Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.


CONTROL ID
00676
CONTROL TYPE
Actionable Reports or Measurements
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Standard § I.2(5).4: The organization must develop a method for reporting information to the appropriate personnel, according to the degree and nature of the identified control deficiencies. These methods should include procedures for reporting to management, the Board of Directors, corporate audit… (Standard § I.2(5).4, Standard § III.3(5), Practice Standard § I.2(5)[3], Practice Standard § I.5(1), Practice Standard § II.3(4)[4], Practice Standard § III.4(3)[1], Practice Standard § III.4(4), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization should make provisions for analyzing and reporting on unauthorized access based on the audit trails. For systems that handle personal data, this is a requirement. (T37.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Management of performance of information security by measuring, monitoring and reporting information security governance metrics to ensure that organizational objectives are achieved (Information Security Governance ¶ 2 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Information collected as part of security reporting arrangements should include details about all aspects of information risk like criticality of information, identified vulnerabilities and level of threats, potential business impacts and the status of security controls in place. Information about t… (Critical components of information security 22) iv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Reports on the monitoring and control activities of the institution should be reviewed by its senior management and provided to the board for information. The institution should ensure that monitoring metrics and performance data are not aggregated with those belonging to other customers of the serv… (5.8.2 (e), Guidelines on Outsourcing)
  • System owners report the security status of each system to its authorising officer at least annually. (Security Control: 1587; Revision: 0, Australian Government Information Security Manual, March 2021)
  • System owners report the security status of each system to its authorising officer at least annually. (Control: ISM-1587; Revision: 0, Australian Government Information Security Manual, June 2023)
  • System owners report the security status of each system to its authorising officer at least annually. (Control: ISM-1587; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Providers of high-risk AI systems which consider or have reason to consider that a high-risk AI system which they have placed on the market or put into service is not in conformity with this Regulation shall immediately take the necessary corrective actions to bring that system into conformity, to w… (Article 21 ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Where the high-risk AI system presents a risk within the meaning of Article 65(1) and that risk is known to the provider of the system, that provider shall immediately inform the national competent authorities of the Member States in which it made the system available and, where applicable, the noti… (Article 22 ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • A distributor that considers or has reason to consider that a high-risk AI system which it has made available on the market is not in conformity with the requirements set out in Chapter 2 of this Title shall take the corrective actions necessary to bring that system into conformity with those requir… (Article 27 4., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • the mechanisms within the group of undertakings, or group of enterprises engaged in a joint economic activity for ensuring the verification of compliance with the binding corporate rules. Such mechanisms shall include data protection audits and methods for ensuring corrective actions to protect the … (Art. 47.2.(j), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • The management must ensure it is kept up-to-date about problems, the results of reviews and audits, but also the latest developments, altered framework conditions, or opportunities for improvement at regular intervals so that it can fulfil its management function. In order for the management level t… (§ 4.2 Bullet 1 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Inform management level of the results of checks and the status of the information security process (§ 5.2.4 Subsection 2 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Certain types of onsite audit may create an unmanageable risk for the environment of the provider or its other clients, for example, by impacting service levels or the confidentiality, integrity, and availability of data. In such cases, the firm and the service provider may agree alternative ways to… (§ 8.12, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization must submit a brief report to the organizational head that summarizes any additional protective measures that were implemented after an increase in the government response level; provide explicit assurance statements on counter-terrorist protective security; and report test results … (Mandatory Requirement 69, HMG Security Policy Framework, Version 6.0 May 2011)
  • (¶ 2.2, Smith Guidance on Audit Committees, UK FRC, January 2003)
  • (¶ 25, ¶ 26, Turnbull Guidance on Internal Control, UK FRC, October 2005)
  • Instances of noncompliance with objectives related to privacy are documented and reported and, if needed, corrective and disciplinary measures are taken on a timely basis. (M9.1 Documents and reports instances of noncompliance, Privacy Management Framework, Updated March 1, 2020)
