Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures.
CONTROL ID: 00807
CONTROL TYPE: Establish Roles
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities., CC ID: 00806

This Control has the following implementation support Control(s):
  • Establish and maintain board committees, as necessary., CC ID: 14789
  • Define and assign the roles and responsibilities of the chairman of the board., CC ID: 14786
  • Assign oversight of C-level executives to the Board of Directors., CC ID: 14784
  • Establish, implement, and maintain candidate selection procedures to the board of directors., CC ID: 14782
  • Assign oversight of the financial management program to the board of directors., CC ID: 14781
  • Assign senior management to the role of supporting Quality Management., CC ID: 13692
  • Assign senior management to the role of authorizing official., CC ID: 14238
  • Assign members who are independent from management to the Board of Directors., CC ID: 12395
  • Assign ownership of risks to the Board of Directors or senior management., CC ID: 13662
  • Assign the organization's board and senior management to oversee the continuity planning process., CC ID: 12991
  • Rotate members of the board of directors, as necessary., CC ID: 14803


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The Board of Directors should be made up of executive and non-executive directors; a majority of the members should be independent, non-executive directors. Executive directors are individuals who perform day-to-day management activities and/or full-time employees. Non-executive directors are indivi… (¶ 2.1.17, ¶ 2.2.1, ¶ 2.4.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • It is the primary responsibility of AIs to ensure that the risks posed by e-banking are properly managed and to educate and protect their customers. In the light of the inherent operational, reputation and legal risk as well as potential liquidity risk associated with e-banking, an AI's Board7, or i… (§ 3.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Certain AIs may rely on a reciprocal recovery arrangement with another institution to provide recovery capability. AIs should, however, note that such arrangement is often not appropriate for prolonged disruptions and an extended period of time. This arrangement could also make it difficult for AIs … (5.3.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • Senior management should establish an effective organisation of IT functions to deliver technology services and to provide day-to-day technology support to business units. A clear IT organisation structure and related job descriptions of individual IT functions should be documented and approved by s… (2.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number I.1.2(1): Top management must approve the organizational structure that is used to develop the overall optimization plan. This is a control item that constitutes a relatively small risk to financial information. This is a company-level IT control. App 2-1 Item Number I.1.2(2): To… (App 2-1 Item Number I.1.2(1), App 2-1 Item Number I.1.2(2), App 2-1 Item Number I.2.1(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Standard § I.4(1): Management is responsible for the design and operation of internal controls and designs and operates the internal controls. Standard § I.4(2): The Board of Directors is responsible for deciding the preliminary policies about the design and operation of internal controls, supervi… (Standard § I.4(1), Standard § I.4(2), Practice Standard § I.4(1), Practice Standard § I.4(2), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization shall require top management to participate in the establishment of a security management system, identify the individual responsible for overall security, and place the system under that person for unified security management. (O3.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The procedures require managers' approval. To avoid mistakes, the procedures should be done by multiple persons with authority, whereby they check one another. (P30.3. ¶ 1(2), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • If non-executive directors receive compensation, the compensation must be fixed by the Board and requires prior approval by shareholders during a general meeting. (§ I(B), Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • The organization should send a formal letter to each new member of the Board of Directors outlining his/her duties and obligations. (¶ 1.7, CODE OF CORPORATE GOVERNANCE 2005)
  • Where the board delegates its responsibility to a committee as described in paragraph 5.2.2, the board should establish communication procedures between the board and the committee. This should include requiring the committee to report to the board on a regular basis, and ensuring that senior manage… (5.2.4, Guidelines on Outsourcing)
  • They should also be fully responsible for ensuring that effective internal controls and risk management practices are implemented to achieve security, reliability, resiliency and recoverability. (§ 3.1.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The board of directors and senior management should ensure a Chief Information Officer, Chief Technology Officer or Head of IT, and a Chief Information Security Officer or Head of Information Security, with the requisite expertise and experience, are appointed. The appointments should be minimally a… (§ 3.1.3, Technology Risk Management Guidelines, January 2021)
  • The organization must appoint a senior executive, the Chief Information Security Officer, who is responsible for overseeing the application of controls and security risk management processes and coordinating the communication between business functions and security functions. (Control: 0714, Australian Government Information Security Manual: Controls)
