Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program.


CONTROL ID
13112
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The establishment of the above system must be ordered and approved by management. (C4.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Developing and facilitating the implementation of information security policies, standards and procedures to ensure that all identified risks are managed within a bank's risk appetite (Information Security Committee ¶ 3 Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Banks should form a separate information security function/group to focus exclusively on information security management. There should be segregation of the duties of the Security Officer/Group dealing exclusively with information systems security and the Information Technology Division which actual… (Information security team/function ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and busin… (3.2.1 2, Final Report EBA Guidelines on ICT and security risk management)
  • The policy should include a description of the main roles and responsibilities of information security management, and it should set out the requirements for staff and contractors, processes and technology in relation to information security, recognising that staff and contractors at all levels have… (3.4.1 29, Final Report EBA Guidelines on ICT and security risk management)
  • the person(s) and/or committees that are responsible and/or accountable for the day to day ICT security management and the elaboration of the overarching ICT security policies, with attention for their needed independence; (Title 3 3.3.4(b) 55.a(i), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the protection of critical ICT systems and services by adopting for example a vulnerability assessment process, software patch management, end point protection (e.g. malware virus), Intrusion detection and prevention tools; (Title 3 3.3.4(b) 55.a(iii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • a list of the various actors involved in the implementation of the national strategy on the security of network and information systems. (Art. 7.1(g), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • The topmost management level must initiate, manage and supervise the security process. This, for example, involves the following tasks: (§ 4.1(2) ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The topmost management level of every government agency and company is responsible for the organisation working in a targeted and proper manner and is therefore also responsible for assuring information security both on the inside and out. Depending on the country and type of organisation, this can … (§ 4.1(1) ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The overall responsibility for information security remains with the management level. (§ 7.2 ¶ 2(1), BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • In order to secure direct access to the organisation's management, the role of the ISO should be organised as an executive department. At management level, the information security role should be clearly assigned to one responsible manager whom the ISO directly reports to. (§ 7.2 ¶ 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Achieving and/or maintaining an appropriate and sufficient level of information security in the organisation requires a planned approach on the one hand and an adequate organisational structure on the other hand. Furthermore, it is required to define security objectives and a strategy for achieving … (§ 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The management level must initiate, control and monitor the security process. This requires strategic guiding statements regarding the information security, on the one hand, and general organisational conditions, on the other. The structure of a functional security process and reasonable organisatio… (§ 2.6 Subsection 1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The top management level must initiate, control and monitor the security process. The management level is the instance that takes decisions on handling risks and must provide the relevant resources. The responsibility for information security remains on such level. However, the operative tasks of "i… (§ 3.1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Since the security policy represents a central strategy paper for information security in an organisation, it must be designed such that all addressed organisational units can identify with its content. Therefore, as many departments as possible should be involved in its preparation. After all, each… (§ 3.4.1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The management level accepts overall responsibility for information security. (§ 3.1 Subsection 3 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Identification with the objectives of information security, overview of the tasks and goals of the organisation. (§ 4.4 Subsection 2 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • It is recommended to install the position of the Information Security Officer as a staff department, i.e. a position directly allocated to the management level, which does not receive orders from other bodies. In any case the ISO must have the direct right of recitation at any time with the manageme… (§ 4.4 Subsection 4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Many subtasks of security management directly depend on tasks of IT operations. The ISO creates specifications for secure operation of IT systems and networks, and the IT operations must implement these specifications. Thus, security management and IT operations must closely collaborate and regularl… (§ 4.10 Subsection 1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • determining information on training and awareness needs of employees in the ICS area and initiating activities, and (§ 4.7 ¶ 8 Bullet 9, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • One of the main tasks of the security management is to show the information security risks to the management level and to correspondingly create transparency regarding required decisions or actions. For this, the ISO must get an overview on the business processes and/or specialised tasks that are es… (§ 8.1.2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The institution shall ensure that appropriate staff, in terms of both quality and quantity, are available for information risk management, information security management, IT operations and application development in particular. (II.2.5, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The institution shall establish an information security officer function. This function is responsible for all information security issues within the institution and with regard to third parties. It ensures that information security objectives and measures defined in the institution's IT strategy, i… (II.4.18, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Assign to an individual or team the following information security management responsibilities: (12.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Assign to an individual or team the following information security management responsibilities: (12.