5.2.3 Staff shall have delineated roles, responsibilities, and authorizations related to implementing changes

Status: Ready for review
Compliance Rating: Fully compliant
Responsible: Not assigned


The repository staff shall have delineated roles, responsibilities, and authorizations related to implementing changes within the system.

Supporting Text

This is necessary in order to ensure that individuals have the authority to implement changes, that adequate resources have been assigned for the effort, and that the responsible individuals will be accountable for implementing such changes.

Examples for Meeting the Requirement

Repository employs the codes of practice found in the ISO 27000 series of standards; organizational chart; system authorization documentation. Repository maintains ISO 17799 certification.

Discussion

Authorizations are about who can do what: who can add users, who has access to change metadata, who can access audit logs. It is important that authorizations are justified, that staff understand what they are authorized to do, that staff have the skills required for their roles and authorizations, and that there is a consistent view of this across the organization.

Evidence Provided

The delineated roles and responsibilities have been documented in the Security section as well as the APTrust Staff section and section 3.2.1.

Additional threat models and mitigations are described on our Risk Management, Threats, and Mitigations page.