or study spons… (Pillar 7 Step 3 Action 2, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. (CC1.3 ¶ 4 Bullet 1 Addresses Specific Requirements When Defining Authorities and Responsibilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • One or more individuals must be appointed by the organization to be accountable for the organization complying with the principles of this Act. The organization is responsible for all personal information that is under its control. The identity of the designated individual(s) must be made known upon… (Sched 1 Prin. 4.1, Sched 1 Prin. 4.1.1, Sched 1 Prin. 4.1.2, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • The head of the public entity must appoint an individual to be in charge of the personal data systems who must: comply with the policies and guidelines and the rules for processing, handling, protecting, and the safety of personal data; take required security measures to protect personal data and re… (Art 21, The Personal Data Protection Law for the Federal District (Mexico City))
  • The entity's security policies include assigning responsibility and accountability for system security. (Security Prin. and Criteria Table § 1.2 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's security policies include assigning responsibility and accountability for system changes and maintenance. (Security Prin. and Criteria Table § 1.2 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system availability and related security policies include assigning responsibility and accountability for system availability and related security. (Availability Prin. and Criteria Table § 1.2 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system availability and related security policies include assigning responsibility and accountability for system changes and maintenance. (Availability Prin. and Criteria Table § 1.2 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system processing integrity and related security policies include assigning responsibility and accountability for system processing integrity and related security. (Processing Integrity Prin. and Criteria Table § 1.2 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system processing integrity and related security policies include assigning responsibility and accountability for system changes and maintenance. (Processing Integrity Prin. and Criteria Table § 1.2 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's policies related to the system's protection of confidential information and security include assigning responsibility and accountability for system availability and related security. (Confidentiality Prin. and Criteria Table § 1.2 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's policies related to the system's protection of confidential information and security include assigning responsibility and accountability for system changes and maintenance. (Confidentiality Prin. and Criteria Table § 1.2 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The collection methods and changes to the methods should be reviewed by management, legal counsel, and the Privacy Officer. (Table Ref 4.2.2, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The security program, in relation to protecting personal information, should include assigning responsibility and accountability for system changes and maintenance. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. (CC1.3 Addresses Specific Requirements When Defining Authorities and Responsibilities, Trust Services Criteria)
  • Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities. (CC1.3 ¶ 4 Bullet 1 Addresses Specific Requirements When Defining Authorities and Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • The organization must develop roles and responsibilities. (PE 5, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • An entity seeking to contract as a Medicare Advantage (MA) organization must adopt and implement an effective compliance program that includes measures for preventing, detecting, and correcting noncompliance with the Centers for Medicare & Medicaid Services' (CMS') program requirements and measures … (§ 422.503(b)(4)(vi)(B), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • CSR 1.5.6: The organization must designate specific employees to be responsible to secure removable storage devices and media that contain sensitive information. CSR 3.2.1: The organization must clearly define the responsibilities for using sensitive system utilities and make sure they are understoo… (CSR 1.5.6, CSR 3.2.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • One or more Airport Security Coordinators (ASC) must be appointed for each airport. The ASC will serve as the primary contact for security-related communications and activities for the Transportation Security Administration (TSA); be available to the TSA 24 hours a day; frequently review all securit… (§ 1542.3, 49 CFR Part 1542, Airport Security)
  • A Bank Secrecy Act (BSA) compliance officer should be designated. The compliance officer should have the day-to-day responsibility for ensuring compliance with all BSA regulations. (Pg 6, Obj 2 (Personnel), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Evaluate the qualifications of the Bank Secrecy Act (BSA) compliance officer. (Pg 6, Obj 2 (Personnel), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • A Top Secret control officer must be designated. His/her responsibilities include receiving, transmitting, and maintaining records for Top Secret information. (§ 5-201, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A security official shall be identified who is responsible for developing and implementing the required policies and procedures. (§ 164.308(a)(2), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Employees and contractors are responsible for the following: participating in developing policy or initiating OPDIV RM policy; responding to annual policy review process comments in a timely manner; following the HHS Records Management Policies; working with the Records Officer; asking the Records O… (Ch 10 (Responsibilities of All HHS Staff), Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • The agency coordinator shall be responsible for scheduling initial training and testing, the training and continuing education of employees and operators, the supervision and integrity of the system, and certification testing and the required reports by the National Crime Information Center. (§ 3.2.7, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency coordinator shall participate in meetings and provide input and comments for system improvement. (§ 3.2.7(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Each party state shall appoint a compact officer who shall verify that the compact council's provisions, rules, procedures, and standards are being complied with in his or her state. (§ 3.2.12, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Participate in related meetings and provide input and comments for system improvement. (§ 3.2.7 ¶ 1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Participate in related meetings and provide input and comments for system improvement. (§ 3.2.7 ¶ 1 2., Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Clearly defines the authority, responsibility, and technical skills required. (App A Objective 5:3 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ Existing controls comp… (Exam Tier II Obj D.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • (Obj 1.9, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • An employee or employees should be designated to coordinate the information security program. (§ 314.4(a), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • Management should establish an organizational structure, assign responsibility, and delegate authority to achieve the entity’s objectives. (3.01, Standards for Internal Control in the Federal Government)