  • The organization's accreditation authority must be at least a senior executive who has an appropriate level of understanding of the security risks they are accepting. (Control: 1229, Australian Government Information Security Manual: Controls)
  • The information technology security Risk Management Framework should be formally approved. (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • roles and responsibilities — clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types … (8(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Under CPS 234, an APRA-regulated entity must actively maintain an information security capability with respect to changes in vulnerabilities and threats. Accordingly, an entity would typically adopt an adaptive and forward-looking approach to maintaining its information security capability, includin… (20., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • a robust and transparent organisational structure with clear responsibilities on ICT, including the management body and its committees and that key responsible persons for ICT (e.g. chief information officer 'CIO', chief operating officer 'COO' or equivalent role) have adequate indirect or direct ac… (Title 2 2.3 28.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; (4.7 42(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • the identification, assessment and management of conflicts of interest; (4.6 36(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • The Board of Directors must regularly review the organization's operations to ensure they meet the objectives and the guidelines established by the Board. (¶ III.3.1.3, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • When a Supervisory Board member must temporarily take over the management of the organization due to a Management Board member being absent or not being able to fulfill his/her duties, he/she must resign from the Supervisory Board. (¶ III.6.7, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • A firm's senior management are responsible for ensuring that the firm conducts its business with integrity and tackles the risk that the firm, or anyone acting on its behalf, engages in bribery and corruption. A firm's senior management should therefore be kept up-to-date with, and stay fully abreas… (6.2.1 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Boards and senior management, in particular individuals performing SMFs, cannot outsource their responsibilities. Firms that enter into outsourcing arrangements remain fully accountable for complying with all their regulatory obligations. This is a key principle underlying all requirements and expec… (§ 4.3, SS2/21 Outsourcing and third party risk management, March 2021)
  • Allocation of Responsibilities 4.1(21) (banks) and Insurance – Allocation of Responsibilities 3.1(A3)(12) (insurers) require firms to allocate a Prescribed Responsibility for a firm's regulatory obligations in relation to outsourcing to an SMF. (§ 4.7, SS2/21 Outsourcing and third party risk management, March 2021)
  • The PRA generally expects but does not require this Prescribed Responsibility to be allocated to (one of) the individuals performing the Chief Operations Senior Management Function (SMF24) if a firm has one or more individuals performing that SMF. As noted in SS28/15 for banks and SS35/15 for insure… (§ 4.8, SS2/21 Outsourcing and third party risk management, March 2021)
  • The responsibilities of the board, including its involvement, as appropriate, in decisions about material outsourcing. (Table 4 Column 2 Row 1 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization must designate a Board level representative that is responsible for security. (¶ Mandatory Requirement 3, HMG Security Policy Framework, Version 6.0 May 2011)
  • The head of the organization has overall responsibility for security and must determine the appropriate security structures for the organization. (Security Policy No. 1 ¶ 6, HMG Security Policy Framework, Version 6.0 May 2011)
  • ¶ 1: The contractor's board of directors is contractually responsible for the security of government assets held at its site. ¶ 6.a: The contractor must appoint a board contact who will have overall security responsibility. The board contact must be a British citizen and a member of the board of d… (¶ 1, ¶ 6.a, ¶ 7, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • The organization is required to nominate two individuals: a security controller for day-to-day aspects and a board contact who accepts responsibility for security and to whom the security controller reports. The security controller role is unlikely to be full-time, except in large organizations, and… (App 3 ¶ 14, The Contractual process, Version 5.0 October 2010)
  • The entity has an overall governance and legal structure that defines and establishes responsibility and authority for the entity's oversight processes, policy setting and ongoing monitoring activities. (M1.2 Responsibility and authority, Privacy Management Framework, Updated March 1, 2020)
  • The entity has a governance and legal structure that establishes accountability for information privacy policy creation, oversight, monitoring and compliance. (M1.2 Established accountability, Privacy Management Framework, Updated March 1, 2020)
