Establish and maintain a compliance oversight committee.


CONTROL ID: 00765
CONTROL TYPE: Establish Roles
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Define the Information Assurance strategic roles and responsibilities., CC ID: 00608

This Control has the following implementation support Control(s):
  • Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report., CC ID: 01151
  • Include recommendations for changes or updates to the information security program in the Board Report., CC ID: 13180
  • Provide critical project reports to the compliance oversight committee in a timely manner., CC ID: 01183
  • Assign the review of project plans for critical projects to the compliance oversight committee., CC ID: 01182
  • Assign the corporate governance of Information Technology to the compliance oversight committee., CC ID: 01178
  • Assign the review of Information Technology policies and procedures to the compliance oversight committee., CC ID: 01179
  • Involve the Board of Directors or senior management in Information Governance., CC ID: 00609
  • Address Information Security during the business planning processes., CC ID: 06495
  • Assign reviewing and approving Quality Management standards to the appropriate oversight committee., CC ID: 07192


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Board committees should have a written scope of authority and reporting procedures. Formal procedures should be developed to describe the functions of the Board that are being delegated and the duties and responsibilities of the committees. Board committees should be chaired by independent, non-exec… (¶ 2.7.2, ¶ 2.7.3, ¶ 2.7.7, ¶ 3.1.6, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • It is recommended that AIs establish an IT planning or steering committee which oversees whether IT resources are used effectively to support business strategies. This committee should normally consist of representatives of senior management, key business units and IT functions. It should meet regul… (2.2.3, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number I.2.1(1): Top management must establish a computerization committee; the missions of the computerization committee must be made clear and the appropriate authorities and responsibilities must be allocated based on the overall optimization plan. This is a control item that constit… (App 2-1 Item Number I.2.1(1) thru App 2-1 Item Number I.2.1(5), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The FI should establish a steering committee, consisting of business owners, the development team and other stakeholders to provide oversight and monitoring of the progress of the project, including deliverables to be realised at each phase of the project and milestones to be reached according to th… (§ 6.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • For large and complex projects that impact the business, a project steering committee consisting of key stakeholders, including business owners and IT, should be formed to provide direction, guidance and oversight to ensure milestones are reached, and deliverables are realised in a timely manner. (§ 5.2.1, Technology Risk Management Guidelines, January 2021)
  • meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; (4.6 39(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. (4.6 36(f), Final Report on EBA Guidelines on outsourcing arrangements)
  • In accepting responsibility by management, the management initiates the Information Security process inside the organization. (3.1 Bullet 3, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • The Supervisory Board must form committees with specialized experience to help with handling complex issues and to improve the efficiency of the Board. The chairperson of each committee must report to the Supervisory Board on their work on a regular basis. The Supervisory Board can delegate responsi… (¶ 5.3.1, ¶ 5.3.4, German Corporate Governance Code ("The Code"), June 6, 2008)
  • The Board of Directors may set up special committees to aid the Board in specific areas. The formal work plan must specify what decision-making authority and tasks the committee has been delegated. (¶ III.3.5.2, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • The Supervisory Board must develop the roles and responsibilities of each committee and determine the number of members and how they perform their duties. All members, with the exception of at most 1 member, must be independent. Each committee must make reports of their discussions and findings to t… (¶ III.5.1, ¶ III.5.3, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • The Board should ensure all committees have the necessary resources to carry out their duties. (§ A.5.2, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
  • (§ 4.1.1.2, OGC ITIL: Security Management)
  • The entity has an overall governance and legal structure that defines and establishes responsibility and authority for the entity's oversight processes, policy setting and ongoing monitoring activities. (M1.2 Responsibility and authority, Privacy Management Framework, Updated March 1, 2020)
  • The entity has a governance and legal structure that establishes accountability for information privacy policy creation, oversight, monitoring and compliance. (M1.2 Established accountability, Privacy Management Framework, Updated March 1, 2020)
  • When the Board forms a committee, the Board should ensure the composition and work procedures are well defined and disseminated to the committee members. (§ VI.E, OECD Principles of Corporate Governance, 2004)
  • Firstly, EO 14086 requires each intelligence agency to have senior-level legal, oversight and compliance officials to ensure compliance with applicable U.S. law. In particular, they must conduct periodic oversight of signals intelligence activities and ensure that any non-compliance is remedied. Int… (3.2.2 (162), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Establish an IT steering committee (or equivalent) composed of executive, business and IT management to: - Determine prioritisation of IT-enabled investment programmes in line with the enterprise's business strategy and priorities - Track status of projects and resolve resource conflict - Monitor se… (PO4.3 IT Steering Committee, CobiT, Version 4.1)
