Establish, implement, and maintain communication protocols.
CONTROL ID 12245
CONTROL TYPE Establish/Maintain Documentation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a reporting methodology program., CC ID: 02072
This Control has the following implementation support Control(s):
Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol., CC ID: 12419
Include external requirements in the organization's communication protocol., CC ID: 12418
Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols., CC ID: 12824
Include input from interested personnel and affected parties as a part of the organization's communication protocol., CC ID: 12417
Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement., CC ID: 15677
Identify barriers to stakeholder engagement., CC ID: 15676
Identify alternative measures for collecting stakeholder input, as necessary., CC ID: 15672
Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols., CC ID: 12804
Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol., CC ID: 12856
Include disseminating and communicating desirable conduct in the communication protocols., CC ID: 12803
Include disseminating and communicating undesirable conduct in communication protocols., CC ID: 12802
Substantiate notifications, as necessary., CC ID: 12831
Analyze the flow of information to ensure it is being received by the correct processes., CC ID: 12860
Prioritize notifications, as necessary., CC ID: 12830
Report to management and stakeholders on the findings and information gathered from all types of inquiries., CC ID: 12797
Disseminate and communicate internal controls with supply chain members., CC ID: 12416
Establish and maintain the organization's survey method., CC ID: 12869
Establish, implement, and maintain warning procedures that follow the organization's communication protocol., CC ID: 12407
Establish, implement, and maintain alert procedures that follow the organization's communication protocol., CC ID: 12406
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
A licensed or registered person should notify clients (eg, via email, short message service (SMS) or other push notifications) promptly after certain client activities have taken place in their internet trading accounts. These activities should at least include: (1.3. ¶ 1, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
It is necessary to establish communication networks considering multiple communication means. (P70.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
The emergency call systems intended to inform the business room, control center, and other related divisions of any emergency situation having occurred in the ATM room of branch offices should be installed in a conspicuous place for the customers near the automatic device and identified with a sign … (F112.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
Authenticity: In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine. It is also important for authenticity to validate that both parties involved are who they claim they are. (Basic Principles of Information Security ¶ 1 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
A bank needs to have clear accountability and communication strategies to limit the impact of information security incidents through defined mechanisms for escalation and reporting to the Board and senior management and customer communication, where appropriate. Incident management strategies would … (Critical components of information security 10) (iv), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
Where the board delegates its responsibility to a committee as described in paragraph 5.2.2, the board should establish communication procedures between the board and the committee. This should include requiring the committee to report to the board on a regular basis, and ensuring that senior manage… (5.2.4, Guidelines on Outsourcing)
Consequently, a follow-up process to track and monitor IT audit issues, as well as an escalation process to notify the relevant IT and business management of key IT audit issues, should be established. (§ 14.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
A communications plan that covers the process and procedures to apprise customers of impact on services, and to handle media or public queries should be maintained. The plan should also include identifying the spokespersons and subject matter experts to address the media or public queries as well as… (§ 7.7.6, Technology Risk Management Guidelines, January 2021)
Use a fax cover sheet for documents being faxed, stating the recipient and sender details, the security classification and the number of pages in the document. (Annex A2: Security for Printers, Copiers, Scanners and Fax Machines (MFPs) 23, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
contribute to events, forums, workshops and general correspondence, and (IRAP Membership Maintaining IRAP assessor membership IRAP community ¶ 1 Bullet 2, IRAP Policies and Procedures Australian Signals Directorate Information Security Registered Assessors Program, 11/2020)
The Board, governing bodies and individuals would typically define their information requirements (e.g. schedule, format, scope and content) to ensure they are provided with sufficient and timely information to effectively discharge their information security roles and responsibilities. Reporting to… (13., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
An APRA-regulated entity would typically have clear accountability and communication strategies to limit the impact of information security incidents. Under CPS 234, this includes escalation and reporting of information security incidents to the Board, other governing bodies and individuals responsi… (71., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
A regulated institution would normally have clear accountability and communication strategies to limit the impact of IT security incidents. This would typically include defined mechanisms for escalation and reporting to the Board and senior management and customer communication where appropriate (re… (¶ 72, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
