Refrain from assigning roles and responsibilities that breach segregation of duties.
CONTROL ID 12055
CONTROL TYPE Human Resources Management
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain an ethics program., CC ID: 11496
This Control has the following implementation support Control(s):
Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs., CC ID: 12061
Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer., CC ID: 12060
Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer., CC ID: 12059
Prohibit roles from performing activities that they are assigned the responsibility for approving., CC ID: 12052
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Banks should form a separate information security function/group to focus exclusively on information security management. There should be segregation of the duties of the Security Officer/Group dealing exclusively with information systems security and the Information Technology Division which actual… (Information security team/function ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and object… (3.3.1 11 ¶ 1, Final Report EBA Guidelines on ICT and security risk management)
Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorised duties relevant to their respective jobs and positions. (PO4.11 Segregation of Duties, CobiT, Version 4.1)