Define and assign the business unit manager's roles and responsibilities.


CONTROL ID: 00810
CONTROL TYPE: Establish Roles
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high-level operational roles and responsibilities. (CC ID: 00806)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The System Manager should be responsible for developing, maintaining, and implementing the risk management document, the system security policy, and the security standard operating procedures; ensuring security procedures are followed; obtaining and maintaining system accreditation; and being famili… (§ 2.1.20 thru § 2.1.23, § 2.4.4, § 2.5.6, § 2.6.5, § 2.6.7, § 2.6.11, Australian Government ICT Security Manual (ACSI 33))
  • Do managers at each level of the organization understand their roles and responsibilities with respect to Information Security? (Table Row II.11, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization: – Board of Directors — Retains authority over significant decision… (§ 3 Principle 3 Points of Focus:Defines, Assigns, and Limits Authorities and Responsibilities, COSO Internal Control - Integrated Framework (2013))
  • Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside. (§ 3 Principle 12 Points of Focus: Establishes Responsibility and Accountability for Executing Policies and Procedures, COSO Internal Control - Integrated Framework (2013))
  • The business manager should ensure all employees traveling internationally are aware of the security requirements; assist employees in meeting the security requirements; assess communications requirements; and assess the requirements for protecting confidential information. (Pg 23-VI-4, Protection of Assets Manual, ASIS International)
  • Business unit leader should be assigned the responsibility for Information Security. (CF.12.02.01, The Standard of Good Practice for Information Security)
  • Business unit leader should be assigned the responsibility for Information Security. (CF.12.02.01, The Standard of Good Practice for Information Security, 2013)
  • Business unit managers are responsible for ensuring their employees create and keep records in accordance with the established policies, procedures, and standards. (§ 2.3.2 ¶ 1(c), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The responsibility for authorizing the destruction or disposition action for records that are removed from the immediate physical environment of the business unit to another physical area that is controlled by the organization is still with that business unit. (§ 4.3.9.2 ¶ 1, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside. (CC5.3 ¶ 2 Bullet 2 Establishes Responsibility and Accountability for Executing Policies and Procedures, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside. (CC5.3 Establishes Responsibility and Accountability for Executing Policies and Procedures, Trust Services Criteria)
  • Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside. (CC5.3 ¶ 2 Bullet 2 Establishes Responsibility and Accountability for Executing Policies and Procedures, Trust Services Criteria, (includes March 2020 updates))
  • Business owners of business partner systems shall determine and document the information and information system security levels and identify security level categorizations for the information and information systems. (§ 2.1, CMS Business Partners Systems Security Manual, Rev. 10)
  • At a minimum, the business owner is responsible for developing and maintaining the risk assessment; ensuring the system is operating according to the security requirements; updating the risk assessment; assisting in identifying, implementing, and assessing security controls; and developing the syste… (§ 1.3, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • The Business Owner is responsible for: developing and maintaining the system security plan; ensuring the system is deployed and operated in accordance with the requirements; updating the system security plan; assisting in identifying, implementing, and assessing security controls; establishing rules… (§ 1.4, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • Review the roles and responsibilities of all levels of management, including executive management, CIO or CTO, CISO, IT line management, and IT business unit management, to ensure that there is a clear delineation between management and oversight functions and operational duties. (App A Objective 2:9, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Business unit managers should communicate business needs and strategies; develop development plans and communicate them to management; test compliance of controls in their business line; back up required resources; and ensure the business line participates in the testing process. (Pg 7, FFIEC IT Examination Handbook - Management)
  • The information system owner should ensure agreements are in place to protect the confidentiality of the system's media and information. (§ 3.3, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • Business and functional managers are responsible for taking an active role in the risk management process; making trade-off decisions; and achieving proper security for the systems. (§ 2.3, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)