Disseminate and communicate information about risks to all interested personnel and affected parties.


CONTROL ID: 06718
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment awareness and training program., CC ID: 06453

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • proper disclosure to customers about the risks and limitations of the service should also be made. (§ 6.3.1(v), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Clients may choose to opt out from "trade execution" notifications only. Under such circumstances, adequate risk disclosures should be provided by the licensed or registered person to the client and an acknowledgement should be executed by the client confirming that the client understands the risks … (1.3. ¶ 3, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • The Board of Directors is ultimately responsible for information security. Senior Management is responsible for understanding risks to the bank to ensure that they are adequately addressed from a governance perspective. To do so effectively requires managing risks, including information security ris… (Boards of Directors/Senior Management ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • communicating information pertaining to risks arising from its material outsourcing arrangements to the board in a timely manner. (5.2.3 (h), Guidelines on Outsourcing)
  • Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur. (Security Control: 0230; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information. (Security Control: 0821; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur. (Control: ISM-0230; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information. (Control: ISM-0821; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Personnel are advised of security risks posed by non-secure telephone systems in areas where sensitive or classified conversations can occur. (Control: ISM-0230; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Personnel are advised of security risks associated with posting personal information to online services and are encouraged to use any available privacy settings to restrict who can view such information. (Control: ISM-0821; Revision: 3, Australian Government Information Security Manual, September 2023)
  • roles and responsibilities — clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types … (8(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • PSPs should establish and implement processes to enhance PSUs' awareness of the security risks linked to the payment services by providing PSUs with assistance and guidance. (3.8 92, Final Report EBA Guidelines on ICT and security risk management)
  • the institution has an ICT risk management reporting in place that provides timely information to senior management and the management body, and which allows senior management and/or the management body to assess and monitor whether the institution's ICT risk mitigation plans and measures are cons… (Title 3 3.3.1 49.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The risk management measures referred to in paragraph 2, point (d) shall be such that any residual risk associated with each hazard as well as the overall residual risk of the high-risk AI systems is judged acceptable, provided that the high-risk AI system is used in accordance with its intended pur… (Article 9 4. ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • provision of adequate information pursuant to Article 13, in particular as regards the risks referred to in paragraph 2, point (b) of this Article, and, where appropriate, training to users. (Article 9 4. ¶ 2(c), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Users shall monitor the operation of the high-risk AI system on the basis of the instructions of use. When they have reasons to consider that the use in accordance with the instructions of use may result in the AI system presenting a risk within the meaning of Article 65(1) they shall inform the pro… (Article 29 4. ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • EBA shall promote cooperation, including the sharing of information, in the area of operational and security risks associated with payment services among the competent authorities, and between the competent authorities and the ECB and, where relevant, the European Union Agency for Network and Inform… (Art 95(5), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • providing early warning, alerts, announcements and dissemination of information to relevant stakeholders about risks and incidents; (ANNEX I ¶ 1(2)(a)(ii), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • a policy framework for enhanced coordination between the competent authorities under this Directive and the competent authorities under Directive (EU) 2022/2557 for the purpose of information sharing on risks, cyber threats, and incidents as well as on non-cyber risks, threats and incidents and the … (Article 7 1(g), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Member States shall ensure that their competent authorities under this Directive and their competent authorities under Directive (EU) 2022/2557 cooperate and exchange information on a regular basis with regard to the identification of critical entities, on risks, cyber threats, and incidents as well… (Article 13 5., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • In accordance with their ICT risk management framework, financial entities shall minimise the impact of ICT risk by deploying appropriate strategies, policies, procedures, ICT protocols and tools. They shall provide complete and updated information on ICT risk and on their ICT risk management framew… (Art. 6.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • As part of the ICT risk management framework referred to in Article 6(1), financial entities shall have in place crisis communication plans enabling a responsible disclosure of, at least, major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public, as appropri… (Art. 14.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Note: Every organisation should coordinate the descriptions of the categories in particular with the specialised departments so that all employees can easily understand their meaning. If a specific risk is assessed by two different employees of an organisation, the same result should be obtained. (§ 5.1 ¶ 6, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Your organisation has established roles and responsibilities for the security of networks and information systems at all levels, with clear and well-understood channels for communicating and escalating risks. (A1.b ¶ 1, NCSC CAF guidance, 3.1)
  • Are intelligence reports disseminated to the Information Systems group? (Table Row III.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Processes are in place to communicate relevant and timely information to external parties including shareholders, partners, owners, regulators, customers, and financial analysts and other external parties. (§ 3 Principle 15 Points of Focus: Communicates to External Parties, COSO Internal Control - Integrated Framework (2013))
