Define and assign the Chief Executive's Information Assurance roles and responsibilities.


CONTROL ID
06089
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define the Information Assurance strategic roles and responsibilities., CC ID: 00608

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The Chief Executive Officer (CEO) has overall strategic and operational control and must consider IT during all aspects of his/her role. Other responsibilities of the CEO include defining corporate objectives and performance measures; understanding and approving IT short-term and long-range strategi… (§ 7.2.1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning] (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Each Responsible Entity shall identify a CIP Senior Manager by name and document any change within 30 calendar days of the change. [Violation Risk Factor: Medium] [Time Horizon: Operations Planning] (B. R3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Review the roles and responsibilities of all levels of management, including executive management, CIO or CTO, CISO, IT line management, and IT business unit management, to ensure that there is a clear delineation between management and oversight functions and operational duties. (App A Objective 2:9, FFIEC Information Technology Examination Handbook - Management, November 2015)