Establish, implement, and maintain a positive information control environment.


CONTROL ID
00813
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

This Control has the following implementation support Control(s):
  • Make compliance and governance decisions in a timely manner., CC ID: 06490


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization's control environment should set the tone and should include management's philosophy, employee competence, and ethical values. The organization should create a code of ethics and show that it complies with it by developing procedures for monitoring and enforcing it; assigning an ind… (¶ 3.2.1, ¶ 5.2.1 thru ¶ 5.2.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • the change in risks associated with e-banking are fully understood and that adequate risk management measures are taken when introducing or enhancing e-banking and thereafter, as there might be changes in risk over time especially as technologies evolve. In this connection, the AI's Board and senior… (§ 3.1.1 (i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • the risks associated with e-banking are fully understood and that adequate risk management measures are taken when introducing or enhancing e-banking and thereafter, as there might be changes in risk over time especially as technologies evolve. In this connection, the AI's Board and senior managemen… (§ 3.1.1 (i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The organizational objectives and goals of the overall optimization plan must be consistent with the management and business strategy. This is a control item that constitutes a relatively small risk to financial information. This is a company-level IT control. (App 2-1 Item Number I.1.1(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Standard § I.2(3): Policies and procedures for control activities should be incorporated into business processes. They need to be performed by everyone in order to ensure they function effectively. Policies and procedures that could potentially influence financial reports must ensure that all operation… (Standard § I.2(3), Standard § I.4(1), Practice Standard § I.5(1), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • All Board members and senior management must adhere to a code of conduct developed by the Board and must affirm compliance with the code annually. The code of conduct must be posted on the organization's website. (§ I(D), Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • The organization's internal controls (financial, operational, and compliance controls and risk management policies) should be reviewed by the audit committee to ensure the internal controls are adequate. (¶ 12.1, CODE OF CORPORATE GOVERNANCE 2005)
  • Given that technology underpins many of the operations and services offered by an FI, the board of directors and senior management should set the tone from the top and cultivate a strong culture of technology risk awareness and management at all levels of staff within the FI. (§ 3.1.6, Technology Risk Management Guidelines, January 2021)
  • Organisational management and oversight framework; (Title 3 3.3 46.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • All auditors and audit firms must ensure they maintain professional ethics, professional competence, and due care. (Art 21, EU 8th Directive (European SOX))
  • Employees must be obliged to comply with all laws, regulations, and ordinances relevant in the respective environment. For this, they must, of course, be familiarised with the existing information security regulations and simultaneously they must be motivated to comply with these. Moreover, the empl… (§ 6 ¶ 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • When designing and planning the security process the organization should perform a rough assessment of the value of the information, business processes, and specialized tasks. (3.2 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • The Board of Directors must ensure that the organization has established guidelines for the ethical conduct of individuals interacting with the organization. (¶ III.3.1.6, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • A firm must conduct its business with due skill, care and diligence. (2.1.1 Principle 2 Skill, care and diligence, Principles for Businesses)
  • The Board should ensure, on an annual basis, that the organization's internal controls are effective. (§ C.2.1, Financial Reporting Council, Combined Code on Corporate Governance, June 2008)
  • The Board of Directors and senior management should promote a positive culture through actions and words. (¶ 11, ¶ 32, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The Board should set the ethical tone of the organization. (§ VI.C, OECD Principles of Corporate Governance, 2004)
  • Define the elements of a control environment for IT, aligned with the enterprise's management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accou… (PO6.1 IT Policy and Control Environment, CobiT, Version 4.1)
  • Demonstrate genuine support for policies, procedures and standards to ensure stakeholders understand leadership commitment to them. (P2.5 Champion Policies, OCEG GRC Capability Model, v 3.0)
  • The organization demonstrates a commitment to integrity and ethical values. (§ 3 Principle 1 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • The board of directors and management at all levels of the entity demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. (§ 3 Principle 1 Points of Focus: Sets the Tone at the Top, COSO Internal Control - Integrated Framework (2013))
  • The board of directors retains oversight responsibility for management’s design, implementation, and conduct of internal control: – Control Environment — Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountabilit… (§ 3 Principle 2 Points of Focus: Provides Oversight for the System of Internal Controls, COSO Internal Control - Integrated Framework (2013))