  • Companies in the supply chain should assign a senior staff member, who has competence, knowledge, and experience, the authority and responsibility to oversee the supply chain due diligence process. (Supplement on Tin, Tantalum, and Tungsten Step 1: B.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Companies in the supply chain should assign senior staff who have competence, knowledge, and experience the authority and responsibility to oversee the supply chain due diligence process. (Supplement on Gold Step 1: § I.B.1, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Does the organization make the Board of Directors and officers aware of their liabilities? (Table Row II.1, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization is required to report whether the highest governance body is responsible for reviewing and approving the reported information, including the organization's material topics, under Disclosure 2-14 in GRI 2: General Disclosures 2021. (Requirement 8 Guidance ¶ 4, GRI 1: Foundation 2021)
  • describe its policy and practice for seeking external assurance, including whether and how the highest governance body and senior executives are involved; (Disclosure 2-5 ¶ 1(a), GRI 2: General Disclosures, 2021)
  • how the highest governance body considers the outcomes of these processes; (Disclosure 2-12 ¶ 1(b)(ii), GRI 2: General Disclosures, 2021)
  • describe the role of the highest governance body in reviewing the effectiveness of the organization's processes as described in 2-12-b, and report the frequency of this review. (Disclosure 2-12 ¶ 1(c), GRI 2: General Disclosures, 2021)
  • report whether the highest governance body is responsible for reviewing and approving the reported information, including the organization's material topics, and if so, describe the process for reviewing and approving the information; (Disclosure 2-14 ¶ 1(a), GRI 2: General Disclosures, 2021)
  • if the highest governance body is not responsible for reviewing and approving the reported information, including the organization's material topics, explain the reason for this. (Disclosure 2-14 ¶ 1(b), GRI 2: General Disclosures, 2021)
  • describe the role of the highest governance body and of senior executives in developing, approving, and updating the organization's purpose, value or mission statements, strategies, policies, and goals related to sustainable development; (Disclosure 2-12 ¶ 1(a), GRI 2: General Disclosures, 2021)
  • report the level at which each of the policy commitments was approved within the organization, including whether this is the most senior level; (Disclosure 2-23 ¶ 1(d), GRI 2: General Disclosures, 2021)
  • The organization's highest governance body should oversee the process and review and approve the material topics. If the organization does not have a highest governance body, a senior executive or group of senior executives should oversee the process and review and approve the material topics. (§ 1. ¶ 7, GRI 3: Material Topics 2021)
  • The organization's highest governance body should review and approve the list of material topics. If such a body does not exist, the list should be approved by a senior executive or group of senior executives in the organization. (§ 1. Step 4. Approval of the material topics ¶ 1, GRI 3: Material Topics 2021)
  • The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions. (§ 3 Principle 2 Points of Focus: Applies Relevant Expertise, COSO Internal Control - Integrated Framework (2013))
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization: – Board of Directors — Retains authority over significant decision… (§ 3 Principle 3 Points of Focus: Defines, Assigns, and Limits Authorities and Responsibilities, COSO Internal Control - Integrated Framework (2013))
  • A high level official, for example, a board director or elected representative, should own the business continuity management policy. Top management should review the business continuity management capabilities, when it deems appropriate, to ensure it is suitable, adequate, and effective. The review… (§ 4.3 ¶ 2, § 9.5.1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • Top management must nominate or appoint a person who has seniority and the authority that will be accountable for the business continuity management policy and implementation, and it must appoint one or more persons to implement and maintain the business continuity management system, regardless of h… (§ 3.2.3.3, BS 25999-2, Business continuity management. Specification, 2007)
  • The Board of Directors should have a vision of the organization's future and should have a growth plan and objectives. This information should be used to steer the Information Technology Service Continuity (ITSC) strategy for the long term and aid in steering investment decisions and corporate direct… (§ 5.3 ¶ 3, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The Board of Directors, as keeper of the governance framework, has the primary responsibility for the internal controls of the organization. At the governance level, IT control involves ensuring effective security and information management principles, processes, and policies are implemented. Govern… (§ 5.2.1, § 7.1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Top management must appoint management representative(s) who must have defined responsibilities, roles, and authorities, regardless of other responsibilities, to ensure the organizational resilience management system has been established, communicated, implemented, and maintained in accordance with … (§ 4.4.1 ¶ 3, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The responsibility for information security lies with senior management. Senior management allocates the resources to implement the security policy; defines the information systems security policy; and approves the procedures needed to implement the security policy. (Pg 12-IV-2, Protection of Assets Manual, ASIS International)
