Define and assign workforce roles and responsibilities.


CONTROL ID
13267
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Human Resources management, CC ID: 00763

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain cybersecurity roles and responsibilities., CC ID: 13201
  • Assign roles and responsibilities for physical security, as necessary., CC ID: 13113
  • Document the use of external experts., CC ID: 16263
  • Define and assign roles and responsibilities for those involved in risk management., CC ID: 13660
  • Assign the roles and responsibilities for the change control program., CC ID: 13118
  • Identify and define all critical roles., CC ID: 00777
  • Define and assign the roles and responsibilities of security guards., CC ID: 12543
  • Define and assign roles and responsibilities for dispute resolution., CC ID: 13626
  • Define and assign the roles for Legal Support Workers., CC ID: 13711


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • If it is assumed that new services are provided and environment changes are made, changes in the amount of office work should be considered according to the assumption in cooperation with business departments. (P47.2. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • All defined and documented responsibilities and accountabilities must be established and communicated to all relevant personnel and management. Some of the major ones include: (Critical components of information security 4) ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • APRA envisages that a regulated entity would establish a clear allocation of responsibilities for monitoring processes, with appropriate tools in place to enable timely detection. Access controls and segregation of duties would typically be used as a means to safeguard the integrity of the monitorin… (69., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Maintaining a particular level of security always requires financial, personnel, and time-related resources that must be made available in sufficient quantities by the management level. If set objectives cannot be achieved due to a lack of resources, it is not the fault of the persons responsible fo… (§ 5 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Making sure that employees, service providers and suppliers understand their tasks, that they are aware of their responsibility with regard to information security and that the assets of the organisation are protected if the tasks are modified or completed. (Section 5.3 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • The employees and external business partners are informed of their duties. If necessary, they agree to or commit themselves contractually to promptly report all security events to a previously specified central body. Furthermore, information is provided that "incorrect notifications" of events which… (Section 5.13 SIM-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The requirements for employees with respect to their job profiles are determined and fulfilled. (2.1.1 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • Sensitive work fields and jobs are determined. (2.1.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • When the actions result in changes to the environmental management system, related documented information and competence needs should be updated, as applicable, and the changes should be communicated to those who need to know. Management should ensure that corrective actions and actions to prevent p… (10.2 ¶ 7, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • Top management should ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. (§ 5.3.1 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization; (§ 5.3.3 ¶ 2 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. (§ 5.3 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • the allocation or reallocation of responsibilities and authorities. (§ 6.3 ¶ 2 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Special attention needs to be placed upon the roles and responsibilities of temporary or short-term staff such as locums, students, interns, etc. (§ 7.1.2 Health-specific control ¶ 2, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by: - customizing and implementing all components of the framework; - issuing a statement or policy that establi… (§ 5.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • "Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about f… (§ 4.2.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body and top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. (§ 5.3.1 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • provide mechanisms, time, training and resources necessary for consultation and participation; (§ 5.4 ¶ 2 a), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization. (5.3 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The governing body and top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization. (§ 5.3.1 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • assign responsibility for reporting (see 9.1.4) on the compliance management system to governing body and top management; (§ 5.3.1 ¶ 4 c), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Management and the board of directors evaluate and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance. (CC1.5 ¶ 3 Bullet 4 Considers Excessive Pressures, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • In an entity that has a single board of directors, the board delegates to management the authority to design and implement practices that support the achievement of strategy and business objectives. In turn, management defines roles and responsibilities for the overall entity and its operating units… (Authority and Responsibilities ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The human resource function helps promote competence by assisting management in developing job descriptions and roles and responsibilities, facilitating training, and evaluating individual performance for managing risk. Management considers the following factors when developing competence requiremen… (Establishing and Evaluating Competence ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Roles and responsibilities for internal dependency management are defined and assigned. (DM.ID-2, CRI Profile, v1.2)
  • Roles and responsibilities for internal dependency management are defined and assigned. (DM.ID-2.1, CRI Profile, v1.2)
  • Roles and responsibilities for the entire cybersecurity workforce and directly managed third-party personnel are established, well-defined and aligned with internal roles and responsibilities. (ID.AM-6.1, CRI Profile, v1.2)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The titles of the persons or offices responsible for receiving and processing requests for access by individuals. (§ 164.524(e)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Review of denial requested. If the individual has requested a review of a denial under paragraph (a)(4) of this section, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must p… (§ 164.524(d)(4), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be ap… (§ 164.512(i)(2)(iv)(B), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Determine whether management assigned responsibilities for the AIO functions based on the complexity of the architecture needs and assess the effectiveness of the entity's separation of duties across the functions, particularly in situations where architecture responsibilities are combined with othe… (App A Objective 2:9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Responsibilities within the AIO functions through defining those responsibilities and determining the effectiveness of the IT strategic planning process. (App A Objective 2:5b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Responsibilities. (App A Objective 2:10b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management identifies internal and external roles and responsibilities for AIO activities and implements processes to oversee those activities performed by third-party service providers. Assess whether management appropriately assigned and defined the responsibility and oversight o… (App A Objective 7:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Definition of duties, responsibilities, expectations, and accountability. (App A Objective 14:4b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., FedRAMP Security Controls High Baseline, Version 5)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., FedRAMP Security Controls Low Baseline, Version 5)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Supervise and assign work to programmers, designers, technologists and technicians, and other engineering and scientific personnel. (T0337, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Roles and responsibilities for the workforce are established with respect to privacy. (GV.PO-P3, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Supervise and assign work to programmers, designers, technologists and technicians, and other engineering and scientific personnel. (T0337, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., TX-RAMP Security Controls Baseline Level 1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., TX-RAMP Security Controls Baseline Level 2)