effective internal communication plans, including incident notification and escalation procedures - also covering security-related customer complaints - to ensure that: (3.5.1 60(d), Final Report EBA Guidelines on ICT and security risk management)
the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, as well as for the implementation of security measures, between account servicing payment service providers, payment initiation service providers, … (Art 98(1)(d), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
CSIRTs shall ensure a high level of availability of their communications services by avoiding single points of failure, and shall have several means for being contacted and for contacting others at all times. Furthermore, the communication channels shall be clearly specified and well known to the co… (ANNEX I ¶ 1(1)(a), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
Inadequate communication and a lack of information may lead to security issues, but also to incorrect decisions or unnecessary working steps. This must be avoided by personnel safeguards and organisational regulations. Employees must be informed about the purpose of security safeguards, particularly… (§ 4.2 Bullet 2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
Procedures are defined and documented to communicate the information received to the internal and external employees of the cloud provider and to be able to respond to it appropriately and in a timely manner. (Section 5.1 OIS-05 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
Provide multiple pathways to report progress toward objectives, and the actual or potential occurrence of undesirable and desirable conduct, conditions, and events. (OCEG GRC Capability Model, v. 3.0, P6 Notification, OCEG GRC Capability Model, v 3.0)
Define how the organization will manage related communications that are not formal reports. (OCEG GRC Capability Model, v. 3.0, P3.3 Develop Communication Plan, OCEG GRC Capability Model, v 3.0)
Develop stakeholder relation plans for each key stakeholder constituency. (OCEG GRC Capability Model, v. 3.0, L4.3 Develop Stakeholder Relations Plans, OCEG GRC Capability Model, v 3.0)
The CSP must have in place, and describe to CSCs the procedure to manage and respond to requests for disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The CSP must give special attention to the notification procedure to interested CSCs, unless o… (DSP-18, Cloud Controls Matrix, v4.0)
take into account its compliance obligations; (§ 7.4.1 ¶ 2 Bullet 1, ISO 14001:2015 - Environmental management systems - Requirements with guidance for use, Third Edition)
on what it will communicate; (§ 7.4.1 ¶ 1 a), ISO 14001:2015 - Environmental management systems - Requirements with guidance for use, Third Edition)
when to communicate; (§ 7.4.1 ¶ 1 b), ISO 14001:2015 - Environmental management systems - Requirements with guidance for use, Third Edition)
with whom to communicate; (§ 7.4.1 ¶ 1 c), ISO 14001:2015 - Environmental management systems - Requirements with guidance for use, Third Edition)
how to communicate. (§ 7.4.1 ¶ 1 d), ISO 14001:2015 - Environmental management systems - Requirements with guidance for use, Third Edition)
The organization shall respond to relevant communications on its environmental management system. (§ 7.4.1 ¶ 3, ISO 14001:2015 - Environmental management systems - Requirements with guidance for use, Third Edition)
Communication is about providing information relevant to an organization's EMS, including environmental commitments, actions and performance, as well as feedback on the adequacy, efficiency and effectiveness of system elements and processes. Internal communication facilitates the coordination of act… (§ 5.7 ¶ 5, ISO 14005:2019, Environmental management systems - Guidelines for a flexible approach to phased implementation, Second Edition)
identify communication needs. (§ 6.6 ¶ 1 Bullet 8, ISO 14005:2019, Environmental management systems - Guidelines for a flexible approach to phased implementation, Second Edition)
the establishment of external and internal communication processes, as appropriate; (§ 5.4.1 ¶ 1(d) Bullet 4, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
During the audit, the audit team leader should periodically communicate the progress, any significant findings and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk should be reported without delay to the… (§ 6.4.4 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
The organization should determine the need for internal and external communications relevant to the compliance management system, including: (§ 7.4.1 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
The organization should adopt appropriate methods of communication to ensure that the compliance message is heard and understood by all employees on an on-going basis. The communication should clearly set out the organization's expectation of employees and those noncompliances that are expected to b… (§ 7.4.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
establish an appropriate internal and external communications protocol, (§ 8.4.1 ¶ 3 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
The organization shall establish, implement, and maintain procedure(s) for - internal communication amongst interested parties and employees within the organization, - external communication with customers, partner entities, local community, and other interested parties, including the media, - recei… (§ 7.4 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
internal communication within the organization and receiving, documenting and responding to communication from interested parties, (§ 8.4.3 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
when to communicate; (§ 7.4 ¶ 1 b), ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements, Second Edition)
The organization shall determine the internal and external communications relevant to the BCMS, including: (§ 7.4 ¶ 1, ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements, Second Edition)
how to communicate; (§ 7.4 ¶ 1 d), ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements, Second Edition)