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Examine information security policies and procedures to verify: - The formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management. - The following information security responsibilities are specifically and formally assigned: (12.5, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities. (12.1.3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine the information security policy to verify that they clearly define information security roles and responsibilities for all personnel. (12.1.3.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities. (12.1.3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities. (12.1.3, Self-Assessment Questionnaire B and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities. (12.1.3, Self-Assessment Questionnaire B-IP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities. (12.1.3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities. (12.1.3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities. (12.1.3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The security policy clearly defines information security roles and responsibilities for all personnel, and all personnel are aware of and acknowledge their information security responsibilities. (12.1.3, Self-Assessment Questionnaire P2PE and Attestation of Compliance for use with PCI DSS Version 4.0)
  • reporting on the performance of the information security management system to top management. (§ 5.3 ¶ 2 b), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • reporting on the performance of the information security management system to top management. (§ 5.3 ¶ 2 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Top management should regularly ensure that the responsibilities and authorities for the ISMS are assigned so that the management system fulfils the requirements stated in ISO/IEC 27001. Top management does not need to assign all roles, responsibilities and authorities, but it should adequately dele… (§ 5.3 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • determine the preliminary scope: this activity should be conducted by a small, but representative group of management representatives; (§ 4.3 Guidance ¶ 1(f), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • top management should support persons to whom roles and responsibilities relating to information security management have been assigned, so that they are motivated and able to direct and support information security activities within their area. (§ 5.1 Guidance ¶ 1(h), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • approval of the scope: the documented information describing the scope should be formally approved by top management. (§ 4.3 Guidance ¶ 1(i), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • coordinating the establishment, implementation, maintenance, performance reporting, and improvement of the ISMS; (§ 5.3 Guidance ¶ 2(a), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • results of information security risk assessment(s) and status of information security risk treatment plan; and (§ 9.3 Guidance ¶ 4(e), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Organization has appointed a manager responsible for cybersecurity efforts within the organization, including authority, sufficient budget, and access to the executive suite and appropriate governing authority (e.g., the Board or one of its committees). (GV.RR-2, CRI Profile, v1.2)
  • ensure that senior agency officials, including chief information officers of component agencies or equivalent officials, carry out responsibilities under this subchapter as directed by the official delegated authority under paragraph (3); and (§ 3554(a)(6), Federal Information Security Modernization Act of 2014)
  • Designated members of management are held accountable by the board or an appropriate board committee for implementing and managing the information security and business continuity programs. (Domain 1: Assessment Factor: Governance, OVERSIGHT Baseline 1 ¶ 1, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Establishment of appropriate policies, standards, and procedures to support the information security program. (App A Objective 2.5.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the board, or a committee of the board, is responsible for overseeing the development, implementation, and maintenance of the institution's information security program. (App A Objective 2.2, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Central oversight and coordination. (App A Objective 2.3.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management of the information security program is appropriate and supports the institution's ITRM process, integrates with lines of business and support functions, and integrates third-party service provider activities with the information security program. (App A Objective 3, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Departmental management and the quality of internal controls, including separation of duties and dual control procedures, for bankcard, ATM and debit card, ACH, check items, and electronic banking payment transaction processing, clearance, and settlement activity. (App A Tier 1 Objectives and Procedures Objective 3:1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Departmental management and the quality of information security and GLBA 501(b) compliance policies relating to retail payment system-generated customer data. (App A Tier 1 Objectives and Procedures Objective 3:1 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Established management accountability throughout the business line, including an established process to report monitoring conclusions and exceptions to executive management; (App A Tier 2 Objectives and Procedures M.4 Bullet 1 Sub-Bullet 5, Sub-Sub Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Oversee the development, implementation, and maintenance of the credit union's information security program, including assigning specific responsibility for its implementation and reviewing reports from management. (§ 748 Appendix A. III.A.2., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Lead and oversee information security budget, staffing, and contracting. (T0135, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide leadership in the planning, design and evaluation of privacy and security related projects (T0897, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collaborate on cyber privacy and security policies and procedures (T0871, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Synchronize cyber portions of security cooperation plans. (T0826, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Lead and oversee information security budget, staffing, and contracting. (T0135, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collaborate on cyber privacy and security policies and procedures (T0871, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide leadership in the planning, design and evaluation of privacy and security related projects (T0897, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Synchronize cyber portions of security cooperation plans. (T0826, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Oversee the development, implementation, and maintenance of the national bank's or Federal savings association's information security program, including assigning specific responsibility for its implementation and reviewing reports from management. (§ III. A. 2., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Designating one or more employees to coordinate the security program; (§ 646A.622(2)(d)(A)(i), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)