  • Reports should be regularly submitted to the Board of Directors and senior management to provide them with pertinent information they need to manage risk. (Principle 5, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Executive e-summaries are to be produced for the Board on a monthly basis, or if not monthly, then frequently. (§ I.24, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are executive level e-risk summaries produced for the Chief Executive Officer, Chief Technology Officer, Chief Financial Officer, and Board of Directors? (Table Row I.24, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Firstly, EO 14086 requires each intelligence agency to have senior-level legal, oversight and compliance officials to ensure compliance with applicable U.S. law. In particular, they must conduct periodic oversight of signals intelligence activities and ensure that any non-compliance is remedied. Int… (3.2.2 (162), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least annually (A3.1.1 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Providing updates to executive management and board of directors on PCI DSS compliance initiatives and issues, including remediation activities, at least once every 12 months. (A3.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Defining a charter for a PCI DSS compliance program and communication to executive management. (12.4.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Defining a charter for a PCI DSS compliance program and communication to executive management. (12.4.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The overall control issues should be understood by the Chief Audit Executive and he/she should communicate them in an understandable form and a manner that results in an appropriate response to senior management and the appropriate committees of the Board of Directors. (§ 10.3 ¶ 9, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Management and the Board of Directors need to periodically receive risk management process reports. The corporate governance processes should periodically communicate risks, risk strategies, and controls to the stakeholders. (§ 5.1.1 ¶ 2, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Details about the security profile shall be reported to the corporate information security function. (CF.12.01.07f, The Standard of Good Practice for Information Security)
  • The results of monitoring activities should be presented to the business owners to whom services are provided. (CF.10.05.09-2, The Standard of Good Practice for Information Security)
  • Information about the security condition of the organization should be provided to key decision-makers (including executive management, members of the organization's high-level working group (or equivalent) and relevant external bodies). (SI.02.01.05, The Standard of Good Practice for Information Security)
  • Security monitoring arrangements should provide key decision-makers with an informed view of the effectiveness and efficiency of Information Security controls. (SI.02.01.06a, The Standard of Good Practice for Information Security)
  • Results from a forensic investigation should be reported to relevant management (e.g., executive management and heads of business units / departments) and appropriate legal / regulatory bodies. (CF.11.04.09, The Standard of Good Practice for Information Security)
  • Details about the security profile shall be reported to the corporate information security function. (CF.12.01.07f, The Standard of Good Practice for Information Security, 2013)
  • The results of monitoring activities should be presented to the business owners to whom services are provided. (CF.10.05.09-2, The Standard of Good Practice for Information Security, 2013)
  • Information about the security condition of the organization should be provided to key decision-makers (including executive management, members of the organization's high-level working group (or equivalent) and relevant external bodies). (SI.02.01.05, The Standard of Good Practice for Information Security, 2013)
  • Security monitoring arrangements should provide key decision-makers with an informed view of the effectiveness and efficiency of Information Security controls. (SI.02.01.06a, The Standard of Good Practice for Information Security, 2013)
  • Results from a forensic investigation should be reported to relevant management (e.g., executive management and heads of business units / departments) and appropriate legal / regulatory bodies. (CF.11.04.09, The Standard of Good Practice for Information Security, 2013)
  • The organization shall establish a process for reporting significant findings to the medical Information Technology network risk manager and other appropriate personnel. (§ 4.6.2 ¶ 1(d), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • Communication between and among the levels and functions within an organization is crucial to the effectiveness of the environmental management system. For example, communication is important for problem solving, coordination of activities, follow up on action plans, and further development of the e… (7.4.2 ¶ 1, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • Where a failure or potential failure to fulfil a compliance obligation is identified, the organization should take action. The organization's nonconformity and corrective action process (see 10.2) could be used to deal with needed corrections. Where appropriate and as required, the organization shou… (9.1.2 ¶ 8, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • By evaluating compliance, the organization gains knowledge and understanding of its compliance status. The frequency of compliance evaluations should be appropriate to keep this knowledge and understanding up to date. Evaluations should be conducted in a manner that provides timely input to the mana… (9.1.2 ¶ 10, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization shall document and communicate the measurement results to the appropriate users. (§ 6.3.7.3(b)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Compliance should be overseen by a qualified individual that reports independently to senior management. (§ 5.1 ¶ 5, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • During the audit, the audit team leader should periodically communicate the progress, any significant findings and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk should be reported without delay to the… (§ 6.4.4 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • reporting on the performance of the compliance management system to the governing body and top management. (§ 5.3.1 ¶ 2 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • assessment and reporting (including management supervision) to ensure that employees comply with procedures; (§ 8.2 ¶ 5 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The governing body, management and the compliance function should ensure that they are effectively informed on the performance of the organization's compliance management system and of its continuing adequacy, including all relevant noncompliances, in a timely manner and actively promote the princip… (§ 9.1.7 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • timelines for regular reporting are established; (§ 9.1.7 ¶ 1 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • its assessment of the governance outcomes achieved. (§ 5 ¶ 7 Bullet 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; (§ 6.4.3.3 ¶ 2 Bullet 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • direct reports by, and private sessions with, risk management and compliance management as independent control functions; (§ 6.4.3.3 ¶ 2 Bullet 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that they are informed in a timely manner about compliance matters, including instances of noncompliance, and ensure that appropriate action is taken; (§ 5.1.1 ¶ 2 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure that they are informed in a timely manner on compliance matters, including on instances of noncompliance and ensure that appropriate action is taken; (§ 5.1.1 ¶ 2 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy. (TASK M-5, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. (GV.RR-2.3, CRI Profile, v1.2)
