Include personnel security procedures in the internal control framework.


CONTROL ID
01349
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization should develop Standard Operating Procedures for the information technology security managers, the information technology security officers, the System Administrators, and the users. (Control: 0051, Australian Government Information Security Manual: Controls)
  • The Standard Operating Procedures for the System Administrator should include, at a minimum, the following: securing the system after hours; implementing access rights; adding and removing users; setting user privileges; making appropriate changes after a user leaves the organization; backing up dat… (§ 2.6.5, § 2.6.12, Australian Government ICT Security Manual (ACSI 33))
  • Verify the existence of daily operational security procedures in the security policy and that they include administrative and technical procedures for each of the requirements. (§ 12.2.a, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify the Information Security policies clearly define each person's Information Security responsibilities. (Testing Procedures § 12.4.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must ensure the security policy contains daily operational security procedures in accordance with the PCI DSS requirements. (§ 12.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify the existence of daily operational security procedures in the security policy and that they include administrative and technical procedures for each of the requirements. (§ 12.2 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The security policy and procedures must clearly define all personnel's Information Security responsibilities. (PCI DSS Requirements § 12.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Do security policy and procedures clearly define information security responsibilities for all personnel? (PCI DSS Question 12.4, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Do security policy and procedures clearly define information security responsibilities for all personnel? (PCI DSS Question 12.4, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Do security policy and procedures clearly define information security responsibilities for all personnel? (PCI DSS Question 12.4, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Do security policy and procedures clearly define information security responsibilities for all personnel? (PCI DSS Question 12.4, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Do security policy and procedures clearly define information security responsibilities for all personnel? (PCI DSS Question 12.4, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Do security policy and procedures clearly define information security responsibilities for all personnel? (PCI DSS Question 12.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Do security policy and procedures clearly define information security responsibilities for all personnel? (PCI DSS Question 12.4, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Do security policy and procedures clearly define information security responsibilities for all personnel? (PCI DSS Question 12.4, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Local information security co-ordinators shall have documented standards / procedures to support day-to-day Information Security activities. (CF.12.02.03d, The Standard of Good Practice for Information Security)
  • The information security policy should define associated responsibilities. (CF.01.01.02-2, The Standard of Good Practice for Information Security)
  • Local information security co-ordinators shall have documented standards / procedures to support day-to-day Information Security activities. (CF.12.02.03d, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should define associated responsibilities. (CF.01.01.02-2, The Standard of Good Practice for Information Security, 2013)
  • Descriptions of the product security environment in documentation should identify and explain all organizational security policies in terms of rules, practices, and/or guidelines. (§ 8.3.2.3.3, § 9.3.2.3.3, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The system security plan must clearly identify who is responsible for managing access to computer resources and who owns the resources. The system security plan must clearly define the security roles, responsibilities, and expectations for information resources management and data processing personn… (CSR 1.5.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Create a MFD/printer Security Policy. This policy should contain procedures for acceptable use of device storage and retransmission of data; verification that devices are not being shared on networks of different classification levels; procedures for scrubbing or disposing of hard disks when devices… (MFD06.002, Multi-Function Device (MFD) and Printer Checklist for Sharing Peripherals Across the Network Security Technical Implementation Guide, Version 1 Release 1.3)
  • Is the written security program designed to protect the Credit Union office from burglaries, robberies, embezzlement, and larcenies? (IT - 748 Compliance Q 1a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • In the security policy, the organization should identify the role of each employee for ensuring the LAN and the information it carries are adequately protected. (§ 1.5.5 ¶ 2, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • The security awareness and training policy must include the roles, objectives, and responsibilities for the program as it relates to protecting assets and personnel. (SG.AT-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. (MA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. (MA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents in the security plan for the information system, the policies and procedures for the establishment and use of nonlocal maintenance and diagnostic connections. (MA-4(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)