Define and assign the Information Technology staff's roles and responsibilities.


CONTROL ID
00809
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number I.2.2(1): Top management must define the roles and responsibilities of the information system department and provide it with the appropriate authority and responsibility. This is a control item that constitutes a greater risk to financial information. This is a company-level IT c… (App 2-1 Item Number I.2.2(1), App 2-1 Item Number I.2.2(2), App 2-1 Item Number IV.1(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O4.2: The organization shall appoint system managers to perform system operation management and manage and maintain hardware and software. O6.2: The organization shall appoint network managers to manage the way(s) in which networks are operated and carry out access control and monitoring. O61.2(1):… (O4.2, O6.2, O61.2(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Each system must have a System Owner who is responsible for system operations. (Control: 1071, Australian Government Information Security Manual: Controls)
  • System owners should be a member of the senior executive service or an equivalent position. (Control: 1072, Australian Government Information Security Manual: Controls)
  • IT security-specific roles: IT security manager/officer, administrators, specialists; (¶ 27(i)(ii), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The Management Board must submit the operational and financial objectives and the parameters and strategies used to achieve the objectives to the Supervisory Board for approval. Each member of the Management Board can only be appointed for a maximum of 4 years and can only be reappointed for terms o… (¶ II.1.1, ¶ II.1.2, ¶ II.1.7, ¶ II.3.2, ¶ II.3.3, ¶ III.8.1 thru ¶ III.8.4, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • (§ 5.2.4, § 5.2.5, OGC ITIL: Security Management)
  • Management should continuously ensure the rating system is functioning correctly. Management should meet regularly to discuss the rating process, areas that need improving, and the status of correcting identified deficiencies. (¶ 439, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • The information systems manager is responsible for the implementation and operation of technical security measures designed to meet the security policy requirements. (Pg 12-IV-3, Protection of Assets Manual, ASIS International)
  • Individuals involved in implementing and maintaining business applications, information systems and networks should be assigned clear responsibilities. (CF.02.05.05a, The Standard of Good Practice for Information Security)
  • Individuals involved in implementing and maintaining business applications, information systems and networks should be able to administer and use them correctly and deal with normal processing requirements. (CF.02.05.05b, The Standard of Good Practice for Information Security)
  • Individuals involved in implementing and maintaining business applications, computer systems and networks should be competent to deal with error, exception, and emergency conditions. (CF.02.05.05c, The Standard of Good Practice for Information Security)
  • Individuals involved in implementing and maintaining business applications, information systems and networks should be assigned clear responsibilities. (CF.02.05.05a, The Standard of Good Practice for Information Security, 2013)
  • Individuals involved in implementing and maintaining business applications, information systems and networks should be able to administer and use them correctly and deal with normal processing requirements. (CF.02.05.05b, The Standard of Good Practice for Information Security, 2013)
  • Individuals involved in implementing and maintaining business applications, computer systems and networks should be competent to deal with error, exception, and emergency conditions. (CF.02.05.05c, The Standard of Good Practice for Information Security, 2013)
  • Define and implement cryptographic, encryption and key management roles and responsibilities. (CEK-02, Cloud Controls Matrix, v4.0)
  • Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Saf… (CIS Control 17: Safeguard 17.5 Assign Key Roles and Responsibilities, CIS Controls, V8)
  • Address the scope of use. Ensure that the scope of automation is overseen by the governing body and implemented by appropriately authorized and skilled people (see 6.3). The governing body should ensure that the requisite authority, responsibility and accountability are maintained and that the conse… (§ 5.5 ¶ 1 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • IT operations personnel are responsible for designating employees for backup teams, recovery teams, and emergency response teams; providing employees home phone numbers and addresses; identifying time-critical operations and systems, critical resources, supplies, and critical data to be backed up of… (App A § 8.4, CMS Business Partners Systems Security Manual, Rev. 10)
  • The organization must define the responsibilities for monitoring use and make sure they are understood by technical management. (CSR 3.2.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Each SCI entity shall establish, maintain, and enforce reasonably designed written policies and procedures that include the criteria for identifying responsible SCI personnel, the designation and documentation of responsible SCI personnel, and escalation procedures to quickly inform responsible SCI … (§242.1001(c)(1), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • The criminal justice information services systems officer shall assume ultimate responsibility for managing the criminal justice information services systems. (§ 3.2.2(2)(g), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Architecture-related responsibilities: (App A Objective 2:9a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identification of necessary roles to support the EA function. (App A Objective 12:6c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Operating center responsibilities, including: (App A Objective 14:1f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • With respect to operating centers, describe the entity's operating center type and key responsibilities and determine whether functions such as security and network management are addressed. Evaluate the appropriateness of the entity's processes and controls, such as the following: (App A Objective 14:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Operations-related responsibilities: (App A Objective 2:9c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The board is responsible for overseeing, and senior management is responsible for implementing and maintaining, a safe and sound operating environment that supports the entity's goals and objectives and complies with applicable laws and regulations. Management should establish responsibility and acc… (II.A Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Defined roles and responsibilities for key IT positions, including executive management (CEO and COO, and often CIO or CTO), and CISO. (App A Objective 2:11 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the roles and responsibilities of all levels of management, including executive management, CIO or CTO, CISO, IT line management, and IT business unit management, to ensure that there is a clear delineation between management and oversight functions and operational duties. (App A Objective 2:9, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Business line management should have ownership and accountability for testing the continuity plan and should ensure the continuity plan is updated when required. (Pg H-1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The IT line managers should supervise specific IT functions or departments; enforce policies, procedures, and controls in their respective departments; and report to the IT senior management on the plans and performance of their departments. (Pg 7, FFIEC IT Examination Handbook - Management)
  • Operations management should ensure the organization has the proper staffing, system capacity, system availability, and storage capacity needed to achieve the organization's strategic goals. It should maintain an inventory of all assets; select and recommend technology solutions; understand how syst… (Pg 4, Pg 5, FFIEC IT Examination Handbook - Operations, July 2004)
  • Obtain and review the financial institution's policies and procedures for RDC. Assess whether they define the function, responsibilities, operational controls, vendor management, customer due diligence, BSA/AML compliance monitoring, and reporting functions, etc. Identify the date they were last rev… (App A Tier 2 Objectives and Procedures N.9 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • § 4.3.1 Bullet 1: Implement a procedure specifying who can manage personnel who work with ePHI or in a location where it might be accessed. 4.3.2 Bullet 2: Assign the appropriate level of security oversight. (§ 4.3.1 Bullet 1, § 4.3.2 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Act as a liaison to the information systems department (T0879, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Act as a liaison to the information systems department (T0879, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • System and information owners are responsible for ensuring that proper controls have been implemented on the systems and data they own; for any changes to their systems; and for approving and signing off on changes. (§ 2.3, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)
  • accepting complaints and communications from data subjects, providing explanations and adopting measures; (Art. 41 § 2 I, Brazilian Law No. 13709, of August 14, 2018)