  • The high-level working group, committee, or equivalent body should ensure the ongoing effectiveness of Information Security arrangements by reporting to stakeholders about risks identified. (SG.01.02.07e-1, The Standard of Good Practice for Information Security)
  • Security awareness messages should cover details about information and related threats, including the definition of the information lifecycle (i.e., creation, processing, storage, transmission, and destruction) and the risks of handling the different formats of information at different stages of its… (CF.02.03.02a, The Standard of Good Practice for Information Security)
  • Security awareness messages should cover details about information and related threats, including the difference between critical information, which needs to be available and have integrity (e.g., product prices / exchange rates, manufacturing information, and medical records) and sensitive informat… (CF.02.03.02b, The Standard of Good Practice for Information Security)
  • Security awareness messages should cover details about information and related threats, including the threats associated with users, the technology they use and the physical location(s) of the local environment (e.g., information leakage as a result of blogging, social engineering attacks, and corru… (CF.02.03.02c, The Standard of Good Practice for Information Security)
  • Education / training should be given to provide staff with the skills they need to understand information risk (i.e., concepts of business impact, likelihood, and how they relate to each other). (CF.02.04.01a, The Standard of Good Practice for Information Security)
  • Critical infrastructure security controls should include methods of sharing information about information risks (e.g., threats and vulnerabilities) with selected internal staff and appropriate external parties (e.g., suppliers, service providers, and government agencies). (CF.08.03.07b, The Standard of Good Practice for Information Security)
  • Information risk reports should be presented to or made available to key decision-makers (including executive management, members of a high-level working group, and the organization's governing body (e.g., members of the board or equivalent)). (SI.02.02.03, The Standard of Good Practice for Information Security)
  • Information risk reports should cover a broad range of information risk-based activities, which include identification of critical or sensitive information and supporting Information Systems. (SI.02.02.05a, The Standard of Good Practice for Information Security)
  • Information risk reports should cover a broad range of information risk-based activities, which include results of security assurance and security audit initiatives being reported to external parties (e.g., auditors and regulators), such as the international standard on assurance engagements 3402 or… (SI.02.02.05b, The Standard of Good Practice for Information Security)
  • Security awareness messages should cover details about information and related threats, including the definition of the information lifecycle (i.e., creation, processing, storage, transmission, and destruction) and the risks of handling the different formats of information at different stages of its… (CF.02.03.02a, The Standard of Good Practice for Information Security, 2013)
  • Security awareness messages should cover details about information and related threats, including the difference between critical information, which needs to be available and have integrity (e.g., product prices / exchange rates, manufacturing information, and medical records) and sensitive informat… (CF.02.03.02b, The Standard of Good Practice for Information Security, 2013)
  • Security awareness messages should cover details about information and related threats, including the threats associated with users, the technology they use and the physical location(s) of the local environment (e.g., information leakage as a result of blogging, social engineering attacks, and corru… (CF.02.03.02c, The Standard of Good Practice for Information Security, 2013)
  • Education / training should be given to provide staff with the skills they need to understand information risk (i.e., concepts of business impact, likelihood, and how they relate to each other). (CF.02.04.01a, The Standard of Good Practice for Information Security, 2013)
  • Critical infrastructure security controls should include methods of sharing information about information risks (e.g., threats and vulnerabilities) with selected internal staff and appropriate external parties (e.g., suppliers, service providers, and government agencies). (CF.08.03.07b, The Standard of Good Practice for Information Security, 2013)
  • Information risk reports should be presented to or made available to key decision-makers (including executive management, members of a high-level working group, and the organization's governing body (e.g., members of the board or equivalent)). (SI.02.02.03, The Standard of Good Practice for Information Security, 2013)
  • Information risk reports should cover a broad range of information risk-based activities, which include identification of critical or sensitive information and supporting Information Systems. (SI.02.02.05a, The Standard of Good Practice for Information Security, 2013)
  • Information risk reports should cover a broad range of information risk-based activities, which include results of security assurance and security audit initiatives being reported to external parties (e.g., auditors and regulators), such as the international standard on assurance engagements 3402 or… (SI.02.02.05b, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group, committee, or equivalent body should ensure the ongoing effectiveness of Information Security arrangements by reporting to stakeholders about risks identified and progress of information security-related projects and initiatives. (SG.01.02.07g, The Standard of Good Practice for Information Security, 2013)
  • Verify that the use of weak authenticators (such as SMS and email) is limited to secondary verification and transaction approval and not as a replacement for more secure authentication methods. Verify that stronger methods are offered before weak methods, users are aware of the risks, or that proper… (2.2.2, Application Security Verification Standard 4.0.3, 4.0.3)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to inventory, document, and maintain data flows for data that is resident (permanently or temporarily) within the service's geographically distributed (physical and virtual) applicatio… (DSI-02, Cloud Controls Matrix, v3.0)
  • The Risk Management plan shall include the medical Information Technology network description, including a list of shareholders to notify about risks. (§ 4.3.5 ¶ 1(a)(1), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall communicate the risk profile to stakeholders periodically. (§ 6.3.4.3(b)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • identifying and communicating compliance risks in their operations; (§ 5.3.5 ¶ 1 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall decide, using life safety as the first priority and in consultation with relevant interested parties, whether to communicate externally about its significant risks and impacts and document its decision. If the decision is to communicate then the organization shall establish an… (§ 8.4.2 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Decision makers and stakeholders should exchange and/or share information about risks. Risk communications should include, but not be limited to, the presence, attributes, form, probability, severity, response, and acceptability of risks. Risk communications should achieve the following: providing a… (§ 11, ISO 27005 Information technology -- Security techniques -- Information security risk management, 2011)
