Assign resources to implement the internal control framework.


CONTROL ID
00816
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

This Control has the following implementation support Control(s):
  • Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework., CC ID: 07146


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • While AIs are expected to take into account the general guidance specified in SA-2 “Outsourcing” when managing technology outsourcing, they should also have regard to the following controls: - technology service providers should have sufficient resources and expertise to comply with the substanc… (7.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number I.1.1(2): The organization must establish the principles on which investments in computerization and computerization plans are determined to develop and define a coherent overall optimization plan. This is a control item that constitutes a greater risk to financial information. T… (App 2-1 Item Number I.1.1(2), App 2-1 Item Number I.1.3(3), App 2-1 Item Number I.1.3(4), App 2-1 Item Number I.1.3(7), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Information resources must be managed in accordance with the security policy and protection must be provided as required by the integrity, confidentiality, and availability of the information. (O1.4(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Organizing, training and equipping teams to respond to information security incidents (Critical components of information security 10) (ii) g., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The Do phase involves implementing and operating the controls. (Critical components of information security 27) (b) Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks should form a separate information security function/group to focus exclusively on information security management. There should be segregation of the duties of the Security Officer/Group dealing exclusively with information systems security and the Information Technology Division which actual… (Information security team/function ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The organization should use the Security Risk Assessment results to determine the balance of resources to allocate to prevention of cyber security incidents instead of detection of cyber security incidents. (Control: 0121, Australian Government Information Security Manual: Controls)
  • In discharging its responsibility for information security, an APRA-regulated entity would typically assess the sufficiency of its information security capability. This could include reviewing the adequacy of resourcing, including funding and staffing, timely access to necessary skill sets and the c… (15., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • information security capability — consider the sufficiency of the regulated entity's information security capability in relation to vulnerabilities and threats; ensure sufficiency of investment to support the information security capability; and review progress with respect to execution of the inf… (8(b)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Each Member State shall adopt a national cybersecurity strategy that provides for the strategic objectives, the resources required to achieve those objectives, and appropriate policy and regulatory measures, with a view to achieving and maintaining a high level of cybersecurity. The national cyberse… (Article 7 1., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Member States shall ensure that their competent authorities and single points of contact have adequate resources to carry out, in an effective and efficient manner, the tasks assigned to them and thereby to fulfil the objectives of this Directive. (Article 8 5., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge. (Art. 38.2., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Data reporting service providers shall additionally maintain adequate resources and have back-up and restoration facilities in place in order to offer and maintain their services at all times. (Art. 12.3. ¶ 3, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities, other than microenterprises, shall ensure that tests are undertaken by independent parties, whether internal or external. Where tests are undertaken by an internal tester, financial entities shall dedicate sufficient resources and ensure that conflicts of interest are avoided thr… (Art. 24.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Frequently, only technical solutions are associated with IT security. However, this is too shortsighted. This is another reason for better using the term information security instead of IT security. First and foremost, it is important to emphasise that investing in human resources is often more effe… (§ 5 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • A prerequisite for secure IT operations is a company that functions well. Sufficient resources must therefore be made available for operations. Typical problems encountered during IT operations (scarce resources, overburdened administrators, or an unstructured and poorly maintained IT environment) m… (§ 5 ¶ 4, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Planning and executing a security process includes defining organisational structures (e.g. departments, groups, centres of expertise) as well as roles and duties. There are different options for organising the structure of information security management. In this, staff arrangements depend on the s… (§ 7.2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Maintaining a particular level of security always requires financial, personnel, and time-related resources that must be made available in sufficient quantities by the management level. If set objectives cannot be achieved due to a lack of resources, it is not the fault of the persons responsible fo… (§ 5 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Regular checks must be performed to see whether all the security safeguards are being applied and implemented as planned in the security concept. This must involve checking that the technical security safeguards (e.g. regarding the configuration) and the organisational regulations (e.g. processes, p… (§ 8.3 Subsection 3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Implement