Include the Information Governance Plan in the Strategic Information Technology Plan.


CONTROL ID
10053
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Strategic Information Technology Plan., CC ID: 00628

This Control has the following implementation support Control(s):
  • Engage information governance subject matter experts in the development of the Information Governance Plan., CC ID: 10055
  • Include the transparency goals in the Information Governance Plan., CC ID: 10056
  • Include the information integrity goals in the Information Governance Plan., CC ID: 10057


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is important to consider the organisational necessity and benefits of information security governance. They include increased predictability and the reduction of uncertainty in business operations, a level of assurance that critical decisions are not based on faulty information, enabling efficien… (Information Security Governance ¶ 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • allocation to IT of the generally established standards by which the institution abides; (II.1.2(b), Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The entity has a process for identifying, locating and classifying its PI. This process is clearly described as an essential aspect of its data governance program which is aligned with its information security controls. Relevant control activity policies and procedures have been designed and placed … (M1.4, Privacy Management Framework, Updated March 1, 2020)
  • An information governance program shall be constructed to ensure an appropriate level of protection to information assets that are private, confidential, privileged, secret, classified, essential to business continuity, or that otherwise require protection. (Principle of Protection:, Generally Accepted Recordkeeping Principles®, For the Web)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually. (GRC-01, Cloud Controls Matrix, v4.0)
  • acknowledge the complexities and growing importance of data and establish governance policies and direction that aligns with the organization's needs and the degree of change required; (§ 6.8.3.3 ¶ 1 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensure that the information requirements of the organization are sufficiently supported by its current and future technology capabilities; (§ 6.8.3.3 ¶ 1 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • AI systems can be used to automate, optimize and enhance data handling. (§ 5.4.1 Table 3 Column 2 Row 8 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Definition of a data strategy, evaluation of data and its usage (including the consideration of data planning and the analytics platform), and development of metrics for monitoring data activities. (App A Objective 2:9b Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • data governance and classification; (§ 500.03 Cybersecurity Policy (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)