Define the objectives and extent of outsourcing operational roles and responsibilities.


CONTROL ID
06383
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization shall define the objectives and extent of outsourcing the development and operations of computer systems before outsourcing them. (O87, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Banks should form a separate information security function/group to focus exclusively on information security management. There should be segregation of the duties of the Security Officer/Group dealing exclusively with information systems security and the Information Technology Division which actual… (Information security team/function ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and (4.6 36(e), Final Report on EBA Guidelines on outsourcing arrangements)
  • It must then be established whether and to what extent any external parties need to be involved in ascertaining the implementation status. For example, this might be necessary if there are any external computer centres, external parent organisations, companies to which parts of business processes or… (§ 8.4.1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Determine to what extent external assistance is required (§ 8.4.1 Subsection 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the processes and activities that are to be outsourced (including the scope and boundaries of the outsourced processes and activities and their interfaces with the organization's own processes and activities); (Section 8.7 ¶ 3(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The role of the criminal justice information services systems officer shall not be outsourced. (§ 3.2.2, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The criminal justice agency shall not outsource the responsibility for the management of approved security requirements. (§ 3.2.2(3)(a), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The criminal justice agency shall not outsource the responsibility for the management control of network security. (§ 3.2.2(3)(b), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • A CGA is a government agency, whether a CJA or a NCJA, that enters into an agreement with a private contractor subject to the CJIS Security Addendum. The CGA entering into an agreement with a contractor shall appoint an agency coordinator. (§ 3.2.6 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Receive information from the CGA (e.g., system updates) and disseminate it to appropriate Contractor employees. (§ 3.2.7 ¶ 1(3), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The CSO is an individual located within the CSA responsible for the administration of the CJIS network for the CSA. Pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. The CSO may delegate responsibilities to subordinate agencies. Th… (§ 3.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • A Covered Entity may choose to utilize an Affiliate or qualified Third Party Service Provider to assist in complying with the requirements set forth in this Part, subject to the requirements set forth in section 500.11 of this Part. (§ 500.10 Cybersecurity Personnel and Intelligence (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)