Assign roles and responsibilities for physical security, as necessary.


CONTROL ID
13113
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define and assign workforce roles and responsibilities., CC ID: 13267

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance. Establish risk and security management… (PO4.8 Responsibility for Risk, Security and Compliance, CobiT, Version 4.1)
  • Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood. (9.1.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 9 are documented and assigned. (9.1.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel with responsibility for performing activities in Requirement 9 to verify that roles and responsibilities are assigned as documented and are understood. (9.1.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood. (9.1.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Roles and responsibilities for performing activities in Requirement 9 are documented, assigned, and understood. (9.1.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The individuals who fulfill the organization's physical and cybersecurity objectives (employees or outsourced) have been informed of their roles and responsibilities. (PR.AT-5.1, CRI Profile, v1.2)
  • Physical and information security personnel understand roles and responsibilities. (PR.AT-5, CRI Profile, v1.2)
  • The individuals who fulfill the organization's physical and cybersecurity objectives (employees or outsourced) have been informed of their roles and responsibilities. (PR.AT-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Responsibilities for implementing security and environmental controls. (App A Objective 14:1e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Responsibility for the physical location as well as the on-premise equipment and systems in entity-owned versus outsourced operating centers. (App A Objective 14:1a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Coordination of both information and physical security. (App A Objective 2.5.h, FFIEC Information Technology Examination Handbook - Information Security, September 2016)