Define and assign the technology security leader's roles and responsibilities.


CONTROL ID
01897
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • O3: The organization shall establish a security management system that designates the individuals and offices that will be in charge of security management and defines the scope of their tasks, responsibilities, and authority. O3.2: The organization shall establish a security management system and … (O3, O3.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization must designate an information technology security manager as the Information Technology Security Advisor who is responsible for information technology security management across the organization. (Control: 0013, Australian Government Information Security Manual: Controls)
  • The organization must appoint at least 1 individual as the information technology security officer who is responsible for administering and configuring systems and analyzing and reporting on Information Security issues. (Control: 0768, Australian Government Information Security Manual: Controls)
  • The policy framework might include the Information Technology security-specific roles, e.g., Information Technology officer, Information Technology manager, specialists, administrators. (¶ 27(i)(ii), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • IT security-specific roles: IT security manager/officer, administrators, specialists; (¶ 27(i)(ii), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The Security Officer should have detailed knowledge of and experience with the operating systems, access controls, and auditing features of the organization's systems and have no other roles or responsibilities. The Security Officer should be responsible for identifying and recommending security imp… (§ 2.1.8, § 2.1.9, § 2.1.12 thru § 2.1.17, § 2.6.5, § 2.6.10, Australian Government ICT Security Manual (ACSI 33))
  • IT Security Officer (CISO) (Section 5.1 OIS-03 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • The information security administrator must be appointed by the data controller and must supervise the compliance with the required security principles. (Art 35.3, Poland Protection of Personal Data Act)
  • The organization must designate a Security Officer who is responsible for the day-to-day aspects of protective security. (Mandatory Requirement 4, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must immediately report the appointment of a new departmental security officer. (Mandatory Requirement 7.a, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must designate an information technology security officer. This individual is responsible for securing information in electronic form. (Mandatory Requirement 35.c, HMG Security Policy Framework, Version 6.0 May 2011)
  • ¶ 6: The contractor must appoint the following individuals: • A security controller. This individual must be a British citizen and is responsible to the board level contact for day-to-day security aspects. • A clearance contact. This individual is responsible for coordinating the security cle… (¶ 6.b, ¶ 6.c, ¶ 6.e, ¶ 6.g, ¶ 9, ¶ 50, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • The organization is required to nominate two individuals: a security controller for day-to-day aspects and a board contact who accepts responsibility for security and to whom the security controller reports. The security controller role is unlikely to be full-time, except in large organizations, and… (App 3 ¶ 14, The Contractual process, Version 5.0 October 2010)
  • What is the authority of the Chief Information Security Officer to enforce corporate policy and procedure regarding cyber risk and security? (Table Row I.6, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • If you do not have a Chief Information Security Officer who is responsible for cyber-security, what role does that person play? (Table Row I.7, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The Chief Information Security Officer (CISO) is responsible for developing and implementing the information security policy with the Chief Security Officer; controlling and coordinating information security resources; ensuring information security and business objectives are properly aligned; manag… (§ 7.2.5, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The information systems security manager should administer the daily operational tasks; assess the performance of the information systems security policy; and provide overall management of the information systems security policy. The system security manager should be responsible for the daily securi… (Pg 12-IV-3 thru Pg 12-IV-5, Pg 23-VI-5, Revised Volume 1 Pg 2-II-2, Protection of Assets Manual, ASIS International)
  • The chief information security officer should ensure the ongoing effectiveness of information security arrangements by monitoring security performance using information that is timely and accurate. (SG.01.02.07d, The Standard of Good Practice for Information Security)
  • The chief information security officer should ensure the ongoing effectiveness of information security arrangements by monitoring security performance using information that is timely and accurate. (SG.01.02.07e, The Standard of Good Practice for Information Security, 2013)
  • Outsourced service providers should ensure that a security function and role has been implemented for monitoring and controlling logical access, to include periodically analyzing log files and other checks of selected ICT systems. (§ 7.5.8(a), ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Information security responsibilities should be clearly defined to include the assets and security processes associated with each system, authorization levels, and the entity responsible for each asset. (§ 6.1.3, ISO 27002 Code of practice for information security management, 2005)
  • The organization has designated appropriate roles and responsibilities, including an individual responsible for cybersecurity for the organization. (Roles and Responsibilities (GV.RR), CRI Profile, v1.2)
  • The organization has designated a Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing cybersecurity strategy, overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy. (GV.RR-2.1, CRI Profile, v1.2)