  • The organization's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off on the overall approach to information security governance. (SG.01.01.06a, The Standard of Good Practice for Information Security)
  • The organisation's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off on the strategy for Information Security. (SG.01.01.06b, The Standard of Good Practice for Information Security)
  • The organisation's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off the Information Assurance program. (SG.01.01.06c, The Standard of Good Practice for Information Security)
  • The organization's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off the information security policy. (SG.01.01.06d, The Standard of Good Practice for Information Security)
  • The organisation's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off the security architecture for the organization. (SG.01.01.06e, The Standard of Good Practice for Information Security)
  • The organization's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off on the overall approach to information security governance. (SG.01.01.07a, The Standard of Good Practice for Information Security, 2013)
  • The organisation's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off on the strategy for Information Security. (SG.01.01.07b, The Standard of Good Practice for Information Security, 2013)
  • The organisation's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off the Information Assurance program. (SG.01.01.07c, The Standard of Good Practice for Information Security, 2013)
  • The organization's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off the information security policy. (SG.01.01.07d, The Standard of Good Practice for Information Security, 2013)
  • The organisation's governing body (e.g., board of directors or equivalent) should demonstrate their commitment by signing off the security architecture for the organization. (SG.01.01.07e, The Standard of Good Practice for Information Security, 2013)
  • Top management shall define and document the risk acceptability criteria and review the risk management process at planned intervals to ensure the risk management process is effective and document any decisions and actions that were taken. The policy to determine risk acceptability criteria shall en… (§ 3.2, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • Senior management should have the highest responsibility for ensuring the implementation of a successful Records Management program and to promote compliance throughout the organization. (§ 2.3.2 ¶ 1(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • supporting other relevant management roles to demonstrate their leadership as it applies to their areas of compliance responsibility; (§ 5.1 ¶ 1 h), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • senior decision-makers and the opportunity to contribute early in the decision-making processes; (§ 5.3.3 ¶ 1 d) 3) Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • reporting on the performance of the BCMS to top management. (§ 5.4 ¶ 2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management should ensure personnel are motivated about following the security rules. Personnel will be more likely to cause fewer security incidents and be more reliable if they are motivated. Management should ensure employees, contractors, and third parties have been properly briefed on their secu… (§ 8.2.1, ISO 27002 Code of practice for information security management, 2005)
  • The governing body can delegate but still remains accountable for what it has delegated and always remains responsible for the organization as a whole. (§ 4.2.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • clarify the manner in which the governing body itself is to operate and govern the organization; (§ 6.3.3.1.2 ¶ 1 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should demonstrate its willingness to answer for the fulfilment of its responsibilities, even where these have been delegated. The governing body should also report on the manner in which it holds to account those to whom it has delegated. (§ 6.5.3.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the governing body; (§ 4.2.1 ¶ 1 Bullet 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • At all times, the governing body should act collectively, performing many interrelated activities in order to exercise its authority and fulfil its accountability. Members of the governing body should act with probity and in the best interests of the organization while applying the principles in thi… (§ 4.3.1 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. (Table 1 Column 4 Row 6, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • establishing clarity about its role in the strategic planning process; (§ 6.3.3.2.1 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body is accountable for ensuring that the organization fulfils the defined organizational purpose and should ensure that the organization does so in a manner which demonstrates the defined organizational values. (§ 6.1.3.4 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. (§ 6.5.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Within the governing body: The governing body should set expectations for itself and the organization, including parameters within which these expectations are to be fulfilled. The governing body should fulfil these expectations (internal alignment). (§ 6.7.3.