The warning and communication procedures shall be exercised as part of the organization's exercise programme described in 8.5. (§ 8.4.3.2 ¶ 1, ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements, Second Edition)
providing details of the organization's media response following an incident, including a communications strategy; (§ 8.4.3.1 e), ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements, Second Edition)
receiving, documenting and responding to communications from interested parties, including any national or regional risk advisory system or equivalent; (§ 8.4.3.1 b), ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements, Second Edition)
communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate; (§ 8.4.3.1 a), ISO 22301:2019, Security and resilience - Business continuity management systems - Requirements, Second Edition)
The organization shall determine the need for internal and external communications relevant to the information security management system including: (§ 7.4 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
on what to communicate; (§ 7.4 ¶ 1 a), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
when to communicate; (§ 7.4 ¶ 1 b), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
with whom to communicate; (§ 7.4 ¶ 1 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
who shall communicate; and (§ 7.4 ¶ 1 d), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
an open and transparent communication culture within the organization is created and maintained to help bridge the gap between diverse stakeholder groups and varying perspectives based on, for example, gender, age, belief systems or cognitive abilities; (§ 6.6.3 ¶ 3 e), ISO 37000:2021, Governance of organizations - Guidance, First Edition)
identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustaine… (§ 6.11.3.2 ¶ 1 a), ISO 37000:2021, Governance of organizations - Guidance, First Edition)
whistleblowing processes and personnel and customer feedback mechanisms, both formal and informal (see NOTE 3). (§ 6.4.3.3 ¶ 2 Bullet 5, ISO 37000:2021, Governance of organizations - Guidance, First Edition)
The organization shall determine the internal and external communications relevant to the compliance management system, including: (§ 7.4 ¶ 1, ISO 37301:2021 Compliance management systems - Requirements with guidance for use, First Edition, Edition 1)
when to communicate; (§ 7.4 ¶ 1 b), ISO 37301:2021 Compliance management systems - Requirements with guidance for use, First Edition, Edition 1)
how to communicate. (§ 7.4 ¶ 1 d), ISO 37301:2021 Compliance management systems - Requirements with guidance for use, First Edition, Edition 1)
respond to relevant communications on its compliance management system; (§ 7.4 ¶ 2 bullet 4, ISO 37301:2021 Compliance management systems - Requirements with guidance for use, First Edition, Edition 1)
The organization shall respond to relevant communications on its OH&S management system. (§ 7.4.1 ¶ 5, ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
on what it will communicate; (§ 7.4.1 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
with whom to communicate: (§ 7.4.1 ¶ 1 c), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
internally among the various levels and functions of the organization; (§ 7.4.1 ¶ 1 c) 1), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
how to communicate. (§ 7.4.1 ¶ 1 d), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
among other interested parties; (§ 7.4.1 ¶ 1 c) 3), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
The organization shall externally communicate information relevant to the OH&S management system, as established by the organization's communication process(es) and taking into account its legal requirements and other requirements. (§ 7.4.3 ¶ 1, ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
The organization shall establish, implement and maintain the process(es) needed for the internal and external communications relevant to the OH&S management system, including determining: (§ 7.4.1 ¶ 1, ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
when to communicate; (§ 7.4.1 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
ensure that OH&S information to be communicated is consistent with information generated within the OH&S management system, and is reliable. (§ 7.4.1 ¶ 4 Bullet 2, ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
internally communicate information relevant to the OH&S management system among the various levels and functions of the organization, including changes to the OH&S management system, as appropriate; (§ 7.4.2 ¶ 1 a), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
relevant communication(s) with interested parties; (§ 9.3 ¶ 2 f), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
when the results from monitoring and measurement shall be analysed, evaluated and communicated. (§ 9.1.1 ¶ 2 e), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
The organization shall communicate this documented information to relevant workers, and, where they exist, workers' representatives, and other relevant interested parties. (§ 10.2 ¶ 5, ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
communicating relevant information to contractors, visitors, emergency response services, government authorities and, as appropriate, the local community; (§ 8.2 ¶ 1 f), ISO 45001:2018, Occupational health and safety management systems - Requirements with guidance for use, First Edition)
with whom to communicate; (7.4 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
how to communicate; (7.4 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
who communicates. (7.4 ¶ 1(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
the need to control interfaces between persons involved in the design and development process; (8.3.2 ¶ 1(f), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
The organization shall determine the internal and external communications relevant to the compliance management system, including: (§ 7.4 ¶ 1, ISO/DIS 37301, Compliance management systems - Requirements with guidance for use, DRAFT)
when to communicate; (§ 7.4 ¶ 1 b), ISO/DIS 37301, Compliance management systems - Requirements with guidance for use, DRAFT)
