Define and assign the Chief of Risk's Information Assurance roles and responsibilities.


CONTROL ID
06092
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Define the Information Assurance strategic roles and responsibilities. (CC ID: 00608)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In APRA's view, the IT security risk management framework would encapsulate the expectations of the Board and senior management, have a designated owner(s), and outline the roles and responsibilities of staff to ensure the achievement of effective IT security risk management outcomes. The framework … (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The senior information risk owner (SIRO) must be an executive. The SIRO is responsible for the following: • Leading and fostering a culture that protects, values, and uses information for the public good. This can be accomplished by ensuring the department has developed a plan to achieve and moni… (Senior Information Risk Owner, Guidance on Mandatory Roles (AO, SIRO, IAO), March 2009)
  • Content ¶ 5: The senior information risk owner (SIRO) must ensure any discrepancies are recognized, recorded, and addressed at the quarterly risk assessment review. Content ¶ 6: The senior information risk owner (SIRO) must ensure the organization develops and implements an action plan based on th… (Content ¶ 5, Content ¶ 6, Guidance on the scope of Quarterly Risk Assessments, March 2009)
  • The Chief Risk Officer (CRO) manages risks at all organizational levels. With the help of the CISO, the CRO will consider IT risks, to include analyzing and assessing IT risk exposures; assessing IT events; analyzing and assessing business risks; and monitoring, supporting, and acting as a mentor fo… (§ 7.2.7, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Top management and oversight bodies, where applicable, should ensure that the authorities, responsibilities and accountabilities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization, and should: - emphasize that risk management is a core … (§ 5.4.3 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)