GV.PO-P3: Roles and responsibilities for the workforce are established with respect to privacy
CSF v1.1 References:
Description
[csf.tools Note: Subcategories do not have detailed descriptions.]
Related Controls
NIST Special Publication 800-53 Revision 5
AC-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] access control policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
AT-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] awareness and training policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the…
AU-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] audit and accountability policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the…
CA-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] assessment, authorization, and monitoring policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
CM-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] configuration management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
CP-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] contingency planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
CP-2: Contingency Plan
Develop a contingency plan for the system that: Identifies essential mission and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential mission and business functions despite a system disruption, compromise, or failure; Addresses eventual, full system restoration without deterioration…
IA-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] identification and authentication policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the…
IR-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] incident response policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
MA-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] maintenance policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of…
MP-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] media protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
PE-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] physical and environmental protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
PL-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] planning policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of…
PM-1: Information Security Program Plan
Develop and disseminate an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and…
PM-2: Information Security Program Leadership Role
Appoint a senior agency information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
PM-3: Information Security and Privacy Resources
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and Make available…
PM-13: Security and Privacy Workforce
Establish a security and privacy workforce development and improvement program.
PM-18: Privacy Program Plan
Develop and disseminate an organization-wide privacy program plan that provides an overview of the agency’s privacy program, and: Includes a description of the structure of the privacy program and the resources dedicated to the privacy program; Provides an overview of the requirements for the privacy program and a description of the privacy program management controls…
PM-19: Privacy Program Leadership Role
Appoint a senior agency official for privacy with the authority, mission, accountability, and resources to coordinate, develop, and implement, applicable privacy requirements and manage privacy risks through the organization-wide privacy program.
PM-29: Risk Management Program Leadership Roles
Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.
PS-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] personnel security policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
PS-7: External Personnel Security
Establish personnel security requirements, including security roles and responsibilities for external providers; Require external providers to comply with personnel security policies and procedures established by the organization; Document personnel security requirements; Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or…
PS-9: Position Descriptions
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
PT-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] personally identifiable information processing and transparency policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures…
RA-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] risk assessment policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation…
SA-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] system and services acquisition policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
SC-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] system and communications protection policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
SI-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] system and information integrity policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
SR-1: Policy and Procedures
Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]: [Assignment (one or more): organization-level, mission/business process-level, system-level] supply chain risk management policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate…
Cloud Controls Matrix v3.0.1
GRM-05: Management Support/Involvement
Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned.
HRS-10: User Responsibility
All personnel shall be made aware of their roles and responsibilities for: Maintaining awareness and compliance with established policies and procedures and applicable legal, statutory, or regulatory compliance obligations. Maintaining a safe and secure working environment
IAM-09: User Access Authorization
Provisioning user access (e.g., employees, contractors, customers (tenants), business partners, and/or supplier relationships) to data and organizationally-owned or managed (physical and virtual) applications, infrastructure systems, and network components shall be authorized by the organization’s management prior to access being granted and appropriately restricted as per established policies and procedures. Upon request, provider shall inform customer…
STA-05: Supply Chain Agreements
Supply chain agreements (e.g., SLAs) between providers and customers (tenants) shall incorporate at least the following mutually-agreed upon provisions and/or terms: Scope of business relationship and services offered (e.g., customer (tenant) data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities…
Critical Security Controls Version 8
15: Service Provider Management
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
17: Incident Response Management
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
NIST Special Publication 800-53 Revision 4
AC-1: Access Control Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and Reviews and updates the current: Access control policy [Assignment:…
AT-1: Security Awareness And Training Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls; and Reviews and…
AU-1: Audit And Accountability Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and Reviews and updates the current:…
CA-1: Security Assessment And Authorization Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls; and Reviews and…
CM-1: Configuration Management Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and Reviews and updates the current: Configuration management policy…
CP-1: Contingency Planning Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls; and Reviews and updates the current: Contingency planning policy…
CP-2: Contingency Plan
The organization: Develops a contingency plan for the information system that: Identifies essential missions and business functions and associated contingency requirements; Provides recovery objectives, restoration priorities, and metrics; Addresses contingency roles, responsibilities, assigned individuals with contact information; Addresses maintaining essential missions and business functions despite an information system disruption, compromise, or failure; Addresses eventual, full…
IA-1: Identification And Authentication Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the identification and authentication policy and associated identification and authentication controls; and Reviews and updates the current:…
IR-1: Incident Response Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the incident response policy and associated incident response controls; and Reviews and updates the current: Incident response policy…
MA-1: System Maintenance Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system maintenance policy and associated system maintenance controls; and Reviews and updates the current: System maintenance policy…
MP-1: Media Protection Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A media protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the media protection policy and associated media protection controls; and Reviews and updates the current: Media protection policy…
PE-1: Physical And Environmental Protection Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A physical and environmental protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the physical and environmental protection policy and associated physical and environmental protection controls; and Reviews and…
PL-1: Security Planning Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the security planning policy and associated security planning controls; and Reviews and updates the current: Security planning policy…
PM-1: Information Security Program Plan
The organization: Develops and disseminates an organization-wide information security program plan that: Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; Includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational…
PM-2: Senior Information Security Officer
The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.
PM-3: Information Security Resources
The organization: Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement; Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and Ensures that information security resources are available for expenditure as planned.
PM-13: Information Security Workforce
The organization establishes an information security workforce development and improvement program.
PS-1: Personnel Security Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A personnel security policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the personnel security policy and associated personnel security controls; and Reviews and updates the current: Personnel security policy…
PS-7: Third-Party Personnel Security
The organization: Establishes personnel security requirements including security roles and responsibilities for third-party providers; Requires third-party providers to comply with personnel security policies and procedures established by the organization; Documents personnel security requirements; Requires third-party providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of third-party personnel who possess organizational…
RA-1: Risk Assessment Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls; and Reviews and updates the current: Risk assessment policy…
SA-1: System And Services Acquisition Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and services acquisition policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls; and Reviews and…
SC-1: System And Communications Protection Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and Reviews and…
SI-1: System And Information Integrity Policy And Procedures
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls; and Reviews and…
Critical Security Controls Version 7.1
19: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.