the security concept by deciding which resources should be used to implement the safeguards. (5 Bullet 5, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • At this point, it should be clearly emphasised that the central roles shown in these diagrams do not need to be performed by different people. Staffing arrangements should reflect the size of the organisation concerned, the existing resources and the desired level of security. The resources planned … (§ 4.2 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • It must be ensured that persons assuming more than one role are adequately qualified and are provided with enough resources to perform their tasks. (§ 4.10 Subsection 2 ¶ 3 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Documentation of decision and time schedule for implementation (§ 3.3.5 Subsection 4 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Stipulate the human resources required for the roles (§ 4.11 Subsection 1 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In order to successfully plan, implement and maintain an information security process, the responsibilities have to be defined clearly. Roles that describe the various tasks that are to be fulfilled to achieve the information security objectives have to be defined. In addition, qualified people must… (§ 4.4 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In case of large projects a Project Security Officer should be appointed to both clarify the security needs within the project and to enable secure inclusion of the project results into the business processes of the organisation. The Project Security Officer can be a member of the project or a membe… (§ 4.6 Subsection 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Check appropriateness of resources provided and the cost-effectiveness of the security strategy and security safeguards (§ 10.3 Subsection 1 Bullet 10, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • After determining the order for implementing the safeguards, it must be defined who will implement which and by when. Experience has shown that the implementation will be delayed significantly or skipped completely without such mandatory specifications. In this case, it must be ensured that the pers… (§ 9.4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • As the budget for implementing security safeguards is always limited in practice, it is necessary to determine how much will need to be invested and how much labour this will entail for each safeguard that is to be implemented. When recording these costs, you must differentiate between one-time and… (§ 9.2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The Information Security Officer must have adequate resources to undertake both roles. If necessary the post-holder must be supported by appropriate personnel. (§ 4.4 Subsection 5 ¶ 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • All relevant BAIT requirements and other supervisory requirements shall be applied to all components and areas of the critical service in a clear and comprehensible manner. (II.9.58 ¶ 2, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The PRA recognises that new and growing firms frequently tend to rely more extensively on outsourcing and third party products and services given the benefits they can bring in terms of lower barriers to entry, cost savings, and in some cases increased operational resilience. However, to meet the Th… (§ 3.11, SS2/21 Outsourcing and third party risk management, March 2021)
  • conducting their business in a prudent manner, including having appropriate non-financial (as well as financial) resources. Further guidance on the PRA's approach to the Threshold Conditions is set out in paragraph 21 of 'The PRA's approach to banking supervision' and paragraph 25 of 'The PRA's appr… (§ 4.6 Bullet 3, SS2/21 Outsourcing and third party risk management, March 2021)
  • (§ 4.2.3.2, OGC ITIL: Security Management)
  • to implement the data protection principles in an effective manner, and (§ 57(1)(a), UK Data Protection Act 2018 Chapter 12)
  • perform the tasks mentioned in section 71, and (§ 70(2)(a), UK Data Protection Act 2018 Chapter 12)
  • The controller must provide the data protection officer with the necessary resources and access to personal data and processing operations to enable the data protection officer to— (§ 70(2), UK Data Protection Act 2018 Chapter 12)
  • to implement the data protection principles in an effective manner, and (§ 57(1)(a), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • perform the tasks mentioned in section 71, and (§ 70(2)(a), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • The controller must provide the data protection officer with the necessary resources and access to personal data and processing operations to enable the data protection officer to— (§ 70(2), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Companies in the supply chain should ensure the necessary resources are available to support the operation and monitoring of the supply chain due diligence process. (Supplement on Tin, Tantalum, and Tungsten Step 1: B.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Companies in the supply chain should ensure the necessary resources are available to support the operation and monitoring of the supply chain due diligence process. (Supplement on Gold Step 1: § I.B.2, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • As is the case with respect to criminal law enforcement authorities, Privacy and Civil Liberties Officers exist at all intelligence agencies. The powers of these officers typically encompass the supervision of procedures to ensure that the respective department/agency is adequately considering priva… (3.2.2 (164), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Firstly, Privacy and Civil Liberties Officers exist within various departments with criminal law enforcement responsibilities. While the specific powers of these officers may vary somewhat depending on the authorising statute, they typically encompass the supervision of procedures to ensure that the… (3.1.2 (108), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • The organization must implement written policies and/or documented procedures to ensure access to services covered by the accreditation. (CORE - 34, URAC Health Utilization Management Standards, Version 6)
