Involve knowledgeable and experienced individuals in the decision-making process.

CONTROL ID: 06915
CONTROL TYPE: Behavior
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a decision management strategy., CC ID: 06913

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The independent audit and/or expert assessment on the service provider and its sub-contractors may be performed by the institution's internal or external auditors, the service provider's external auditors or by agents appointed by the institution. The appointed persons should possess the requisite k… (5.9.6, Guidelines on Outsourcing)
  • Relevant domain experts should be engaged to participate in the design review. For example, the security design and architecture of the IT system should be reviewed by IT security specialists or qualified security consultants. (§ 5.6.3, Technology Risk Management Guidelines, January 2021)
  • In practice, the internal security experts frequently do not have enough time to analyse all the influencing factors and framework conditions that are relevant to security (e.g. statutory requirements or technical questions). To some extent, they lack the relevant basic principles. It always makes s… (§ 5 ¶ 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Regular checks must be performed to determine whether the security safeguards are appropriate for achieving the security objectives that have been set. Their suitability can be assessed, for instance, by evaluating past security incidents, interviewing employees, or performing penetration tests. Thi… (§ 8.3 Subsection 4 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Participation of the level of management in the brainstorming is not mandatory. However, it is much more important that each participant is capable of providing information on the area represented by such participant, and that such participant is able to name the essential business processes of the … (§ 3.2.1 Subsection 4 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • With regard to using the network plan for the structure analysis, the next step entails comparing the existing network plan (or partial plans, if the overall plan has been divided into smaller sections to make it easier to read) with the actual existing IT structure and if necessary updating it to r… (§ 8.1.4 Subsection 1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In practice, brainstorming involving all employees involved has proven effective in identifying additional threats. Information security officers, specialists responsible, administrators and users of the target object under review as well as external experts, if appropriate, should be involved. The … (§ 4.2 ¶ 10, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Assessing the significance of the impacts involves quantitative and qualitative analysis. How significant an impact is will be specific to the organization and will be influenced by the sectors in which it operates, and its business relationships, among other factors. In some instances, this may nee… (§ 1. Step 3. ¶ 2, GRI 3: Material Topics 2021)
  • The organization shall involve experienced and knowledgeable individuals in the decision-making process. (§ 6.3.3.3(a)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • ensuring there is access to appropriate professional advice in the establishment and implementation and maintaining of the compliance management system; (§ 5.3.4 ¶ 2 k), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The governing body should make decisions of requisite quality and ensure that its decision-making is appropriately informed. The governing body should: (§ 6.8.3.2.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that diverse inputs are provided to a rigorous, open and transparent decision-making process and that the results that can be achieved, options for achieving them and their implications are understood. (§ 6.8.3.2.1 ¶ 1 h), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • reserving some decisions for the governing body (those which materially or fundamentally impact the organization as a whole) and delegating others; (§ 6.3.3.2.2 ¶ 2 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body sets the purpose of the organization and approves the strategies necessary to achieve that purpose. However, it is possible that existing governance is no longer fit-for-purpose when AI is being used within that organization. The specific choice of tools, e.g. AI systems, should b… (§ 4.2 ¶ 1, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Decision-making oversight. The governing body should ensure that there is adequate oversight, that controls are implemented to ensure effective decision-making capabilities and that there is appropriate visibility of both conformity of decision-making to organizational policies and any exceptions. F… (§ 6.3 ¶ 6 Bullet 5, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Level of responsibility. Ensuring that the level of decision-making matches the authority granted and responsibility associated to the decision is a critical element of good governance. Defining the scope and impact of possible decisions and matching those to the levels of responsibility is necessar… (§ 6.3 ¶ 6 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Decision-making capability. Decision-makers should be adequately skilled and trained for the decisions for which they are responsible. Controls should be implemented to ensure AI systems are adequate to the task they have been set. See ISO/IEC TR 24028. (§ 6.3 ¶ 6 Bullet 3, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Senior management should be involved in the retention processes and decisions. (Comment 5.c ¶ 2, The Sedona Principles Addressing Electronic Document Production)
  • Employing a participative management style: Management encourages personnel to participate in decision-making and to discuss risks to the strategy and business objectives. (Embracing a Risk-Aware Culture ¶ 1 Bullet 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Its previous experiences with identity theft. (Appendix A-II. (a)(4), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • The experiences of the financial institution or creditor with identity theft; (Appendix A-V. ¶ 1 (a), 17 CFR Part 248 Subpart C, Regulation S-ID - Identity Theft Red Flags)
  • Determine the entities that should have involvement in that decision-making process. (App A Objective 7:4 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution has processes within enterprise-wide risk management to assist IT management in making risk mitigation decisions, and determine which entities should be involved in the decision-making process. (App A Objective 12:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Decision-making related to mapping, measuring, and managing AI risks throughout the lifecycle is informed by a diverse team (e.g., diversity of demographics, disciplines, experience, expertise, and backgrounds). (GOVERN 3.1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Facilitate interactions between internal and external partner decision makers to synchronize and integrate courses of action in support of objectives. (T0699, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Legal counsel and the privacy officer should be consulted on all decisions that involve the applicability of a particular law, regulation, or other mandate. (§ 3.2.5 ¶ 2, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Facilitate interactions between internal and external partner decision makers to synchronize and integrate courses of action in support of objectives. (T0699, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)