  • The organization develops, implements, and reports to management and the appropriate governing body (e.g., the Board or one of its committees) key cybersecurity performance indicators and metrics based on the cyber risk strategy and framework to measure, monitor, and report actionable indicators to … (GV.SP-2.2, CRI Profile, v1.2)
  • Cybersecurity performance is measured and regularly reported to senior executives and the Board or an appropriate governing body. (GV.SP-2, CRI Profile, v1.2)
  • The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. (GV.RR-2.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization develops, implements, and reports to management and the appropriate governing body (e.g., the Board or one of its committees) key cybersecurity performance indicators and metrics based on the cyber risk strategy and framework to measure, monitor, and report actionable indicators to … (GV.SP-2.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Components shall provide the capability to perform or support integrity checks on software, configuration and other information as well as the recording and reporting of the results of these checks or be integrated into a system that can perform or support integrity checks. (7.6.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Components shall provide the capability to perform or support authenticity checks on software, configuration and other information as well as the recording and reporting of the results of these checks or be integrated into a system that can perform or support authenticity checks. (7.6.3 (1) ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should report the quarterly review results to the privacy steering committee quarterly and to the audit committee annually. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should define, track, and report key metrics to senior management on a quarterly basis. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should periodically report to management the results of the security testing. (Table Ref 8.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Incidents of noncompliance with laws and regulations, fraud, or uncorrected misstatements that are clearly not trivial and that may affect one or more user entities and whether such incidents have been communicated appropriately to affected user entities (¶ 2.32 Bullet 8 Sub-Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Knowledge of any actual, suspected, or alleged fraud or noncompliance with laws and regulations affecting the description, suitability of design of controls, or, in a type 2 examination, operating effectiveness of controls (¶ 2.32 Bullet 8 Sub-Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Ensure that the organization's staff is properly reporting the Identity Theft Prevention Program's compliance to the appropriate personnel in the appropriate way. (§ VIII., FTC FACT Act Red Flags Rule Template, July 1, 2009)
  • Each Member firm should establish and implement a governance framework that supports informed decision making and escalation within the firm to identify and manage information security risks. In implementing an ISSP, each Member must adopt and enforce a written ISSP reasonably designed to provide sa… (Information Security Program Bullet 1 Written Program ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • When a web site is supported that has access to scoped systems and data, are the vulnerability scan results reported to management? (§ I.5.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is hosted that has access to scoped systems and data, are the vulnerability scan results reported to management? (§ I.5.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is maintained that has access to scoped systems and data, are the vulnerability scan results reported to management? (§ I.5.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Report to the Board. Each bank holding company shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the bank holding company's compliance with these Guidelines. The reports should … (§ III.F, 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Submit a report of the SCI review required by paragraph (b)(1) of this section to senior management of the SCI entity for review no more than 30 calendar days after completion of such SCI review; and (§242.1003(b)(2), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Submit to the Commission, and to the board of directors of the SCI entity or the equivalent of such board, a report of the SCI review required by paragraph (b)(1) of this section, together with any response by senior management, within 60 calendar days after its submission to senior management of th… (§242.1003(b)(3), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • In general. Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on … (Appendix A-VI. (b)(1), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Senior management should be kept abreast of compliance efforts, audit reports, compliance deficiencies, and corrective actions. (Pg 5, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The Chief Information Officer, in coordination with other senior agency officials, must report annually on the effectiveness of the information security program, including the status of remedial actions, to the agency head. (§ 3544(a)(5), Federal Information Security Management Act of 2002, Deprecated)
  • requiring an attorney to report evidence of a material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof, to the chief legal counsel or the chief executive officer of the company (or the equivalent thereof); and (§ 307 ¶ 1(1), The Sarbanes-Oxley Act of 2002 (SOX), July 30, 2002.)