  • Establish a mix of management, process, human capital, technology, information, and physical actions and controls that serve governance, management, and assurance needs. (OCEG GRC Capability Model, v 3.0, P1 Controls, OCEG GRC Capability Model, v 3.0)
  • Ensure required support and resources, including change management, are furnished to achieve established objectives and follow direction of the plans. (OCEG GRC Capability Model, v 3.0, A5.10 Enable Execution, OCEG GRC Capability Model, v 3.0)
  • Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance. (§ 3 Principle 6 Points of Focus: Operations Objectives - Forms a Basis for Committing of Resources, COSO Internal Control - Integrated Framework (2013))
  • The resources that are needed to establish, implement, operate, and maintain the business continuity management system must be determined and provided by the organization. (§ 3.2.3.1, BS 25999-2, Business continuity management. Specification, 2007)
  • The organization's management must ensure resources are made available to implement and control the organizational resilience management system. These resources include equipment, technology, personnel, intelligence, information, internal infrastructure, and funding. (§ 4.4.1 ¶ 1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Security event log management should include ensuring the availability of relevant resources. (CF.10.04.03-3, The Standard of Good Practice for Information Security)
  • A Process should be established for providing owners with the necessary skills, tools, staff, and authority to fulfill their responsibilities. (CF.02.05.04a, The Standard of Good Practice for Information Security)
  • The organization should help to ensure the availability of access to information stored in the cloud by investing in robust, reliable Internet connectivity. (CF.16.04.10a, The Standard of Good Practice for Information Security)
  • Security event log management should include ensuring the availability of relevant resources. (CF.10.04.03-3, The Standard of Good Practice for Information Security, 2013)
  • A Process should be established for providing owners with the necessary skills, tools, staff, and authority to fulfill their responsibilities. (CF.02.05.04a, The Standard of Good Practice for Information Security, 2013)
  • The organization should help to ensure the availability of access to information stored in the cloud by investing in robust, reliable Internet connectivity. (CF.16.04.10a, The Standard of Good Practice for Information Security, 2013)
  • ¶ 10 Implementation of the IT Security Plan. The correct implementation of security safeguards relies heavily upon a well structured and documented IT security plan. Security awareness and training associated with each IT system should take place in parallel. When the implementation of the IT secur… (¶ 10, ¶ 10.1, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • The organization shall provide the resources to implement and maintain the quality management system and to meet the customer and regulatory requirements. (§ 6.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Top management shall ensure adequate resources have been provided. (§ 3.2, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • The organization shall identify and provide the infrastructure services and resources needed for implementing and supporting the projects. (§ 6.2.2.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall identify and allocate the resources necessary to achieve the objectives and goals of the project. (§ 6.2.3.3(a)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall request and receive commitments from suppliers for the needed resources to execute the project. (§ 6.3.1.3(d)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall provide adequate resources to conduct Risk Management. (§ 6.3.4.3(a)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall review, approve, and provide the resources necessary to perform plan measurement tasks. (§ 6.3.7.3(a)(6), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Top management shall ensure resources are provided. (§ 4.1.1 ¶ 1(e), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall provide the technical, financial, information, and Human Resources to establish, implement, and maintain the service management system and the services. (§ 4.4.1 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall provide the financial, technical, human, and information resources needed to enhance customer satisfaction. (§ 4.4.1 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall implement and operate the service management system by managing the information resources, Human Resources, and technical resources. (§ 4.5.3 ¶ 1(c), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The planning for new or changed services shall include or contain a reference to the technical resources, Human Resources, financial resources, and information resources. (§ 5.2 ¶ 3(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall determine the resource requirements to implement the selected strategies. The types of resources considered shall include but not be limited to (§ 8.3.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsib… (§ 8.4.4 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • the availability of resources; (§ 6.3 ¶ 2 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • ensuring that the resources needed for the information security management system are available; (§ 5.1 ¶ 1 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • what resources will be required; (§ 6.2 ¶ 4 g), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization should consider the following when allocating resources for risk management: the resources necessary for each step of the risk management process; human resources -- individuals, skills, experience, and competency; the processes, methods, and tools the organization uses for risk man… (§ 4.3.5, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • required resources are available; (§ 4.2.2 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • decision-making, specifically, the strategic deployment of resources. (§ 6.3.3.2.2 ¶ 2 j), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • defines