Delegate authority for specific processes, as necessary.

CONTROL ID: 06780
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Assign and staff all roles appropriately., CC ID: 00784

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The licensed corporation should designate at least two individuals, being Managers-In-Charge of Core Functions (MICs) in Hong Kong, who have the knowledge, expertise and authority to access all of the Regulatory Records kept with an EDSP at any time, and who can ensure that the SFC has effective acc… (7.(g), Circular to Licensed Corporations - Use of external electronic data storage)
  • Accountability for security is increased through clear job descriptions, employment agreements and policy awareness acknowledgements. It is important to communicate the general and specific security roles and responsibilities for all employees within their job descriptions. The job descriptions for … (Critical components of information security 1) 3), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation. (Part III Section 11 (4), Singapore Personal Data Protection Act 2012 (No. 26 of 2012))
  • An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation. (§ 11.(4), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • The organization should have a quality management committee that is granted authority for quality management by the organization's oversight authority. (CORE - 20(a), URAC Health Utilization Management Standards, Version 6)
  • Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It s… (PO4.1 IT Process Framework, CobiT, Version 4.1)
  • ensure that the compliance function has authority to act independently and is not compromised by conflicting priorities, particularly where compliance is embedded in the business. (§ 5.3.3 ¶ 1 e), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • authority and responsibility for the design, consistency and integrity of the compliance management system; (§ 5.3.3 ¶ 1 d) 1), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • When delegating, the governing body should delegate in a manner which increases trust and transparency. For delegation and accountability (see 6.5) to be effective, the governing body should ensure that the following conditions are fulfilled: (§ 4.2.2 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder… (§ 4.3.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • delegating as necessary; (§ 6.3.3.2.1 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that effective delegation is practised (see 4.2.2), as this is necessary for accountability. (§ 6.5.3.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Top management should regularly ensure that the responsibilities and authorities for the ISMS are assigned so that the management system fulfils the requirements stated in ISO/IEC 27001. Top management does not need to assign all roles, responsibilities and authorities, but it should adequately dele… (§ 5.3 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The governing body should seek assurance that active oversight of such controls is delegated to an appropriately resourced member of staff who has the authority to make or instigate responses to issues identified. The use of automated decision-making, delivered by an AI system, does not alter the ac… (§ 6.3 ¶ 5, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • In an entity that has a single board of directors, the board delegates to management the authority to design and implement practices that support the achievement of strategy and business objectives. In turn, management defines roles and responsibilities for the overall entity and its operating units… (Authority and Responsibilities ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Delegates responsibility only to the extent required to achieve the entity's strategy and business objectives (e.g., the review and approval of new products involves the business and support functions, separate from the sales team). (Authority and Responsibilities ¶ 5 Bullet 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management delegates responsibility and tasks to enable personnel to make decisions. Periodically, management may revisit its structures by reducing or adding layers of management, delegating more or less responsibility and tasks to lower levels, or partnering with other entities. (Authority and Responsibilities ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Controls are suitably designed if they have the potential to meet the applicable trust services criteria, thereby enabling the service organization's controls to provide reasonable assurance that the service organization's service commitments and system requirements were achieved. Suitably designed … (¶ 3.106, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Where allowed by standards CIP-002-3 through CIP-009-3, the senior manager may delegate authority for specific actions to a named delegate or delegates. (§ R2.3, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the n… (B. R4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • The Responsible Entity shall implement a documented process to delegate authority, unless no delegations are used. Where allowed by the CIP Standards, the CIP Senior Manager may delegate authority for specific actions to a delegate or delegates. These delegations shall be documented, including the n… (B. R4., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • The State or local educational authority or agency headed by an official listed in §99.31(a)(3) must use a written agreement to designate any authorized representative, other than an employee. The written agreement must— (§ 99.35(a)(3), 34 CFR Part 99, Family Education Rights Privacy Act (FERPA))
  • The CSO is an individual located within the CSA responsible for the administration of the CJIS network for the CSA. Pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. The CSO may delegate responsibilities to subordinate agencies. Th… (§ 3.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Records of individual basic security awareness training and specific information system security training shall be documented, kept current, and maintained by the CSO/SIB Chief/Compact Officer. Maintenance of training records can be delegated to the local level. (§ 5.2.3 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The CSO is an individual located within the CSA responsible for the administration of the CJIS network for the CSA. Pursuant to the Bylaws for the CJIS Advisory Policy Board and Working Groups, the role of CSO shall not be outsourced. The CSO may delegate responsibilities to subordinate agencies. Th… (§ 3.2.2 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Authority. (App A Objective 2:10d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • If the board delegates certain activities regarding the oversight of IT to a committee, review the membership, responsibilities, and activities of the committee. Specifically, determine whether the committee does the following: (App A Objective 2:6, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Training and managing employees in security program practices and procedures; (§ 646A.622(2)(d)(A)(iv), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)