  • Management should ensure business continuity is embedded in the organization. Business continuity management should be built, embedded, and promoted in the organization to ensure it becomes part of the core values and effective management of the organization. A positive business continuity managemen… (§ 5.4.1, § 10.1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • Top management must establish and demonstrate its commitment to the business continuity management policy. To ensure business continuity management develops into a part of the organization's core values and effective management, it must enhance, raise, and maintain awareness among all personnel via … (§ 3.2.2.1, § 3.3, BS 25999-2, Business continuity management. Specification, 2007)
  • Top management should create a tone that motivates the need for a culture of change management and should declare that the only acceptable number of unauthorized changes is zero. (§ 1.4, IIA Global Technology Audit Guide (GTAG) 2:Change and Patch Management Controls: Critical for Organizational Success)
  • The top of the organization should set a strong tone to design, build, and operate IT systems with integrity, communicate the culture, oversee developing and deploying policies and procedures, and assessing performance. (§ 3.1, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The Board of Directors and top management should provide governance and oversight in order to set a tone and control how privacy risks are addressed by the organization. (§ 2.2 (Privacy Controls) ¶ 1, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Senior management should make a commitment to the identity and access management (IAM) process in order for the organization to support the appropriate tone of the IAM. (§ 4.1.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The organization must build, promote, and embed an organizational resilience management culture in the organization so that it becomes a part of the organization's core values and governance and makes stakeholders aware of the organizational resilience management policy, along with … (§ 4.4.2 ¶ 4, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization should have management support to implement an effective sensitive information protection system. The organization should ensure all management levels and employees understand the security goals by establishing a well-defined organizational strategy and communications program. The o… (Pg 1-I-6, Pg 15-V-2, Revised Volume 1 Pg 3-I-9, Revised Volume 1 Pg 3-I-10, Protection of Assets Manual, ASIS International)
  • The organization's governing body (e.g., board of directors or equivalent) should treat Information Security as a critical business issue. (SG.01.01.02a, The Standard of Good Practice for Information Security)
  • The information security governance framework should address the need to promote a security positive control environment. (SG.01.01.04f, The Standard of Good Practice for Information Security)
  • The high-level working group, committee, or equivalent body should support the Chief Information Security Officer (or equivalent) in establishing the organization's overall approach to Information Security by emphasizing the importance of Information Security to the organization. (SG.01.02.06c, The Standard of Good Practice for Information Security)
  • The organization should be supported by an information security function (or equivalent), which has responsibility for promoting good practice in Information Security throughout the organization. (CF.01.02.01-1, The Standard of Good Practice for Information Security)
  • The organization's governing body (e.g., board of directors or equivalent) should treat Information Security as a critical business issue. (SG.01.01.02a, The Standard of Good Practice for Information Security, 2013)
  • The information security governance framework should address the need to promote a security positive control environment. (SG.01.01.04f, The Standard of Good Practice for Information Security, 2013)
  • The organization should be supported by an information security function (or equivalent), which has responsibility for promoting good practice in Information Security throughout the organization. (CF.01.02.01-1, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group, committee, or equivalent body should ensure the ongoing effectiveness of Information Security arrangements by promoting resilience against the potential and actual high business impacts of major incidents, such as those typically associated with targeted cyber attacks. (SG.01.02.07f, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group, committee, or equivalent body should support the Chief Information Security Officer (or equivalent) in establishing the organization's overall approach to Information Security by emphasizing the importance of Information Security to the organization. (SG.01.02.06d, The Standard of Good Practice for Information Security, 2013)
  • Executive and line management shall take formal action to support information security through clearly-documented direction and commitment, and shall ensure the action has been assigned. (GRM-05, Cloud Controls Matrix, v3.0)
  • Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way… (CIS Control 16: Safeguard 16.9 Train Developers in Application Security Concepts and Secure Coding, CIS Controls, V8)
  • The organization shall maintain the safety, effectiveness, and data and systems security of the medical Information Technology network during its entire lifecycle. (§ 4.1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • Top management shall provide evidence that it is committed to developing and implementing a quality management system and maintaining its effectiveness by communicating the importance of meeting regulatory, statutory, and customer requirements; establishing a quality policy; establishing quality obj… (§ 5.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • Top management shall ensure qualified personnel have been assigned to risk management. (§ 3.2, ISO 14971:2007 Medical devices -- Application of risk management to medical devices, 2007)