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • senior decision-makers and the opportunity to contribute early in the decision-making processes; (§ 5.3.2 ¶ 4 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • exercise oversight over top management regarding the operation of the compliance management system. (§ 5.3.1 ¶ 3 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • supporting other relevant roles to demonstrate their leadership as it applies to their areas of responsibility. (§ 5.1.1 ¶ 1 bullet 8, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • supporting other relevant managerial roles to demonstrate their leadership as it applies to their areas of responsibility; (§ 5.1.1 ¶ 1 bullet 8, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • exercise oversight over top management regarding the operation of the compliance management system. (§ 5.3.1 ¶ 3 b), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • senior decision-makers and the opportunity to contribute early in the decision-making processes; (§ 5.3.2 ¶ 6 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • ensuring that appropriate levels of authority are assigned for making decisions related to the SMS and the services; (§ 5.1 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. (§ 5.1 ¶ 1(l), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Inputs to the management review should be at the appropriate level of detail, according to the objectives established for the management involved in the review. For example, top management should evaluate only a summary of all items, according to the information security objectives or high level obj… (§ 9.3 Guidance ¶ 5, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • When several management reviews are done at different levels of the organization, then they should be linked to each other in an appropriate manner. (§ 9.3 Guidance ¶ 8, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The governing body remains accountable for all activities of an organization. This accountability cannot be delegated. (§ 4.1 ¶ 4, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Address the scope of use. Ensure that the scope of automation is overseen by the governing body and implemented by appropriately authorized and skilled people (see 6.3). The governing body should ensure that the requisite authority, responsibility and accountability are maintained and that the conse… (§ 5.5 ¶ 1 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Authority and responsibility are delegated to people throughout an organization in order to spread the burden of work done and decisions made. Wherever such delegated authority or responsibility resides, accountability remains with the governing body for all work done and decisions made (see 4.3). S… (§ 6.3 ¶ 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • responsibilities, chain of responsibility, accountability, authority and potential delegation of authority are clearly defined and agreed both within the organization and, where applicable, between different parties in any value chain; (§ 6.2 ¶ 3 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Accountability and Responsibility. The governing body should maintain its accountability as well as oversight of the organization's responsibilities both internally and externally for the use of AI. (§ 6.7.3 ¶ 1 Bullet 1, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. (CC1.3 ¶ 3 Bullet 3 Defines, Assigns, and Limits Authorities and Responsibilities, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. (CC1.2 ¶ 3 Bullet 2 Applies Relevant Expertise, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives. (Principle 1: Exercises Board Risk Oversight, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Committee members are typically executives or senior leaders appointed or elected by management, and each contributes individual skills, knowledge, and experience. (Enterprise Risk Management Structures ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The board of directors has the primary responsibility for risk oversight in the entity, and in many countries it has a fiduciary responsibility to the entity's stakeholders, including conducting reviews of enterprise risk management practices. Typically, the full board is responsible for risk oversi… (Accountability and Responsibility ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • In an entity with a dual-board structure, a supervisory board focuses on longer-term decisions and strategies affecting the business. A management board is charged with overseeing day-to-day operations including the oversight and delegation of authority among senior management. As with a single-boar… (Authority and Responsibilities ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management defines the characteristics needed to achieve the desired culture over time, with the board providing oversight and focus. An organization can then embrace a risk-aware culture by: (Embracing a Risk-Aware Culture ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Effective communication between the board of directors and management is critical for organizations to achieve the strategy and business objectives and to seize opportunities within the business environment. Communicating about risks starts by defining risk responsibilities clearly: who needs to kno… (Communicating with the Board ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization implements and maintains a documented policy or policies that address customer data privacy, and is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). (GV.PL-3.3, CRI Profile, v1.2)
