Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in-scope staff.


CONTROL ID
00779
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish and maintain the staff structure in line with the strategic plan, CC ID: 00764

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Once connectivity is established, system owners become information stakeholders for all connected security domains. (Security Control: 0607; Revision: 3, Australian Government Information Security Manual, March 2021)
  • System owners should become an information stakeholder for all connected security domains, once connectivity has been established for unclassified systems. (Control: 0607, Australian Government Information Security Manual: Controls)
  • System owners must become an information stakeholder for all connected security domains, once connectivity has been established for classified systems. (Control: 0608, Australian Government Information Security Manual: Controls)
  • System owners, process owners, Information Technology staff, and qualified persons should all cooperate with each other closely. (¶ 2, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • (§ 3.5, OGC ITIL: Security Management)
  • The purpose of the relationship management practice is to establish and nurture the links between the organization and its stakeholders at strategic and tactical levels. It includes the identification, analysis, monitoring, and continual improvement of relationships with and between stakeholders. (5.1.9 ¶ 1, ITIL Foundation, 4 Edition)
  • Establish and maintain an optimal co-ordination, communication and liaison structure between the IT function and various other interests inside and outside the IT function, such as the board, executives, business units, individual users, suppliers, security officers, risk managers, the corporate com… (PO4.15 Relationships, CobiT, Version 4.1)
  • Identify stakeholders and get their support. (§ 4 ¶ 2 Bullet 4, Information Supplement: Best Practices for Implementing a Security Awareness Program, Version 1.0)
  • The organization should consider and protect key stakeholder's interests when it determines the business continuity management strategies, which should take into account relevant cultural and social considerations. Strategies should be identified to manage the relationships between the organization … (§ 7.8.1, § 7.8.2, BS 25999-1, Business continuity management. Code of practice, 2006)
  • To better understand the business and risks of the organization, the internal auditors should have continuous discussions with key stakeholders during the IT audit plan's development. These discussions will give the auditors insights on the business and concerns of the key stakeholders. (§ 6.2, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • An organization-wide group of information protection champions should be established (supported by mailing lists, regular teleconference calls and meetings) to help them share successful approaches to working with business owners and users. (CF.12.02.06b, The Standard of Good Practice for Information Security)
  • There should be a process for managing the security of relationships with external suppliers which involves the information security function. (CF.16.01.01, The Standard of Good Practice for Information Security)
  • Local information security co-ordinators shall have access to in-house or external expertise in information security. (CF.12.02.03c, The Standard of Good Practice for Information Security)
  • An organization-wide group of information protection champions should be established (supported by mailing lists, regular teleconference calls and meetings) to help them share successful approaches to working with business owners and users. (CF.12.02.06b, The Standard of Good Practice for Information Security, 2013)
  • There should be a process for managing the security of relationships with external suppliers which involves the information security function. (CF.16.01.01, The Standard of Good Practice for Information Security, 2013)
  • Local information security co-ordinators shall have access to in-house or external expertise in information security. (CF.12.02.03c, The Standard of Good Practice for Information Security, 2013)
  • The governing body should ensure that the organization's stakeholders are identified, prioritized, appropriately engaged, consulted and their expectations understood. The governing body should do this to ensure that stakeholder relationships are effective and appropriate decisions about expectations… (§ 6.6.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • collaborative relationships with relevant stakeholders are maintained; (§ 6.6.3 ¶ 3 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the manner in which the organization interacts with, and impacts, its stakeholders and the context within which it operates. (§ 6.7.3.1 ¶ 4 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Within the organization's external context: The governing body should ensure that the organization treats stakeholders in a manner consistent with its organizational values. (§ 6.7.3.3 ¶ 1 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. (§ 6.7.3.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the quality and nature of stakeholder relationships and effectiveness of stakeholder engagement; (§ 6.3.3.1.1 ¶ 2 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • When the governing body groups stakeholders, it should clarify its criteria for grouping, and for determining the relevance of, stakeholders. The governing body should also ensure that a stakeholder engagement process is devised on this basis. (§ 6.6.3 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • identification and analysis of the stakeholders; (§ 7.4 ¶ 1 Bullet 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Receives appropriate management information from IT, lines of business, and external sources. (App A Objective 2:6 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Integration of business line managers into the IT oversight process. (App A Objective 2:11 g., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The Chief Information Officer (CIO) should support the activities of managers in the other business areas. (Pg 6, FFIEC IT Examination Handbook - Management)
  • Use corporate, legal, or regulatory compliance personnel when conducting ePHI safeguard analysis as appropriate. (§ 4.8.2 Bullet 3, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness. (RS.CO-5, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, public relations professionals). (T0096, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)