  • Examine documentation to verify executive management has assigned overall accountability for maintaining the entity's PCI DSS compliance. (A3.1.1.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations (§ 3 Principle 2 Points of Focus: Establishes Oversight Responsibility, COSO Internal Control - Integrated Framework (2013))
  • The board of directors retains oversight responsibility for management’s design, implementation, and conduct of internal control: – Control Environment — Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountabilit… (§ 3 Principle 2 Points of Focus: Provides Oversight for the System of Internal Controls, COSO Internal Control - Integrated Framework (2013))
  • An adequate management framework should be in place to support the continuity testing program. Some suggested roles are a Business Continuity Steering Group that oversees the entire business continuity function and is made up of senior members of all business areas; an IT Rehearsal Working Group tha… (§ 9.6 ¶ 2(c), § 9.6 ¶ 2(d), § 9.6 ¶ 2(e), § 9.6 ¶ 3, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The most common committees established by the Board of Directors include audit, governance, and compensation. Some additional committees include finance or risk management. The audit committee's role involves the oversight of financial issues, risk management, ethics, and internal control assessment… (§ 7.1, § 7.1.1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • If the organization does not maintain an incident reporting database, it may form an asset protection committee. This committee should be made up of personnel from each of the organization's departments. They should determine what incidents should be reported, determine what assets are vulnerable, a… (Revised Volume 1 Pg 2-II-21, Revised Volume 1 Pg 2-II-22, Protection of Assets Manual, ASIS International)
  • A high-level working group, committee, or equivalent body should be established, which coordinates Information Security activity across the organization. (SG.01.02.04a, The Standard of Good Practice for Information Security)
  • A high-level working group, committee, or equivalent body should be established, which is chaired by a member of the governing body (i.e., a board level executive or equivalent). (SG.01.02.04b, The Standard of Good Practice for Information Security)
  • Membership of the high-level working group, committee, or equivalent body should include the Chief Information Security Officer. (SG.01.02.05a, The Standard of Good Practice for Information Security)
  • Membership of the high-level working group, committee, or equivalent body should include representatives of specialist functions (e.g., legal, operational risk, internal audit, Human Resources, and physical security). (SG.01.02.05c, The Standard of Good Practice for Information Security)
  • Membership of the high-level working group, committee, or equivalent body should include the head of Information Technology (or equivalent). (SG.01.02.05d, The Standard of Good Practice for Information Security)
  • Membership of the high-level working group, committee, or equivalent body should include one or more business owners (i.e., people in charge of particular business applications or business processes). (SG.01.02.05b, The Standard of Good Practice for Information Security)
  • A committee should be established to be responsible for managing information privacy issues. (SR.02.02.01-1, The Standard of Good Practice for Information Security)
  • An organization-wide group of information protection champions should be established (supported by mailing lists, regular teleconference calls, and meetings) to help them understand common security challenges. (CF.12.02.06a, The Standard of Good Practice for Information Security)
  • The high-level working group should be aware of privacy-related legislation and regulation with which the organization needs to comply. (SR.02.02.02a, The Standard of Good Practice for Information Security)
  • A high-level working group, committee, or equivalent body should be established, which coordinates Information Security activity across the organization. (SG.01.02.04a, The Standard of Good Practice for Information Security, 2013)
  • A high-level working group, committee, or equivalent body should be established, which is chaired by a member of the governing body (i.e., a board level executive or equivalent). (SG.01.02.04b, The Standard of Good Practice for Information Security, 2013)
  • Membership of the high-level working group, committee, or equivalent body should include the Chief Information Security Officer. (SG.01.02.05a, The Standard of Good Practice for Information Security, 2013)
  • Membership of the high-level working group, committee, or equivalent body should include representatives of specialist functions (e.g., legal, operational risk, internal audit, Human Resources, and physical security). (SG.01.02.05c, The Standard of Good Practice for Information Security, 2013)
  • Membership of the high-level working group, committee, or equivalent body should include the head of Information Technology (or equivalent). (SG.01.02.05d, The Standard of Good Practice for Information Security, 2013)
  • Membership of the high-level working group, committee, or equivalent body should include one or more business owners (i.e., people in charge of particular business applications or business processes). (SG.01.02.05b, The Standard of Good Practice for Information Security, 2013)
  • A committee should be established to be responsible for managing information privacy issues. (SR.02.02.01-1, The Standard of Good Practice for Information Security, 2013)
  • An organization-wide group of information protection champions should be established (supported by mailing lists, regular teleconference calls, and meetings) to help them understand common security challenges. (CF.12.02.06a, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group should be aware of privacy-related legislation and regulation with which the organization needs to comply. (SR.02.02.02a, The Standard of Good Practice for Information Security, 2013)
  • appoint or nominate a compliance function with: (§ 5.3.3 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • An information security coordination group should consist of personnel from different parts of the organization, including managers, users, designers, legal, human resources, auditors, and others. This group should discuss the following: Handling noncompliance; assessing security controls; promoting… (§ 6.1.2, § 6.1.3, ISO 27002 Code of practice for information security management, 2005)