  • The organization implements and maintains a documented policy or policies that address customer data privacy, and is approved by a designated officer or the organization's appropriate governing body (e.g., the Board or one of its committees). (GV.PL-3.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The Board of Directors should strongly influence the internal environment and should possess management, technical, and other expertise necessary to perform its oversight responsibilities. (Pg 21, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. (CC1.3 Defines, Assigns, and Limits Authorities and Responsibilities, Trust Services Criteria)
  • The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate actions. (CC1.2 Applies Relevant Expertise, Trust Services Criteria)
  • Management and the board of directors delegate authority, define responsibilities, and use appropriate processes and technology to assign responsibility and segregate duties as necessary at the various levels of the organization. (CC1.3 ¶ 3 Bullet 3 Defines, Assigns, and Limits Authorities and Responsibilities, Trust Services Criteria, (includes March 2020 updates))
  • The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action. (CC1.2 ¶ 3 Bullet 2 Applies Relevant Expertise, Trust Services Criteria, (includes March 2020 updates))
  • Commanders and managers should be responsible for ensuring their organizations meet the requirements of this regulation; ensuring changes to current systems or new systems meet the applicable security requirements; validating that the security requirements are incorporated into the system design; an… (§ 1-6.c, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • § 2.1: Business owners of business partner systems shall determine and document the information and information system security levels and identify security level categorizations for the information and information systems. § 2.3: CMS project officers (POs) must oversee the business partners, take… (§ 2.1, § 2.3, CMS Business Partners Systems Security Manual, Rev. 10)
  • Senior management must provide adequate resources and training to ensure segregation of duty principles are established, understood, enforced, and institutionalized. (CSR 4.6.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Approving material changes to the Program as necessary to address changing identity theft risks. (Appendix A-VI. (a)(3), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • The Board of Directors should ensure the Bank Secrecy Act (BSA) compliance officer has the authority and resources to effectively administer the compliance program. (Pg 6, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The agency head must ensure senior agency officials assess the risk and magnitude of harm that could result from unauthorized access to or disclosure, modification, use, disruption, or destruction of information or information systems; determine the appropriate information security levels necessary … (§ 3544(a)(2), § 3544(a)(5), Federal Information Security Management Act of 2002, Deprecated)
  • Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy pol… (§ III.7.c., EU-U.S. Privacy Shield Framework Principles)
  • The self-assessment should be signed by a corporate officer at least annually and be available upon request or for an investigation or complaint against non-compliance. (FAQ-Verification ¶ 2, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The Board of Directors must designate, by name, the individuals who do not require and can be excluded from accessing, viewing, etc., classified information or higher-level classified information disclosed to the organization. (§ 2-106, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Management personnel with executive responsibility shall appoint a management member who, irrespective of other responsibilities, shall have the responsibility for and authority over ensuring quality system requirements have been established and are maintained effectively and reporting on the qualit… (§ 820.20(b)(3), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Management officials and supervisors are responsible for the following: ensuring HHS participates in developing and reviewing HHS records management policy and follows the policy; ensuring all staff members attend records management training; informing staff of their rights and responsibilities; and … (Ch 10 (Responsibilities of Management), Department of Health and Human Services Records Management Procedures Manual, Version 1.0 Final Draft)
  • The head of each criminal justice information services systems agency shall appoint a criminal justice information services systems officer. (§ 3.2.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The repository manager or state identification bureau chief has oversight for the state's fingerprint identification services. (§ 3.2.11, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Adopting appropriate policies and procedures. (App A Objective 2:2c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether the board holds management accountable for the following: (App A Objective 2.3, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Assignment of responsibility. (App A Objective 2.3.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • An appropriate and effective executive management team or positions, such as CEO and COO, to assist in the oversight and management of IT. (App A Objective 2:11 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Maintains a charter that defines its responsibilities. (App A Objective 2:6 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The Board of Directors and senior management should establish a testing program, review and approve the testing program annually, and review test results. (Pg H-1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 4.2, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The Board of Directors should oversee and be responsible for approving the development, implementation, and updating of a comprehensive information security program. (Pg 9, FFIEC IT Examination Handbook - Management)
