Define and assign the Chief Security Officer's roles and responsibilities.


CONTROL ID
06431
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain high level operational roles and responsibilities. (CC ID: 00806)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The CISO oversees cyber supply chain risk management activities for their organisation. (Security Control: 0731; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The CISO receives and manages a dedicated cyber security budget for their organisation. (Security Control: 0732; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The CISO oversees the management of cyber security personnel within their organisation. (Security Control: 0717; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The CISO oversees the development and operation of their organisation's cyber security awareness training program. (Security Control: 0735; Revision: 2, Australian Government Information Security Manual, March 2021)
  • The CISO oversees the management of cyber security personnel within their organisation. (Control: ISM-0717; Revision: 2, Australian Government Information Security Manual, June 2023)
  • The CISO oversees the management of cyber security personnel within their organisation. (Control: ISM-0717; Revision: 2, Australian Government Information Security Manual, September 2023)
  • As a rule, each institution shall have its own information security officer function in-house. (II.4.20, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Verify the formal assignment of Information Security to a Chief Security Officer or other security-knowledgeable member of management. (§ 12.5, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Examine the Information Security policies and procedures to verify a Chief Security Officer has been formally assigned. (Testing Procedures § 12.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify the formal assignment of information security to a Chief Security Officer or other security-knowledgeable member of management. (§ 12.5 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Is responsibility for information security formally assigned to a Chief Security Officer or other security knowledgeable member of management? (12.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is responsibility for information security formally assigned to a Chief Security Officer or other security knowledgeable member of management? (12.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is responsibility for information security formally assigned to a Chief Security Officer or other security-knowledgeable member of management? (12.5 (a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is responsibility for information security formally assigned to a Chief Security Officer or other security-knowledgeable member of management? (12.5(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Is responsibility for information security formally assigned to a Chief Security Officer or other security-knowledgeable member of management? (PCI DSS Question 12.5(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is responsibility for information security formally assigned to a Chief Security Officer or other security-knowledgeable member of management? (PCI DSS Question 12.5(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The Chief Security Officer is responsible for incidents and breaches that do not involve personal information. (Table Ref 1.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Assume ultimate responsibility for managing the security of CJIS systems within their state and/or agency. (§ 3.2.2 ¶ 1(2)(h), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Defined roles and responsibilities for key IT positions, including executive management (CEO and COO, and often CIO or CTO), and CISO. (App A Objective 2:11 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A CISO or information security officer position responsible for the management and mitigation of information security risks. (App A Objective 2:11 e., FFIEC Information Technology Examination Handbook - Management, November 2015)