  • Do policies assign specific staff positions responsibility for developing policy, procedures, implementing corrective action, monitoring compliance, and providing recommended updates? (IT - General Q 3, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the security awareness program promoted by an Information Security Officer, Information Security group, or other similar individual? (IT - Security Program Q 20a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the written website operating policy include the assignment of an employee to be responsible for monitoring the website? (IT - Web Site Review Q 1d, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has responsibility been assigned to Credit Union personnel for reviewing and acting on the website applications? (IT - Web Site Review Q 13, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish a Data Integrity Board to: (PM-24 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • The key to forming multidisciplinary C-SCRM teams is breaking down barriers between otherwise disparate functions within the enterprise. Many enterprises begin this process from the top by establishing a working group or council of senior leaders with representation from the necessary and appropriat… (2.3.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The organization should designate an individual to be responsible for tracking WLAN security vulnerabilities and wireless security trends. (Table 8-5 Item 57, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • The following authorized operator roles shall be supported by the cryptographic module: user role (performs general security services), crypto officer role (performs initialization or management functions), and maintenance role (performs physical and/or logical maintenance). Before entering or exiti… (§ 4.3.1, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established. (ID.AM-6, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The access control policy should be examined to ensure it addresses the roles and responsibilities of all personnel involved in access control by assigning specific responsibilities and defining actions to take. Organizational records and documents should be examined to ensure personnel with informa… (AC-1.2, AC-1.4, AT-3.1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should appoint an individual to track new threats and vulnerabilities and new Bluetooth technology enhancements and standards to ensure Bluetooth devices continue to be secure. (Table 4-2 Item 31, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • § 6.1(Consider designating an individual) The organization should designate an individual to monitor advancements in IEEE 802.11 security standards and features and to monitor newly identified vulnerabilities and threats. § 6.1(Roles and responsibilities) The wireless security policy should desig… (§ 6.1(Consider designating an individual), § 6.1(Roles and responsibilities), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • Information users should know and understand the confidentiality of the information they are using and how to properly handle that information. (§ 3.10, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • Organizational policy should define the roles and responsibilities for training. (§ 4.1.2 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must establish roles and responsibilities for approving cyber security policy, coordinating cyber security throughout the organization, and assigning security roles. (SG.PM-8 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system's design and implementation must specify the security roles and responsibilities of the users. (SG.SC-19 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should not assign responsibility for developing the Configuration Management process to personnel directly involved in system development. (App F § CM-9(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must identify individuals who have Information Security roles and responsibilities. (App F § SA-3.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Serve on agency and interagency policy boards. (T0226, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Security awareness trainers are responsible for training system and application users. The trainers must understand the risk management process in order to develop the training materials and to incorporate risk assessment into the training programs. (§ 2.3, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)
  • The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development. (CM-9(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization defines and documents government oversight and user roles and responsibilities with regard to external information system services. (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization defines and documents government oversight and user roles and responsibilities with regard to external information system services. (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization defines and documents government oversight and user roles and responsibilities with regard to external information system services. (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization defines and documents government oversight and user roles and responsibilities with regard to external information system services. (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Establishes a Data Integrity Board when appropriate to oversee organizational Computer Matching Agreements and to ensure that those agreements comply with the computer matching provisions of the Privacy Act. (DI-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish a Data Integrity Board to: (PM-24 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish a Data Integrity Board to: (PM-24 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The Senior Assessment Team should be responsible for the following: communicating objectives throughout the organization; determining the assessment scope; determining the assessment methodology; making funds and resources available for the assessment; assigning personnel and contractors to conduct … (Pg 7, Pg 8, Pg 21, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • Management should monitor and measure the performance of technology-related products, services, delivery channels, and processes in order to avoid potential operational failures and to mitigate the damage that may arise if such failures occur. Established controls should identify and manage risks so… (¶ 42, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)