  • The Board of Directors and senior management should ensure that the IT systems of the organization operate in a safe and efficient manner. They should coordinate the IT controls used by the organization and any third parties and should be responsible for understanding risks, determining risk toleran… (Pg 3, FFIEC IT Examination Handbook - Operations, July 2004)
  • The Board of Directors should establish and approve all policies pertaining to managing the outsourcing process. (Pg 3, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • Whether the institution has appropriate depth of management and staff. (App A Tier 1 Objectives and Procedures Objective 1:3 Bullet 2 Sub-Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the quality of oversight and support provided by the board of directors and management. (App A Tier 1 Objectives and Procedures Objective 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine if the reports are reviewed at the appropriate levels of management. (App A Tier 1 Objectives and Procedures Objective 5:1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Are in writing and approved by the board or a designated committee. (App A Tier 2 Objectives and Procedures K.1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Establish management accountability. (App A Tier 2 Objectives and Procedures K.1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine if the quality of management and staff, and the staffing levels are adequate for the specific retail payment products and processes the institution provides.
    • Obtain and review the following:
      o Reports showing staffing levels, turnover, and trends.
      o Biographies of managers and key staf… (Exam Tier I Obj 1.3, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The Board of Directors should oversee the implementation of policies, the risk management strategy, controls, external and internal audits, and management information systems. (Pg 22, Exam Tier I Obj 1.3, Exam Tier II Obj 1.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Financial institutions or creditors that are required to implement an Identity Theft Prevention Program must have the initial written Program approved by the Board of Directors or an appropriate committee of the Board of Directors and must include the involvement of the Board of Directors, a committ… (§ 41.90(e)(1), § 41.90(e)(2), § 222.90(e)(1), § 222.90(e)(2), § 334.90(e)(1), § 334.90(e)(2), § 571.90(e)(1), § 571.90(e)(2), § 681.2(e)(1), § 681.2(e)(2), § 717.90(e)(1), § 717.90(e)(2), Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Final Rule, November 9, 2007)
  • Organizational records and documents should be examined to ensure a senior official signs and approves all security accreditations. (CA-6.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The head of the organization should ensure adequate resources are assigned to the sanitization program to ensure program success. Senior management should ensure the types and locations of information are identified and resources are allocated appropriately. (§ 3.1, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters. (T0213, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must assign a senior level executive or manager as the Authorizing Official. (App F § CA-6.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Baseline tailoring activities must be coordinated with and approved by the organizational officials before security controls are implemented. (§ 3.3 ¶ Tailoring the Baseline Security Controls, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters. (T0213, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Senior management is responsible for ensuring that the necessary resources are available and for assessing and incorporating the risk assessment results into the decision making process. For the risk management program to be effective, senior management must be involved. (§ 2.3, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)
  • Approve the national bank's or Federal savings association's written information security program; and (§ III. A. 1., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • The third party management plan should be approved by the bank's Board of Directors, if critical activities are involved. ("Planning" Bullet 13, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management should obtain approval for the third party contract from the Board of Directors when the relationship involves critical activities. ("Contract Negotiation" ¶ 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Oversight of the overall Risk Management processes is the responsibility of the bank's Board of Directors and senior management. ("Oversight and Accountability", Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The board of directors must review and approve the management plans for the use of third parties when critical activities are involved. ("Board of Directors" Bullet 3, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The board of directors must approve all third party contracts that involve critical activities. ("Board of Directors" Bullet 5, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must review and approve third party contracts. ("Senior Bank Management" Bullet 5, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Senior management must hold the employees who are responsible for managing the third party relationship accountable. ("Senior Bank Management" Bullet 9, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)