  • Continuous monitoring requirements for DoD are the same as those for FedRAMP, except that all reports and artifacts for FedRAMP+ C/CEs will be provided directly to DISA AO representatives as the DoD single point of CSP contact for this information. DISA will share appropriate continuous monitoring i… (Section 5.3.1.1 ¶ 2, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Figure 6 shows the flow of continuous monitoring information for DoD private/community CSOs that have a DoD PA and ATO, but are not in the FedRAMP catalog. Continuous monitoring will be directed by the DoD RMF, rather than the FedRAMP Continuous Monitoring Strategy Guide. As part of the RMF authoriz… (Section 5.3.1.2 ¶ 1, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Management shall designate an individual to review and analyze the audit records for indications of unusual activity or inappropriate activity, investigate violations, report findings to appropriate officials, and take the necessary corrective actions. (§ 5.4.3, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Identified issues. (IX Action Summary ¶ 2 Bullet 6, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Processes for reporting KPIs to the board. (VI.D Action Summary ¶ 2 Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implementation of processes to monitor and report on control effectiveness. (VI.D Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management reports to the board periodically on the status of AIO initiatives, progress, issues, and metrics. (App A Objective 2:13a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Board regularly receives reports on AIO functions and activities from management. (II.A Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Methods to track and report on nonconformance to entity policies and the timeliness and remediation progress of all identified vulnerabilities, including those related to security procedures, physical layout, or internal controls. (App A Objective 15:3a Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Regularly reviews KPI reports and provides appropriate reporting up to the board. (App A Objective 17:2e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The operations team reports performance metrics to senior management and other stakeholders. (App A Objective 17:1b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management implements processes to monitor IT operations and periodically reports on the effectiveness of established controls to senior management and other stakeholders. Evaluate the following: (App A Objective 17:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Receives regular reports regarding operations. (App A Objective 2:3 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The auditors should report to the Board of Directors, as necessary, on material weaknesses. (Pg 6, FFIEC IT Examination Handbook - Audit, August 2003)
  • The audit function should verify that the controls operate effectively. The audit function should report to the Board of Directors. (Pg 10, FFIEC IT Examination Handbook - Management)
  • Whether risk assessment and compliance status are communicated to senior management and the board of directors. (App A Tier 1 Objectives and Procedures Objective 11:1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine if the board and senior management develop and support adequate user access procedures and controls for funds transfer requests. Assess whether the institution: ▪ Maintains a current list of employees approved to initiate funds transfer requests. ▪ Has developed and approved an organiz… (Exam Tier II Obj 1.3, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The overall status of the information security program and your compliance with this part; and (§ 314.4 ¶ 1(i)(1), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Staff members of the financial institution or creditor who are responsible for developing, implementing, and administering the Identity Theft Prevention Program should report on whether or not the organization is in compliance with section 41.90 of this part to the Board of Directors, an appropriate… (App J to Part 41.VI(b), App J to Part 222.VI(b), App J to Part 334.VI(b), App J to Part 571.VI(b), App A to Part 681.VI(b), App J to Part 717.VI(b), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • Calls for keeping the organization informed about problems and deficiencies, including the progress of corrective actions. (§ 260.50(3), GAO/PCIE Financial Audit Manual (FAM))
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [FedRAMP Assignment: to meet Federal and FedRAMP requirements]. (CA-7g. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [FedRAMP Assignment: to meet Federal and FedRAMP requirements]. (CA-7g. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [FedRAMP Assignment: to meet Federal and FedRAMP requirements]. (CA-7g. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reporting the security and privacy status of the system to [FedRAMP Assignment: to include JAB/AO] [Assignment: organization-defined frequency]. (CA-7g., FedRAMP Security Controls High Baseline, Version 5)
  • Reporting the security and privacy status of the system to [FedRAMP Assignment: to include JAB/AO] [Assignment: organization-defined frequency]. (CA-7g., FedRAMP Security Controls Low Baseline, Version 5)
  • Reporting the security and privacy status of the system to [FedRAMP Assignment: to include JAB/AO] [Assignment: organization-defined frequency]. (CA-7g., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Report to the Board. Each credit union should report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the credit union's compliance with these guidelines. The report should discuss material… (§ 748 Appendix A. III.F., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Does management report the overall status of the information security program and compliance with part 748 appendix a and appendix b to the Board of Directors at least annually? (IT - 748 Compliance Q 12, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the penetration testing firm provide an executive summary report? (IT - Pen Test Review Q 4a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the penetration testing firm provide a technical manager's report? (IT - Pen Test Review Q 4b, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the penetration testing firm provide a technical details report? (IT - Pen Test Review Q 4c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (PM-31f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Enterprises typically rely on information security measures to facilitate decision-making and improve performance and accountability in their information security programs. Enterprises can achieve similar benefits within their C-SCRM programs. Additionally, enterprises should report C-SCRM metrics t… (3.5.1. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (PM-31f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (PM-31f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (PM-31f., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops, monitors, and reports on the results of information security measures of performance. (PM-6 Control:, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The results from each periodic audit should be expressed in the form of performance against a set of predefined and appropriate metrics to display security performance and security trends. Security performance metrics should be sent to the appropriate stakeholders, along with a view of security perf… (§ 6.2.3 ICS-specific Recommendations and Guidance ¶ 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Report the security status of a system (including the effectiveness of security controls) to an authorizing official on an ongoing basis in accordance with the monitoring strategy. (T0964, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations. (T0786, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must provide the security requirement assessment results to management. (SG.CA-2 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must establish a continuous monitoring strategy and program, including reporting to management the status of the security state of the system on a defined frequency. (SG.CA-6 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must provide, in writing, the security control assessment results to the Authorizing Official or designated representative. (App F § CA-2.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish a continuous monitoring strategy and implement a continuous monitoring program that includes reporting on the security state of the system to appropriate organization officials on a predetermined frequency. (App F § CA-7.d, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should report the Security Function verification results to designated officials who have Information Security responsibilities. (App F § SI-6(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations. (T0786, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Report the security status of a system (including the effectiveness of security controls) to an authorizing official on an ongoing basis in accordance with the monitoring strategy. (T0964, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization reports atypical usage of information system accounts to {organizationally documented personnel}. (AC-2(12)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reports atypical usage of information system accounts to {organizationally documented roles}. (AC-2(12)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides the results of the security control assessment to {organizationally documented individuals}. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides the results of the security control assessment to {organizationally documented roles}. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reports the results of security function verification to {organizationally documented personnel}. (SI-6(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reports the results of security function verification to {organizationally documented roles}. (SI-6(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reports atypical usage of information system accounts to {organizationally documented personnel}. (AC-2(12)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reports atypical usage of information system accounts to {organizationally documented roles}. (AC-2(12)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides the results of the security control assessment to {organizationally documented individuals}. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides the results of the security control assessment to {organizationally documented roles}. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides the results of the security control assessment to {organizationally documented individuals}. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides the results of the security control assessment to {organizationally documented roles}. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides the results of the security control assessment to {organizationally documented individuals}. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization provides the results of the security control assessment to {organizationally documented roles}. (CA-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization reports the results of security function verification to [Assignment: organization-defined personnel or roles]. (SI-6(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization develops, monitors, and reports on the results of information security measures of performance. (PM-6 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (PM-31f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles]. (SI-6(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7g., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Reporting the security and privacy status of organizational systems to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (PM-31f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Report the results of security and privacy function verification to [Assignment: organization-defined personnel or roles]. (SI-6(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. (CA-7h., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Report to the Board. Each national bank or Federal savings association shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the national bank's or Federal savings association's com… (§ III. F., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • Senior management should present the due diligence results on the selection process to the Board of Directors when the third party relationship involves critical activities. ("Due Diligence and Third-Party Selection" ¶ 4, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The board of directors must review the ongoing monitoring results of third party relationships that involve critical activities. ("Board of Directors" Bullet 6, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must analyze the independent review results, take appropriate actions, and report the results to the Board of Directors. ("Senior Bank Management" Bullet 8, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Employees who directly manage third party relationships must escalate significant issues to senior management. ("Bank Employees Who Directly Manage Third-Party Relationships" Bullet 5, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Proper documentation and reporting of the third party Risk Management process typically includes regular reports on the internal control testing and ongoing monitoring of third parties to senior management and the Board of Directors. ("Documentation and Reporting" Bullet 7, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Reporting the security status of organization and the information system to [TX-RAMP Assignment: To meet TX-RAMP requirements]. (CA-7g., TX-RAMP Security Controls Baseline Level 1)
  • Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [TX-RAMP Assignment: To meet TX-RAMP requirements]. (CA-7g., TX-RAMP Security Controls Baseline Level 2)