  • Decision makers and other stakeholders should be aware of the nature and extent of the remaining risk after risk treatment. The remaining risk should be documented and subjected to monitoring, review and, where appropriate, further treatment. (§ 6.5.2 ¶ 8, ISO 31000 Risk management - Guidelines, 2018)
  • Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey an organization's objectives and commitment to risk management. The commitment should include, but i… (§ 5.4.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • explain and justify the organization's actions, inactions, omissions, risk and dependencies, including those of the governing body; (§ 6.5.3.2 ¶ 1 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that when the governing body makes decisions, it assesses, treats, monitors, and communicates the nature and extent of the risks faced; (§ 6.9.3.1 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • effective risk reporting and communication of risk are practised and promoted throughout the organization; (§ 6.9.3.4 ¶ 1 h), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; (§ 6.4.3.3 ¶ 2 Bullet 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the risks posed to the organization, and the organization's value generation model, by the natural environmental, social and economic systems within which it operates and by the governing body's decisions; (§ 6.11.3.4 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the risks posed to the natural environmental, social and economic systems by the organization, by the organization's value generation model and by the governing body's decisions. (§ 6.11.3.4 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • identifying and communicating compliance risks in their operations; (§ 5.3.3 ¶ 1 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • hazards, OH&S risks and actions determined that are relevant to them; (§ 7.3 ¶ 1 e), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • identifying and communicating compliance risks in their operations; (§ 5.3.3 ¶ 1 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • their work activities, the associated risks and opportunities and how they relate to each other; and (Section 7.3 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • plans and results of risk management to interested parties as needed and appropriate, in the identification, analysis, evaluation, and treatment of the risks; (§ 7.4 Guidance ¶ 2(a), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Information about risk should be exchanged and/or shared between the decision-maker and other stakeholders. (§ 11 Action:, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The cloud service provider should make available to the cloud service customer information about the management of technical vulnerabilities that can affect the cloud services provided. (§ 12.6.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The cloud service customer should request information from the cloud service provider about the management of technical vulnerabilities that can affect the cloud services provided. The cloud service customer should identify the technical vulnerabilities it will be responsible to manage, and clearly … (§ 12.6.1 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The governing body should take responsibility for the use of AI, rather than attributing responsibility to the AI system itself. Members of the governing body are responsible for informing themselves about the possibilities and risks raised by using AI systems. Members of the governing body should b… (§ 4.3 ¶ 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Provide robust and timely epidemiological and social science data analysis to continuously inform risk assessment and support operational decision making for the response (Pillar 3 Step 3 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. (CC2.3 ¶ 3 Bullet 1 Communicates to External Parties, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization uses communication channels to support enterprise risk management. (Principle 19: Communicates Risk Information, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Employing a participative management style: Management encourages personnel to participate in decision-making and to discuss risks to the strategy and business objectives. (Embracing a Risk-Aware Culture ¶ 1 Bullet 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Having open and honest discussions about risks facing the entity: Management does not view risk as being negative, and understands that managing risk is critical to achieving the strategy and business objectives. (Embracing a Risk-Aware Culture ¶ 1 Bullet 6, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management provides guidance to personnel so they understand the risks. Management also demonstrates leadership by communicating the expectations of conduct for all aspects of enterprise risk management. Such leadership from the top helps to establish and enforce accountability and a common purpose. (Enforcing Accountability ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management ensuring that information on risk flows throughout the entity (e.g., communicating how decisions are made and how risk is considered as part of decisions). (Enforcing Accountability ¶ 3 Bullet 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Risk appetite is communicated by management, endorsed by the board, and disseminated throughout the entity. Disseminating risk appetite is important, as the goal is for all decision-makers to understand the risk appetite they must operate within, especially those who perform tasks to achieve busines… (Articulating Risk Appetite ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Emerging risks arise when business context changes, and they may alter the entity's risk profile in the future. Note that emerging risks may not be understood well enough to identify and initially assess accurately, and may warrant re-identification more frequently. Additionally, organizations shoul… (Identifying Risk ¶ 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • A variety of approaches are available to determine risk appetite, including facilitating discussions, reviewing past and current performance targets, and modeling. In determining risk appetite, organizations may consider stakeholders as noted in the discussion on business context. It is up to manage… (Determining Risk Appetite ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • It is management's responsibility to cultivate open communication and transparency about risk and the risk-taking expectations. Management demonstrates that risk is not a discussion to be left for the boardroom. It does that by sending clear and consistent messages to employees that managing risk is… (Keeping Communication Open and Free from Retribution ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Board and management continually discuss risk appetite. As part of its oversight role, the board ensures that communications regarding risk appetite remain open. It may do this by holding formal quarterly board meetings, and by calling extraordinary meetings to address specific events, such as cyber… (Communicating with the Board ¶ 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk. (ID.RA-6.1, CRI Profile, v1.2)
