Assign ownership of the internal control framework to the appropriate organizational role.


CONTROL ID
06437
CONTROL TYPE
Establish Roles
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • When creating the security policy implementers should summon a development group for the security policy. (3.3 bullet 3, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Person responsible for the process / specialised department (§ 8.1.2 ¶ 4 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Supervise information security governance framework. (SG.01.01.01-2, The Standard of Good Practice for Information Security)
  • The information security policy should require that owners (typically the people in charge of business processes that are dependent on information and systems) are appointed for all critical systems. (CF.01.01.03b-2, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about business processes and information, including ownership and accountability for critical and sensitive information (i.e., the person who is ultimately responsible inside the local environment for the protection of each type of critical and se… (CF.12.01.04c, The Standard of Good Practice for Information Security)
  • The information security policy should require that owners (typically the people in charge of business processes that are dependent on information and systems) are appointed for all critical systems. (CF.01.01.03b-2, The Standard of Good Practice for Information Security, 2013)
  • The security profile shall contain important details about business processes and information, including ownership and accountability for critical and sensitive information (i.e., the person who is ultimately responsible inside the local environment for the protection of each type of critical and se… (CF.12.01.04c, The Standard of Good Practice for Information Security, 2013)
  • The organization's governing body (e.g., members of the board or equivalent) should establish, direct, monitor, and communicate an information security governance framework. (SG.01.01.01, The Standard of Good Practice for Information Security, 2013)
  • Management shall take the service requirements, regulatory requirements, statutory requirements, and contractual obligations into consideration when approving the information security policy. (§ 6.6.1 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The responsible entity shall assign a single senior manager with overall responsibility and authority for leading and managing the entity's implementation of, and adherence to, standards cip-002-3 through cip-009-3. (§ R2, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • Is there an information security policy that has an owner to maintain and review the policy? (§ B.1, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • developing and overseeing the implementation of policies, principles, standards, and guidelines on information security, including through ensuring timely agency adoption of and compliance with standards promulgated under section 11331 of title 40; (§ 3553(a)(1), Federal Information Security Modernization Act of 2014)
  • developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements, including those issued under section 3553 of this title and section 11331 of title 40; (§ 3554(a)(3)(C), Federal Information Security Modernization Act of 2014)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., FedRAMP Security Controls High Baseline, Version 5)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Designate an individual responsible for coordinating and monitoring day-to-day compliance; and (§ 748.2 (c)(3), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization must develop and disseminate an information security program plan that is approved by senior management. (App G § PM-1.a Bullet 4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization develops a security plan for the information system that is reviewed and approved by the authorizing official or designated representative prior to plan implementation. (PL-2a.9., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that is reviewed and approved by the authorizing official or designated representative prior to plan implementation. (PL-2a.9., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that is reviewed and approved by the authorizing official or designated representative prior to plan implementation. (PL-2a.9., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that is reviewed and approved by the authorizing official or designated representative prior to plan implementation. (PL-2a.9., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Accepts the use of common controls inherited by the system; and (CA-6c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)