This Control has the following implementation support Control(s):
Categorize the gender of all employees., CC ID: 15609
Categorize all employees by racial groups and ethnic groups., CC ID: 15627
Establish, implement, and maintain a succession plan for organizational leaders and support personnel., CC ID: 11822
Establish and maintain Personnel Files for all employees., CC ID: 12438
Establish, implement, and maintain onboarding procedures for new hires., CC ID: 11760
Establish, implement, and maintain a personnel security program., CC ID: 10628
Establish, implement, and maintain personnel status change and termination procedures., CC ID: 06549
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
Human resources and physical facilities required for carrying on the business; (Article 53(1)(3), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
The personal suitability of potential employees is verified by means of simple methods (e.g. job interview). (2.1.1 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
work force; (§ 8.1.3 ¶ 1 a) Bullet 5, ISO 45001:2018, Occupational health and safety management systems â Requirements with guidance for use, First Edition)
Hiring policies (¶ 2.140(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (Section 4.D ¶ 1(2)(b), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. (§ 164.308(a)(3)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
Personnel controls (e.g., hiring and retention practices, maintaining appropriate skillsets and knowledge, and activity monitoring processes) to maintain an effective workforce. (VI.A Action Summary ¶ 2 Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Identify and manage the data, personnel, devices, systems, and facilities that enable you to achieve business purposes in accordance with their relative importance to business objectives and your risk strategy; (§ 314.4 ¶ 1(c)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
Establish, resource, implement, and assess cyber workforce management programs in accordance with organizational requirements. (T0376, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Establish, resource, implement, and assess cyber workforce management programs in accordance with organizational requirements. (T0376, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)â, July 7, 2020)
Cybersecurity is included in human resources practices (GV.RR-04, The NIST Cybersecurity Framework, v2.0)
DEVELOP A NATIONAL STRATEGY TO STRENGTHEN OUR CYBER WORKFORCE (STRATEGIC OBJECTIVE 4.6, National Cybersecurity Strategy)
DEVELOP A NATIONAL STRATEGY TO STRENGTHEN OUR CYBER WORKFORCE (STRATEGIC OBJECTIVE 4.6, National Cybersecurity Strategy (Condensed))
Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the risk strategy of the licensee. (Section 27-62-4(d)(2) b., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
Identification and management of the data, personnel, devices, systems and facilities that enable such licensee to achieve such licensee's business purposes in accordance with their relative importance to such licensee's business objectives and risk strategy; (Part VI(c)(4)(B)(ii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§ 8604.(d)(2) b., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with their relative importance to business objectives and the licensee's risk strategy; (§431:3B-203(2)(B), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
Identifying and managing the data, personnel, devices, systems, and facilities that enable the licensee to achieve business purposes in accordance with their relative importance to business objectives and risk strategy. (Sec. 18.(2)(B), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes in accordance with the data, personnel, devices, systems, and facilities relative importance to the licenseeâs business objectives and risk strategy. (507F.4 4.b.(2), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§2504.D.(2)(b), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
Identify and manage the data, personnel, devices, systems and facilities that enable the licensee to achieve its business purposes in accordance with their relative importance to business objectives and the licensee's risk management strategy; (§2264 4.B.(2), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
Identifying and managing the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (Sec. 555.(4)(b)(ii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (§ 60A.9851 Subdivision 4(2)(ii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
Identify and manage the data, personnel, devices, systems and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organizationâs risk strategy; (§ 83-5-807 (4)(b)(ii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy. (§ 420-P:4 IV.(b)(2), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with the business' relative importance to business objectives and the organization's risk strategy; (26.1-02.2-03. 4.b.(2), North Dakota Century Code, Title 26.1, Chapter 26.1â02.2, Sections 1-11, Insurance Data Security)
Identify and manage the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (Section 3965.02 (D)(2)(b), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
identifying and managing the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes in accordance with their relative importance to business objectives and the organization's risk strategy; (SECTION 38-99-20. (D)(2)(b), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve the licensee's business objectives in accordance with the relative importance of the data, personnel, devices, systems, and facilities to the licensee's business objectives and risk strategy… (§ 56-2-1004 (4)(B)(ii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
Identify and manage the data, personnel, devices, systems, and facilities that enable the licensee to achieve its business purposes, taking into consideration the relative importance of the data, personnel, devices, systems, and facilities to the business objectives and risk strategy of the licensee… (§ 601.952(3)(b)2., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