  • encouraging employees to make suggestions that facilitate continual improvement in compliance performance; (§ 7.3.2.2 ¶ 1 e), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The governing body, management and the compliance function should ensure that they are effectively informed on the performance of the organization's compliance management system and of its continuing adequacy, including all relevant noncompliances, in a timely manner and actively promote the princip… (§ 9.1.7 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Top management shall provide evidence of its commitment to plan, establish, implement, operate, monitor, review, maintain, and improve the service management system and the services. (§ 4.1.1 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall implement and operate the service management system by managing the service management processes. (§ 4.5.3 ¶ 1(e), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS. (§ 5.1 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • - ensuring that policies and objectives are established for the business continuity management system and are compatible with the strategic direction of the organization, - ensuring the integration of the business continuity management system requirements into the organization’s business processes… (§ 5.2 ¶ 1, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization by - defining the criteria for accepting risks and the acceptable levels of risk, - actively engaging in exercising and testing, - ensuring that internal aud… (§ 5.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Top management shall demonstrate leadership and commitment with respect to the information security management system by: (§ 5.1 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • directing and supporting persons to contribute to the effectiveness of the information security management system; (§ 5.1 ¶ 1 f), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • have an information security management forum (ISMF) in place to ensure that there is clear direction and visible management support for security initiatives involving the security of health information, as described in B.3 and B.4. (§ 6.1.1 Health-specific control ¶ 1(b), ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • § 4.4.2: The organization should ensure the risk management process is applied at all relevant levels and functions through a risk management plan that is part of the organization's practices and processes. § 5.3.3: The organization should align its risk management process with its culture, struct… (§ 4.4.2, § 5.3.3, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. (§ 6.7.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Ethical and effective leadership should be demonstrated in three areas: (§ 6.7.3.1 ¶ 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should demonstrate effective leadership across all areas. (§ 6.7.3.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should lead the organization ethically and effectively and ensure such leadership throughout the organization. (Table 1 Column 4 Row 8, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • In order to lead ethically and effectively, the governing body should lead by example to create a positive culture, set the tone for others, and engender trust and cooperation among the organization's stakeholders. (§ 6.7.3.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • provides increased certainty, which in turn, creates reputational value. (§ 6.7.3.3 ¶ 3 Bullet 5, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should, in particular, ensure that the organization recognizes data as a strategic resource and ensure that the organization uses data responsibly and ethically. (§ 6.8.3.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • data are used ethically; (§ 6.8.3.4 ¶ 1 Bullet 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; (§ 6.9.3.2 ¶ 2 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • assists in reconciling strategic dilemmas by creating organizational alignment through the integration of opposites; (§ 6.7.3.3 ¶ 3 Bullet 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • provides the individuals of an organization with a collective sense of belonging; (§ 6.7.3.3 ¶ 3 Bullet 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • developing, leading and promoting a culture in the organization that supports the intended outcomes of the OH&S management system; (§ 5.1 ¶ 1 j), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Top management shall demonstrate leadership and commitment with respect to the quality management system by: (5.1.1 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Top management shall demonstrate leadership and commitment with respect to customer focus by ensuring that: (5.1.2 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • directing and supporting persons to contribute to the effectiveness of the IT asset management system; (Section 5.1 ¶ 1 bullet 6, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Top management shall demonstrate leadership and commitment with respect to the SMS by: (§ 5.1 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • ensuring that what constitutes value for the organization and its customers is determined; (§ 5.1 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The entity demonstrates a commitment to integrity and ethical values. (CC1.1 ¶ 1 COSO Principle 1:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. (CC1.1 ¶ 3 Bullet 1 Sets the Tone at the Top, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Maintaining strong leadership: The board and management places importance on creating the right risk awareness and tone throughout the entity. Culture and, therefore, risk awareness cannot be changed from second-line team or department functions alone; the organization's leadership must be the real … (Embracing a Risk-Aware Culture ¶ 1 Bullet 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • To promote a habit of protecting personal data, events should be organized in the Federal District to promote professionalization of public servants and the required security measures at each public entity for the custody of personal data. (Art 25, The Personal Data Protection Law for the Federal District (Mexico City))