  • The organization has designated a Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing cybersecurity strategy, overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy. (GV.RR-2.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The Information Systems Security Program Manager should establish the Information Systems Security (ISS) program; procedures for accrediting all systems; a training and awareness program; and ISS guidance. The Information Systems Security Manager should oversee the ISS training and awareness program… (§ 1-6.d(1), § 1-6.d(2), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • § 2.2: CMS business partners shall designate a primary system security officer (SSO) to manage the Medicare information security program and ensure safeguards are implemented. The SSO shall be organizationally independent from the information technology operations and cannot have responsibility for… (§ 2.2, App A § 8.2, CMS Business Partners Systems Security Manual, Rev. 10)
  • At a minimum, the Information system security officer/system security officer is responsible for assisting the chief information security officer (CISO) in identifying, implementing, and assessing security controls; liaising between the business owners and the CISO; and taking an active role in deve… (§ 1.3, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • CSR 1.5: The organization shall clearly assign information security responsibilities. CSR 1.5.2: The organization must designate a system security officer who is qualified to manage the Medicare system security program at an overall level and subordinate levels and to verify necessary safeguards are… (CSR 1.5, CSR 1.5.2, CSR 1.5.4, CSR 1.5.5, CSR 1.5.7, CSR 2.13.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The Information System Security Officer/System Security Officer is responsible for: assisting the Chief Information Security Officer (CISO) in identifying, implementing, and assessing security controls; liaising with business owners and the CISO; and assisting in the system accreditation. (§ 1.4, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • The senior agency information security officer must carry out the Chief Information Officer's responsibilities; possess professional qualifications; have the primary duty of information security; and head an office that will assist in ensuring agency compliance. (§ 3544(a)(3)(A), Federal Information Security Management Act of 2002, Deprecated)
  • The Information Assurance Manager must track the privileged role assignments. (ECPA-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Information Systems Security Officer (ISSO) responsibilities are assigned by the Information Systems Security Manager. The responsibilities may include identifying and documenting unique threats; ensuring security measures are implemented; performing risk assessments; developing certification te… (§ 8-104, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The criminal justice information services systems officer shall ensure that a local agency security officer has been appointed in each agency that has access to criminal justice information. (§ 3.2.2(2)(e), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The federal bureau of investigation criminal justice information services division information security officer shall be the liaison with each agency's Information Security Officer and provide them with technical guidance on operational and technical policy issues. (§ 3.2.10(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification tes… (§ 3.2.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The CSO is an individual located within the CSA responsible for the administration of the CJIS network for the CSA. Pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. The CSO may delegate responsibilities to subordinate agencies. Th… (§ 3.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • An AC is a staff member of the CGA who manages the agreement between the Contractor and agency. The AC shall be responsible for the supervision and integrity of the system, training and continuing education of employees and operators, scheduling of initial training and testing, and certification tes… (§ 3.2.7 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The IT function should have ownership and accountability for testing the recovery of the IT systems and maintaining the test environment. (Pg H-2, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The information security officer should report directly to the Board of Directors or senior management rather than through the IT department to maintain his/her independence. (Pg 9, FFIEC IT Examination Handbook - Management)
  • Does the Credit Union Information Technology policy include designating a Security Officer to be responsible for ensuring compliance to policies? (IT - Policy Checklist Q 2, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has responsibility for monitoring compliance with security policies, procedures, and practices been clearly defined? (IT - Security Program Q 22, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Identify the individual who has final responsibility for security. (§ 4.2.1 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The organization must assign responsibilities for system administrators to enroll new clients, delete inactive accounts, and identify and correct system malfunctions. (§ 8.4 ¶ 1, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • The Senior Agency Information Security Officer should ensure that the disposition and sanitization requirements in the information security policy are implemented and are tested in a timely manner. The Information System Security Officer should coordinate the day-to-day security of the system(s) he/… (§ 3.5, § 3.6, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • The senior information security officer is responsible for coordinating with the common control providers to ensure required controls are developed, implemented, and assessed for effectiveness. (§ 2.3 ¶ 5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Information systems security officers (ISSOs) are responsible for overseeing the organization's security programs; playing a leading role in identifying, evaluating, and minimizing system risks; and acting as primary consultants to senior management. IT security practitioners are responsible for imp… (§ 2.3, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)
  • § A.3.a.1: Responsibility for each general support system's security shall be assigned to an individual who is knowledgeable in the system and in providing security for the system. § A.3.b.1: Responsibility for the security of major applications shall be assigned to a management official who is k… (§ A.3.a.1, § A.3.b.1, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)