what resources are required to deliver the value generation objectives and how they should be accessed and allocated; (§ 6.2.3.3 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensuring that the resources needed to establish, implement, maintain and improve the OH&S management system are available; (§ 5.1 ¶ 1 d), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • what resources will be required; (§ 6.2.2 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • adequacy of resources for maintaining an effective OH&S management system; (§ 9.3 ¶ 2 e), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • resources needed; (§ 9.3 ¶ 3 Bullet 4, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • ensuring that the resources needed for the quality management system are available; (5.1.1 ¶ 1(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the availability of resources; (6.3 ¶ 2(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • what needs to be obtained from external providers. (7.1.1 ¶ 2(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • determining the resources needed to achieve conformity to the product and service requirements; (8.1 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • what resources will be required; (6.2.2 ¶ 1(b), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • In addition to the guidance of ISO 31000:2018, 5.4.3, top management and oversight bodies, where applicable, should allocate resources and identify individuals: (§ 5.4.3 ¶ 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • ensuring that the resources needed for the IT asset management system are available; (Section 5.1 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the IT asset management system. (Section 7.1 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall provide the resources required for meeting the IT asset management objectives and for implementing the activities specified in the IT asset management plan(s). (Section 7.1 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall determine its information requirements to support its IT assets, IT asset management, IT asset management system and the achievement of its IT asset management objectives and organizational objectives. Requirements may include, but are not limited to financial, purchase, contr… (Section 7.5 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • ensuring that the resources needed for the information security management system are available; (§ 5.1 ¶ 1 c), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • what resources will be required; (§ 6.2 ¶ 4 i), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system. (§ 7.1 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • top management should ensure the availability of resources for an effective ISMS. The resources are needed for the establishment of the ISMS, its implementation, maintenance and improvement, as well as for implementing information security controls. Resources needed for the ISMS include: (§ 5.1 Guidance ¶ 1(c), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the required resources to be committed to execute the activities; (§ 6.2 Guidance ¶ 5 Bullet 2, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • financial resources; (§ 5.1 Guidance ¶ 1(c)(1), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization determines and provides the resources for establishing, implementing, maintaining and continually improving the ISMS. (§ 7.1 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • provide the resources; (§ 7.1 Guidance ¶ 1(h), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • maintain the resources across the whole ISMS processes and specific activities; and (§ 7.1 Guidance ¶ 1(i), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • review the provided resources against the needs of the ISMS, and adjust them as required. (§ 7.1 Guidance ¶ 1(j), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • estimate the resources needed for all the activities related to the ISMS in terms of quantity and quality (capacities and capabilities); (§ 7.1 Guidance ¶ 1(f), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • changes of resources or budget for the ISMS; (§ 9.3 Guidance ¶ 6(j), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • define and implement policies and procedures, including implementation of the controls selected; (§ 7.2.1 ¶ 3 Bullet 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance. (CC3.1 ¶ 4 Bullet 4 Forms a Basis for Committing of Resources, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization should provide the appropriate resources to implement and support the privacy policies. (ID 1.2.5, AICPA/CICA Privacy Framework)
  • The organization should provide resources to implement and support the privacy policy. (Generally Accepted Privacy Principles and Criteria § 1.2.8, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Management should review budgets, personnel assignments, and other resources on an annual basis. (Table Ref 1.2.8, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should provide resources to implement and support the privacy policy. (Table Ref 1.2.8, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Verify the organization has devoted sufficient and appropriate resources for developing, communicating, and supporting the Quality Control policies and procedures. (Ques. AT402(c), Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance. (CC3.1 Forms a Basis for Committing of Resources, Trust Services Criteria)
  • Management uses operations objectives as a basis for allocating resources needed to attain desired operations and financial performance. (CC3.1 ¶ 4 Bullet 4 Forms a Basis for Committing of Resources, Trust Services Criteria, (includes March 2020 updates))
  • The entity has established procedures to evaluate the competency of personnel responsible for designing, developing, implementing, operating, maintaining, and monitoring the system affecting [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confident… (CC1.3, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Principle: Firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes and structures coupl… (Governance and Risk Management for Cybersecurity, Report on Cybersecurity Practices)
