Define and assign the security staff roles and responsibilities.


CONTROL ID
11750
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • These regulations must be reviewed and revised in light of environmental changes. (C1.4. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It is necessary to establish a security management system and designate security managers, as appropriate for the size and structure of the organization, under the overall control of the person who is responsible for security for the company as a whole. (C4.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Performing or delegating the following - day-to-day security administration, approval of exception access requests, appropriate actions on security violations when notified by the security administration, the review and approval of all changes to the application prior to being placed in the producti… (Application owner ¶ 1 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • IT security-specific roles: IT security manager/officer, administrators, specialists; (¶ 27(i)(ii), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • IT security roles and responsibilities that may include: (¶ 27(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • risk management, assurance and compliance roles; and (¶ 27(i)(iv), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • the person(s) and/or committees that are responsible and/or accountable for the day to day ICT security management and the elaboration of the overarching ICT security policies, with attention for their needed independence; (Title 3 3.3.4(b) 55.a(i), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • At a minimum, at least one individual shall be responsible for health information security within the organization. (§ 6.1.1 Health-specific control ¶ 2, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • determine the expected competence for each role within the ISMS and decide if it needs to be documented (e.g. in a job description); (§ 7.2 Guidance ¶ 1(a), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The cloud service customer should confirm the information security roles and responsibilities relating to the cloud service, as described in the service agreement. These can include the following processes: – malware protection; – backup; – cryptographic controls; – vulnerability management;… (§ 15.1.2 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Personnel and training (CIP-004); (B. R1. 1.1 1.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Personnel and training (CIP-004); (B. R1. 1.1 1.1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Perform other related duties outlined by the user agreements with the FBI CJIS Division. (§ 3.2.2 ¶ 1(2)(i), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Information security roles and responsibilities have been identified. (Domain 1: Assessment Factor: Resources, STAFFING Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Determine whether security officers and employees know, understand, and are accountable for fulfilling their security responsibilities. (App A Objective 2.7, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Establishing responsibility and accountability for security personnel and system administrators for monitoring. (App A Objective 8.4.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has security operations that encompass necessary security-related functions, are guided by defined processes, are integrated with lines of business and activities outsourced to third-party service providers, and have adequate resources (e.g., staff and technology). (App A Objective 8, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should design policies and procedures to effectively manage security operations with the following characteristics: - Broadly scoped to address all ongoing security-related functions. - Guided by defined processes. - Integrated with lines of business and third parties. - Appropriately… (III Security Operations, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., FedRAMP Security Controls High Baseline, Version 5)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., FedRAMP Security Controls Low Baseline, Version 5)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. (ID.BE Business Environment, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions. (ID.BE Business Environment, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Define and document information security and privacy roles and responsibilities throughout the system development life cycle; (SA-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., TX-RAMP Security Controls Baseline Level 1)
  • Defines and documents information security roles and responsibilities throughout the system development life cycle; (SA-3b., TX-RAMP Security Controls Baseline Level 2)