Define and assign the Chief Information Officer's roles and responsibilities.


CONTROL ID
00808
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Head of IT (CIO) (Section 5.1 OIS-03 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization must formally assign information security management responsibility to a Chief Security Officer or other security-knowledgeable member of management. (§ 12.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The IT Head should determine the key business priorities on which the IT systems and processes depend. The impact of collective or individual component failures should be determined during the dependency modeling. This will allow the strategist to determine where the vulnerable weaknesses are in the… (§ 5.3 ¶ 2, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The Chief Information Officer (CIO) is responsible for how IT is used in the organization. His/her roles include understanding the organization's business requirements; developing IT partnerships with management for ensuring compliance, ensuring the IT strategy and business strategy are aligned, pro… (§ 7.2.3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The Information Technology Director should be responsible for ensuring personnel report suspected computer crimes; maintaining logs of individual accountability for all processing; maintaining back-up files; maintaining a log of system and application changes; and designing and implementing software… (Pg 12-II-37, Protection of Assets Manual, ASIS International)
  • Corporate ICT security officer. An organization should assign responsibility for ICT security to a specific individual. The corporate ICT security officer should act as the focus for all ICT security aspects within the organization; however, the corporate ICT security officer may delegate some aspec… (§ 5.1.3, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Corporate IT Security Policy. To ensure adequate support for all security related measures, the corporate IT security policy should be approved by top management. Based on the corporate IT security policy, a directive should be written, which is binding for all managers and employees. This may requi… (¶ 7.2, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • CMS business partners shall appoint a Chief Information Officer (CIO) to oversee CMS information security requirements compliance. CMS business partner's system security officer shall be a full-time position that is dedicated to assisting the CIO. (§ 1.1, CMS Business Partners Systems Security Manual, Rev. 10)
  • At a minimum, the chief information officer is responsible for developing and maintaining policies, procedures, and control techniques for information security; managing the identification, implementation, and assessment of security controls; ensuring the development of a risk analysis training prog… (§ 1.3, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • § 1.4 The Chief Information Officer (CIO) is responsible for: designating a Chief Information Security Officer who will carry out the CIO's system security planning responsibilities; developing and maintaining information security policies, procedures, and control techniques; managing the identific… (§ 1.4, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • The CIO is responsible for providing advice and assistance to the agency head and other senior management personnel to ensure information technology is acquired and managed appropriately; developing, maintaining, and facilitating implementation of a sound and integrated architecture; and promoting t… (§ 5125(b), § 5125(c), Clinger-Cohen Act (Information Technology Management Reform Act))
  • The CIO is responsible for providing advice and assistance to the agency head and other senior management personnel to ensure information technology is acquired and managed appropriately; developing, maintaining, and facilitating implementation of a sound and integrated architecture; and promoting t… (§ 5125(b), Clinger-Cohen Act (Information Technology Management Reform Act))
  • The agency head must delegate the authority for ensuring compliance with the requirements of Title 44, Chapter 35, Subchapter III to the Chief Information Officer. The Chief Information Officer must designate a senior agency information security officer; develop and maintain an information security … (§ 3544(a)(3), Federal Information Security Management Act of 2002, Deprecated)
  • The Chief Information Officer must approve the outsourcing or acquisition of dedicated Information Assurance services, such as incident monitoring, incident analysis, and Incident Response. (DCDS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Chief Information Officer must approve the outsourcing or acquisition of the operation of Information Assurance devices, such as firewalls. (DCDS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Chief Information Officer must approve the outsourcing or acquisition of key management services. (DCDS-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • An Information System Security Manager (ISSM) must be appointed and is responsible for developing, implementing, and evaluating the organization's security program; ensuring all personnel participate in security awareness and training; identifying and documenting threats and vulnerabilities unique t… (§ 8-101, § 8-103, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Defined roles and responsibilities for key IT positions, including executive management (CEO and COO, and often CIO or CTO), and CISO. (App A Objective 2:11 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A defined and functioning role for the CIO or CTO to focus on strategic IT issues and the overall effectiveness of the IT function. (App A Objective 2:11 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The Chief Information Officer (CIO) should be responsible for the organization's IT systems. He/she should oversee the IT budget, the training program, the acquisition process, and strategic planning. He/she should typically be the head of the IT steering committee and should report directly to the … (Pg 6, FFIEC IT Examination Handbook - Management)
  • The Chief Information Officer (CIO) should be responsible for the organization's IT systems. He/she should oversee the IT budget, training program, acquisition process, and strategic planning. He/she should usually be the head of the IT steering committee and should report directly to the CEO. (Pg 6, Exam Obj 4.4, FFIEC IT Examination Handbook - Management)
  • The chief information officer is responsible for developing and maintaining an organization-wide information security program. The officer has responsibilities such as designating a senior security officer who carries out the CIO's responsibilities for system security planning. Aside from assigning … (§ 1.7.1, Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1)
  • The Chief Information Officer (CIO) should ensure the organization follows the sanitization guidelines listed in this document. (§ 3.2, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • The organization must appoint a member of senior management to develop, coordinate, implement, and maintain the organization-wide security program. (SG.PM-3 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The chief information officer (CIO) is responsible for IT planning, budgeting, and performance. (§ 2.3, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)