  • Does the Business Continuity and Disaster Recovery program include an annual management review of the Business Continuity program for adequacy of resources (people, technology, facilities, and funding)? (§ K.1.2.1, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Are reasonable resources (in time and money) allocated to mitigating identified privacy risks? (§ P.6.2, Shared Assessments Standardized Information Gathering Questionnaire - P. Privacy, 7.0)
  • End user product support documentation shall be made available in alternate formats upon request, at no additional charge. End users shall have access to product descriptions of accessibility and compatibility features in alternate formats/methods upon request, at no additional charge. (§ 1194.41(a), § 1194.41(b), 36 CFR Part 1194 Electronic and Information Technology Accessibility Standards)
  • Senior management must provide adequate resources and training to ensure segregation of duty principles are established, understood, enforced, and institutionalized. (CSR 4.6.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Director of the Office of Management and Budget must oversee agency information security policies and practices, including the coordination of the development of standards and guidelines. This authority does not apply to national security systems. (§ 3543(a)(3), § 3543(b), Federal Information Security Management Act of 2002, Deprecated)
  • A medical device manufacturer shall provide adequate resources to meet the requirements, including, but not limited to, assigning trained personnel, internal quality audits, performance of work, and assessment activities. (§ 820.20(b)(2), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Documentation shall be made available to persons who are responsible to implement the procedures in the documentation. (§ 164.316(b)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Management must identify and provide the appropriate software development environment and resources. (§ 5.2.1 ¶ 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Ensure additional resources for all incidents affecting FBI CJIS Division controlled systems as needed. (§ 5.3.1.1.1 ¶ 1 (3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Management should evaluate whether there are appropriate resources to ensure resilience, including an accessible, off-site repository of software, configuration settings, and related documentation, appropriate backups of data, and off-site infrastructure to operate recovery systems. (IV.A Action Summary ¶ 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the board provides adequate funding to develop and implement a successful information security function. Review whether the institution has the following: (App A Objective 2.9, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the institution's board and management understand and support information security and provide appropriate resources for the implementation of an effective security program. (App A Objective 2.1.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Evaluates whether the institution has the necessary resources, personnel training, and testing to maximize the effectiveness of the controls. (App A Objective 6.5.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should promote effective IT governance by doing the following: - Establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution's information and systems. - Clearly defining and communicati… (I Governance of the Information Security Program, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Are there implemented policies, procedures, and practices to maintain compatibility throughout the credit union's system environment? (IT -Networks Q 32, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Resources required to manage AI risks are taken into account – along with viable non-AI alternative systems, approaches, or methods – to reduce the magnitude or likelihood of potential impacts. (MANAGE 2.1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • The organization should give LAN management the necessary resources, funding, and time. (§ 1.5.5 ¶ 3, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • Utilize technical documentation or resources to implement a new mathematical, data science, or computer science method. (T0392, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must implement the security directives in predetermined time periods or notify the issuing organization the degree of noncompliance. (App F § SI-5.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must ensure information security resources are available for expenditure. (App G § PM-3.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization allocates {organizationally documented allocation of budget and staffing} sufficient resources to implement and operate the organization-wide privacy program. (AR-1c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Allocates [Assignment: organization-defined allocation of budget and staffing] sufficient resources to implement and operate the organization-wide privacy program; (AR-1c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies (GV.RR-03, The NIST Cybersecurity Framework, v2.0)
  • Determine the resources required to correct a control deficiency. The corrective action plan must indicate the types of resources needed (e.g., additional personnel, contract support, training, etc.), including non-financial resources, such as Senior Leadership support for correcting the control def… (Section V (B) ¶ 3 Bullet 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Ensure sufficient resources, to include trained staff and equipment, are provided to effectively execute the corporate security program; (2 ¶ 1 Bullet 2, Pipeline Security Guidelines)
  • the amount of resources available to such company, (§ 38a-999b(b)(1)(B), Connecticut General Statutes Title 38a, Chapter 705, Section 38a - 999b, Comprehensive information security program to safeguard personal information. Certification. Notice requirements for actual or suspected breach. Penalty.)
  • confirming that the covered entity's management has allocated sufficient resources to implement and maintain an effective cybersecurity program. (§ 500.4 Cybersecurity Governance (d)(4), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)