Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program.


CONTROL ID: 06492
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Leadership and high level objectives, CC ID: 00597

This Control has the following implementation support Control(s):
  • Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security., CC ID: 06493


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A critical element in accepting responsibility by management is that the management is informed about the possible risks and consequences of insufficient Information Security. (3.1 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Does the policy management software provide a policy management component related to policy compliance and regulatory compliance? (Table Row II.19, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Interview responsible personnel and verify they are familiar with and performing their designated PCI DSS compliance responsibilities. (A3.1.3.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners. (§ 3 Principle 1 Points of Focus: Establishes Standards of Conduct, COSO Internal Control - Integrated Framework (2013))
  • The security awareness program should be delivered as part of an on-going information security awareness program. (CF.02.02.01d, The Standard of Good Practice for Information Security)
  • The security awareness program should be delivered as part of an on-going information security awareness program. (CF.02.02.01d, The Standard of Good Practice for Information Security, 2013)
  • the implications of not conforming with the environmental management system requirements, including not fulfilling the organization's compliance obligations. (§ 7.3 ¶ 1 d), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • directing and supporting persons to contribute to the effectiveness of the compliance management system; (§ 5.1 ¶ 1 g), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • providing or organizing on-going training support for employees to ensure that all relevant employees are trained on a regular basis; (§ 5.3.4 ¶ 2 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • cooperating with and supporting the compliance function and encouraging employees to do the same; (§ 5.3.5 ¶ 1 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • personally complying and being seen to comply with policies, procedures and processes and attending and supporting compliance training activities; (§ 5.3.5 ¶ 1 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • developing employee awareness of compliance obligations and directing them to meet training and competence requirements; (§ 5.3.5 ¶ 1 g), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • actively undertaking and encouraging mentoring, coaching and supervising employees to promote compliant behaviour; (§ 5.3.5 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • their role and contribution to the effectiveness of the compliance management system, including the benefits of improved compliance management system performance; (§ 7.3.1 ¶ 1 b), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • encouraging all employees to accept the importance of achieving the compliance objectives for which they are responsible or accountable; (§ 7.3.2.2 ¶ 1 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • change in the compliance obligations, especially in legal or interested parties requirements; (§ 7.2.2 ¶ 5 Bullet 4, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • aligned to the corporate training program and be incorporated into annual training plans; (§ 7.2.2 ¶ 4 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • undertaken at commencement with the organization and be on-going; (§ 7.2.2 ¶ 4 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • their contribution to the effectiveness of the BCMS, including the benefits of improved business continuity management performance, (§ 7.3 ¶ 1 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Governing body members should continuously improve their competency regarding the organization's activities, legal requirements and, more broadly, the organization's context. This improving capability, together with regular reviews of governance practices, should ensure a continually improving gover… (§ 4.3.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • monitoring, evaluating and developing the capacities and competencies of those to whom the governing body has delegated; (§ 6.3.3.2.2 ¶ 2 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • directing and supporting persons to contribute to the effectiveness of the compliance management system; (§ 5.1.1 ¶ 1 bullet 6, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • developing personnel awareness of compliance obligations and directing them to meet training and competence requirements; (§ 5.3.3 ¶ 1 bullet 6, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • their contribution to the effectiveness of the compliance management system, including the benefits of improved compliance performance; (§ 7.3 ¶ 1 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • within a reasonable period of their employment commencing, personnel receive a copy of, or are provided with access to, the compliance policy and training in relation to that policy; (§ 7.2.2 ¶ 1 b), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • cooperating with and supporting the compliance function and encouraging personnel to do the same; (§ 5.3.3 ¶ 1 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • attending and supporting compliance training activities; (§ 5.3.3 ¶ 1 bullet 5, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Top management shall encourage behaviour that creates and supports compliance. It shall prevent and not tolerate behaviour that compromises compliance. (§ 5.1.2 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • all relevant personnel are trained as required; (§ 5.3.2 ¶ 2 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Top management shall encourage behaviour that creates and supports compliance and shall prevent and not tolerate behaviour that compromises compliance. (§ 5.1.2 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • that all relevant personnel are trained as required. (§ 5.3.2 ¶ 3 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • attending and supporting compliance training activities; (§ 5.3.3 ¶ 1 bullet 5, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • developing personnel awareness of compliance obligations and directing them to meet training and competence requirements; (§ 5.3.3 ¶ 1 bullet 6, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • within a reasonable period of their employment commencing, personnel receive a copy of, or are provided with access to, the compliance policy and training in relation to that policy; (§ 7.2.2 ¶ 1 b), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • directing and supporting persons to contribute to the effectiveness of the compliance management system; (§ 5.1.1 ¶ 1 bullet 6, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • their contribution to the effectiveness of the compliance management system, including the benefits of improved compliance performance; (§ 7.3 ¶ 1 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • cooperating with and supporting the compliance function and encouraging personnel to do the same; (§ 5.3.3 ¶ 1 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. (CC1.1 ¶ 3 Bullet 2 Establishes Standards of Conduct, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Encouraging risk awareness across the entity: Management continually sends messages to personnel that managing risk is a part of their daily responsibilities, and that it is not only valued but also critical to the entity's success and survival. (Embracing a Risk-Aware Culture ¶ 1 Bullet 7, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization identifies and addresses the effect of industry requirement changes on privacy requirements. (Generally Accepted Privacy Principles and Criteria § 1.2.11 Bullet 3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should identify, monitor, assess, and address, on an ongoing basis, the effect of industry Requirement changes on privacy requirements. (Table Ref 1.2.11, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should develop, document, approve, and implement an information security program, to include technical, administrative, and physical controls that protect personal information from unauthorized access, unauthorized alteration, misuse, loss, unauthorized destruction, and unauthorized… (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity's standards of conduct and understood at all levels of the organization and by outsourced service providers and business partners. (CC1.1 Establishes Standards of Conduct, Trust Services Criteria)
  • The expectations of the board of directors and senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners. (CC1.1 ¶ 3 Bullet 2 Establishes Standards of Conduct, Trust Services Criteria, (includes March 2020 updates))
  • Enabling appropriate management training on AIO to carry out its responsibilities and manage risk. (App A Objective 2:3d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should promote effective IT governance by doing the following: - Establishing an information security culture that promotes an effective information security program and the role of all employees in protecting the institution's information and systems. - Clearly defining and communicati… (I Governance of the Information Security Program, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Does the Credit Union Information Technology policy include regulatory compliance of website content, e-forms, e-statements, applications, etc.? (IT - Policy Checklist Q 16, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The board of directors should ensure that an effective process has been implemented for managing the risks related to third party relationships in a way that is consistent with strategic goals, risk appetite, and organizational objectives. ("Board of Directors" Bullet 1, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)