  • The Chief Executive Officer should set the tone of the organization and influence the environmental factors. (Pg 93, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The service auditor should consider reputation and integrity of management and the significant principal owners or shareholders before accepting an engagement. (¶ 2.04 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should consider the likelihood that associating with the organization will expose the service auditor to financial loss, undue risk of damage to professional reputation, or expose report users to financial loss or misinformation before accepting an engagement. (¶ 2.04 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The organization's control environment defines how the organization functions by influencing the employee's consciousness. The auditor should evaluate how the following control environment elements are used in the organization's processes: ethical and integrity values; employee competence levels; ma… (§ 314.67 thru § 314.69, § 314.75, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • The entity demonstrates a commitment to integrity and ethical values. (CC1.1 COSO Principle 1:, Trust Services Criteria)
  • The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. (CC1.1 Sets the Tone at the Top, Trust Services Criteria)
  • The entity demonstrates a commitment to integrity and ethical values. (CC1.1 ¶ 1 COSO Principle 1:, Trust Services Criteria, (includes March 2020 updates))
  • The board of directors and management, at all levels, demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control. (CC1.1 ¶ 3 Bullet 1 Sets the Tone at the Top, Trust Services Criteria, (includes March 2020 updates))
  • The organization must have a robust organization-wide security program that is fully funded, practiced by senior management, and staffed by trained and knowledgeable individuals. (§ 2.2 ¶ 3, CMS Business Partners Systems Security Manual, Rev. 10)
  • Management with executive responsibility shall establish objectives and policies for, and commitment to, quality. They shall ensure quality policies are understood, implemented, and maintained at all organizational levels. (§ 820.20(a), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • The local agency security officer shall support policy compliance and verify that the criminal justice information services systems agency Information Security Officer is notified of security incidents promptly. (§ 3.2.9(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Determine whether management has data governance and data management processes that include defining responsibility and processes for governing data, including the identification, management, and oversight of any metadata, and promoting a culture that takes a data-centric approach. (App A Objective 3:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should promote a culture that takes a data-centric approach for AIO functions and define responsibility and controls as part of data governance and data management processes. (III.A Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Board sets the tone and direction for the institution's use of technology. (App A Objective 2:1 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the effectiveness of management's communication and monitoring of IT policy compliance across the institution. (App A Objective 13:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • (Pg 19, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Senior management, most likely the CIO, must support the contingency program and be involved in the development of the policy for it to be successful. (§ 3.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • The C-SCRM Strategy and Implementation Plan should address the acquisition security-relevant foundational elements necessary to implement a C-SCRM program. To support the strategy, enterprise leaders should promote the value and importance of C-SCRM within acquisitions and ensure that sufficient, de… (3.1.1. ¶ 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • (§ 3.1.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The organization must manage the security state of systems through a security authorization process. (App G § PM-10.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization's management should develop activities to meet the organization's objectives. Management's operating style and philosophy should be such that effective controls are developed and maintained. (Pg 3, Pg 24, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • The organization's control environment should be created to ensure support from management and management's leadership ability in setting the tone of the organization. When assessing the control environment, the following elements should be considered: human resources policies; management philosophy… (§ II.A, App A § III.B.1, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Management should establish the corporate culture for the organization; create and maintain high ethical standards and a culture of honesty; and establish controls to prevent, deter, and detect fraud. The control environment requires Board of Directors or audit committee participation and consists o… (¶ 25, ¶ 53, ¶ 114, PCAOB Auditing Standard No. 2)
  • The auditor should evaluate management's philosophy and if its operating style promotes effective internal control over financial reporting and evaluate if management promotes sound integrity and ethical values. (¶ 25, PCAOB Auditing Standard No. 5)