Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security.


CONTROL ID
06493
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program., CC ID: 06492

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • IRAP assessors are expected to be active participants within the IRAP community to provide consistency and uplift of IRAP assessments. To achieve this, IRAP assessors are expected to: (IRAP Membership Maintaining IRAP assessor membership IRAP community ¶ 1, IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
  • Local information security coordinators shall have a channel of communication with the information security function (e.g., via regular reporting of duties and results of activities). (CF.12.02.03f, The Standard of Good Practice for Information Security)
  • Local information security coordinators should meet regularly with business owners (i.e., people in charge of particular business applications or processes) to review the status of Information Security in business applications and systems. (CF.12.02.07-1, The Standard of Good Practice for Information Security)
  • Security-positive behavior should be encouraged by incorporating Information Security into regular day-to-day activities (e.g., by considering security requirements in planning decisions and budgeting activities, and including the consideration of information risk in business decisions, meetings, an… (CF.02.02.04d, The Standard of Good Practice for Information Security)
  • Local information security coordinators shall have a channel of communication with the information security function (e.g., via regular reporting of duties and results of activities). (CF.12.02.03f, The Standard of Good Practice for Information Security, 2013)
  • Local information security coordinators should meet regularly with business owners (i.e., people in charge of particular business applications or processes) to review the status of Information Security in business applications and systems. (CF.12.02.07-1, The Standard of Good Practice for Information Security, 2013)
  • Security-positive behavior should be encouraged by incorporating Information Security into regular day-to-day activities (e.g., by considering security requirements in planning decisions and budgeting activities, and including the consideration of information risk in business decisions, meetings, an… (CF.02.02.05d, The Standard of Good Practice for Information Security, 2013)
  • supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility. (§ 5.1 ¶ 1 h), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and (PR.AT-4.1(2), CRI Profile, v1.2)
  • Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and (PR.AT-4.1(2), Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Verify that personnel assigned to the engagement are familiar with the applicable professional organizations, such as AICPA and the Financial Accounting Standards Board. (Ques. AT410, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Determine whether management promotes effective governance of the information security program through a strong information security culture, defined information security responsibilities and accountability, and adequate resources to support the program. (App A Objective 2, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Maintain relationships with internal and external partners involved in cyber planning or related areas. (T0739, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Obtain upper management or authorizing official commitment to secure development, and convey that commitment to all with development-related roles and responsibilities. (PO.2.3, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Maintain relationships with internal and external partners involved in cyber planning or related areas. (T0739, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • INTEGRATE FEDERAL CYBERSECURITY CENTERS (STRATEGIC OBJECTIVE 1.3, National Cybersecurity Strategy)
  • INTEGRATE FEDERAL CYBERSECURITY CENTERS (STRATEGIC OBJECTIVE 1.3, National Cybersecurity Strategy (Condensed))