  • The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk. (ID.RA-6.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The system description, when addressing privacy controls, must contain a statement on how the privacy notice is communicated to individuals, in order to meet the criteria for being fairly presented, if user entities provide the privacy notice to the individuals. (¶ 1.35.e, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should determine whether deviations from intentional acts, noncompliance with laws and regulations, and other adverse events that are not detected or protected by a control should be communicated to affected user entities and if the communication has already occurred. (¶ 3.85, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • In addition to the communication responsibilities in section 205, if the service auditor becomes aware of the matters identified in paragraph .34, the service auditor should determine whether this information has been communicated appropriately to affected user entities. If the information has not b… (AT-Section 320.45, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. (CC2.3 Communicates to External Parties, Trust Services Criteria)
  • Processes are in place to communicate relevant and timely information to external parties, including shareholders, partners, owners, regulators, customers, financial analysts, and other external parties. (CC2.3 ¶ 3 Bullet 1 Communicates to External Parties, Trust Services Criteria, (includes March 2020 updates))
  • Principle: Firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes and structures coupl… (Governance and Risk Management for Cybersecurity, Report on Cybersecurity Practices)
  • Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. (AT.2.056, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. (AT.2.056, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. (AT.2.056, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Ensure that managers, system administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems. (AT.2.056, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Communication of BIA results throughout the entity. (III.A Action Summary ¶ 2 Bullet 5, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Roles, responsibilities, procedures, and reporting mechanisms for risk management in AIO activities. (App A Objective 2:8b Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ensuring board members have appropriate knowledge of risks to provide a credible challenge to management. (App A Objective 2:3c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management understands and communicates the risks of shadow IT to entity personnel. Additionally, determine whether internal audit evaluates management's processes to monitor, identify, and remove unapproved devices, software, or services. Assess whether management performs the fol… (App A Objective 4:5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management is aware of and mitigates operational risks associated with IT operations, including the following: (App A Objective 12:12, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk. (Layered Security Programs ¶ 2 Bullet 9, Supplement to Authentication in an Internet Banking Environment)
  • The organization determines what information about the information system is discoverable by adversaries and subsequently takes [FedRAMP Assignment: notify appropriate service provider personnel and follow procedures for organization and service provider-defined corrective actions]. (RA-5(4) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Organizational teams are committed to a culture that considers and communicates AI risk. (GOVERN 4, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Risk treatments, including response and recovery, and communication plans for the identified and measured AI risks are documented and monitored regularly. (MANAGE 4, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Enterprises are continuously exposed to risk originating from their supply chains. An effective information-sharing process helps to ensure that enterprises can gain access to information that is critical to understanding and mitigating cybersecurity risks throughout the supply chain and also share … (3.2. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Identify the continuous monitoring stakeholders and establish a process to keep them informed about the program. (T0981, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Data processing by systems, products, or services is understood and informs the management of privacy risk. (Inventory and Mapping (ID.IM-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The policies, processes, and procedures to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of privacy risk. (Governance Policies, Processes, and Procedures (GV.PO-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The policies, processes, and procedures for ongoing review of the organization's privacy posture are understood and inform the management of privacy risk. (Monitoring and Review (GV.MT-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must share the vulnerability information from the vulnerability scan with other personnel in the organization to help eliminate the same vulnerability in other smart grid Information Systems. (SG.RA-6 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Identify the continuous monitoring stakeholders and establish a process to keep them informed about the program. (T0981, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions (Risk Management Strategy (GV.RM), Framework for Improving Critical Infrastructure Cybersecurity, v2.0)
  • Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties (GV.RM-05, Framework for Improving Critical Infrastructure Cybersecurity, v2.0)
  • A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated (GV.RM-06, Framework for Improving Critical Infrastructure Cybersecurity, v2.0)
  • Public reporting on the risk will not negatively impact services provided to the public, national security, or agency operations. (Section II (B4) ¶ 3 Bullet 4, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • make provisions for alerting the appropriate level of management to new or emerging risks, as well as changes in already identified risks, so that the change can be appropriately addressed. (Section II (C) ¶ 1 Bullet 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)