5.2.3 Staff shall have delineated roles, responsibilities, and authorizations related to implementing changes
|Status|Ready for review|
|Compliance Rating|Fully compliant|
The repository staff shall have delineated roles, responsibilities, and authorizations related to implementing changes within the system.
This is necessary to ensure that individuals have the authority to implement changes, that adequate resources have been assigned to the effort, and that the responsible individuals are accountable for implementing those changes.
Examples for Meeting the Requirement
Repository employs the codes of practice found in the ISO 27000 series of standards; organizational chart; system authorization documentation. Repository maintains ISO 17799 certification.
Authorizations are about who can do what: who can add users, who can change metadata, and who can access audit logs. It is important that authorizations are justified, that staff understand what they are authorized to do, that staff have the skills required for their roles and authorizations, and that there is a consistent view of this across the organization.
Additional threat models and mitigations are described on our Risk Management, Threats, and Mitigations page.