  • The governing body should direct and oversee the organization to ensure accountability is practised throughout (see 6.4). (§ 6.5.3.3 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Depending on the size of the organization, governing bodies can create committees to help them fulfil their obligations. These committees can be statutory or voluntary. In either case, they should provide the governing body with additional capacity, skills, independence, diversity and/or stakeholder… (§ 4.3.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • independence of the compliance function; (§ 5.1.3 ¶ 1 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • appoint or nominate a compliance function (see 5.3.2); (§ 5.1.1 ¶ 2 bullet 6, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the independence of the compliance function; (§ 9.3.2 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • appoint or nominate a compliance function (see 5.3.2). (§ 5.1.1 ¶ 2 bullet 6, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • independence of the compliance function; (§ 5.1.3 ¶ 1 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Increase oversight of compliance. Without the appropriate oversight, the use of AI can automate processes, produce outcomes that undergo frequent change, can be difficult to explain or conflict with organizational policies (see 6.6). (§ 5.5 ¶ 1 Bullet 1, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • appropriate specific sub-organizations, processes and tools designed to guarantee or enforce values, principles and internal controls that are foundational to good governance. (§ 6.7.2 ¶ 3 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations (CC1.2 ¶ 3 Bullet 1 Establishes Oversight Responsibilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants. (CC1.2 ¶ 4 Bullet 1 Supplements Board Expertise, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization ensures appropriate oversight of and compliance with the internal dependency management strategy implementation. (DM.ID-1.3, CRI Profile, v1.2)
  • Public agencies must establish a Committee on Information who will have the following duties: coordinating and supervising activities by public entities to comply with the provisions of this Act; establishing measures to help ensure greater efficiency for handling requests for access to information;… (Art 36, Art 37, Tlaxcala Law on Access to Public Information and Personal Data Protection)
  • The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants. (CC1.2 Supplements Board Expertise, Trust Services Criteria)
  • The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations (CC1.2 Establishes Oversight Responsibilities, Trust Services Criteria)
  • The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations (CC1.2 ¶ 3 Bullet 1 Establishes Oversight Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants. (CC1.2 ¶ 4 Bullet 1 Supplements Board Expertise, Trust Services Criteria, (includes March 2020 updates))
  • overseeing agency compliance with the requirements of this subchapter, including through any authorized action under section 11303 of title 40, to enforce accountability for compliance with such requirements; and (§ 3553(a)(5), Federal Information Security Modernization Act of 2014)
  • Determine whether management identifies internal and external roles and responsibilities for AIO activities and implements processes to oversee those activities performed by third-party service providers. Assess whether management appropriately assigned and defined the responsibility and oversight o… (App A Objective 7:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Reports to the board and senior management containing the results of audits or other independent reviews and an assessment of management's ability to oversee the entity's AIO functions and activities. Validate whether the review scope and frequency are appropriate for the complexity of the entity's … (App A Objective 2:11d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The board is responsible for overseeing, and senior management is responsible for implementing and maintaining, a safe and sound operating environment that supports the entity's goals and objectives and complies with applicable laws and regulations. Management should establish responsibility and acc… (II.A Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Review the membership list of board, steering committee, and/or relevant management committees established to review IT activities. Determine whether board, senior management, lines of business, audit, and IT personnel are represented appropriately, and whether regular meetings are held and minutes … (App A Objective 2:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the board, or its committee, has appropriate oversight of audit through the following: (App A Objective 6:3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The technology steering committee should be responsible for developing project deliverables and coordinating activities between the departments. The membership of the committee should be composed of the project manager, a board member, and executives from each department. (Pg 5, FFIEC IT Examination Handbook - Development and Acquisition)
  • The Board of Directors should assign an IT steering committee to oversee the monitoring of IT activities. The steering committee should be composed of representatives from senior management, the IT department, and end-user departments. Each member should have the authority to make decisions for his/… (Pg 5, Pg 6, Pg 16, Exam Obj 3.1, FFIEC IT Examination Handbook - Management)
  • Level 2 roles include representatives of each mission and business process, such as program managers, research and development, and acquisitions/procurement. Level 2 C-SCRM activities address C-SCRM within the context of the enterprise's mission and business process. Specific strategies, policies, a… (2.3.3. ¶ 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • A Senior Assessment Team should be developed by the organization and should be led by the Chief Financial Officer. This team should be composed of senior executives from the departments affected by the assessment. The Chief Information Officer should actively participate as a member of the team. (Pg 6, Pg 8, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)