The organization shall respond to relevant communications on its compliance management system. (§ 7.4 ¶ 5, ISO/DIS 37301, Compliance management systems - Requirements with guidance for use, DRAFT)
how to communicate. (§ 7.4 ¶ 1 d), ISO/DIS 37301, Compliance management systems - Requirements with guidance for use, DRAFT)
The organization shall determine the need for internal and external communications relevant to IT assets, IT asset management and the IT asset management system including: (Section 7.4 ¶ 1, ISO/IEC 19770-1, Information technology - IT asset management - Part 1: IT asset management systems - Requirements, Third Edition, 2017-12)
on what it will communicate; (Section 7.4 ¶ 1 bullet 1, ISO/IEC 19770-1, Information technology - IT asset management - Part 1: IT asset management systems - Requirements, Third Edition, 2017-12)
when to communicate; (Section 7.4 ¶ 1 bullet 2, ISO/IEC 19770-1, Information technology - IT asset management - Part 1: IT asset management systems - Requirements, Third Edition, 2017-12)
with whom to communicate; and (Section 7.4 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology - IT asset management - Part 1: IT asset management systems - Requirements, Third Edition, 2017-12)
how to communicate. (Section 7.4 ¶ 1 bullet 4, ISO/IEC 19770-1, Information technology - IT asset management - Part 1: IT asset management systems - Requirements, Third Edition, 2017-12)
The organization shall determine the internal and external communications relevant to the SMS and the services including: (§ 7.4 ¶ 1, ISO/IEC 20000-1:2018, Information technology - Service management - Part 1: Service management system requirements, Third Edition)
when to communicate; (§ 7.4 ¶ 1(b), ISO/IEC 20000-1:2018, Information technology - Service management - Part 1: Service management system requirements, Third Edition)
with whom to communicate; (§ 7.4 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology - Service management - Part 1: Service management system requirements, Third Edition)
The organization shall establish arrangements for communicating with its customers and other interested parties. The communication shall promote understanding of the evolving business environment in which the services operate and shall enable the organization to respond to new or changed service req… (§ 8.3.2 ¶ 2, ISO/IEC 20000-1:2018, Information technology - Service management - Part 1: Service management system requirements, Third Edition)
how to communicate; (§ 7.4 ¶ 1(d), ISO/IEC 20000-1:2018, Information technology - Service management - Part 1: Service management system requirements, Third Edition)
on what it will communicate; (§ 7.4 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology - Service management - Part 1: Service management system requirements, Third Edition)
who will be responsible for the communication. (§ 7.4 ¶ 1(e), ISO/IEC 20000-1:2018, Information technology - Service management - Part 1: Service management system requirements, Third Edition)
when to communicate; (§ 7.4 ¶ 1 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements)
how to communicate. (§ 7.4 ¶ 1 d), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection - Information security management systems - Requirements)
Communication relies on processes, channels and protocols. These should be chosen to ensure the communicated message is integrally received, correctly understood and, when relevant, acted upon appropriately. (§ 7.4 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology - Security techniques - Information security management systems - Guidance, Second Edition, 2017-03)
Communication should be classified and handled according to the organization's requirements. (§ 7.4 Guidance ¶ 4, ISO/IEC 27003:2017, Information technology - Security techniques - Information security management systems - Guidance, Second Edition, 2017-03)
requests or other communications from external parties such as customers, potential customers, users of services and authorities. (§ 7.4 Guidance ¶ 2(j), ISO/IEC 27003:2017, Information technology - Security techniques - Information security management systems - Guidance, Second Edition, 2017-03)
the triggers or frequency of communication (e.g. for communication of an event, the trigger is the identification of the event); (§ 7.4 Guidance ¶ 3(l), ISO/IEC 27003:2017, Information technology - Security techniques - Information security management systems - Guidance, Second Edition, 2017-03)
the communication means and channels. Communication should use dedicated means and channels, to make sure that the message is official and bears the appropriate authority. Communication channels should address any needs for the protection of the confidentiality and integrity of the information trans… (§ 7.4 Guidance ¶ 3(o), ISO/IEC 27003:2017, Information technology - Security techniques - Information security management systems - Guidance, Second Edition, 2017-03)
Organizations should determine which content needs to be communicated, such as: (§ 7.4 Guidance ¶ 2, ISO/IEC 27003:2017, Information technology - Security techniques - Information security management systems - Guidance, Second Edition, 2017-03)
It is important that the board understands the complexity of the entity and how integrating enterprise risk management capabilities and practices will enhance value. The board engages in conversations with management to determine whether enterprise risk management is suitably designed to enhance val… (Suitability of Enterprise Risk Management ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
Information is shared and escalated to the relevant level within the entity. Transparency of information may relate to: (Keeping Communication Open and Free from Retribution ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
For information to be received as intended, it must be communicated clearly. To be sure communication methods are working, organizations should periodically evaluate them. This can be done through existing processes such as stating expectations for enterprise risk management in employee performance … (Methods of Communicating ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
In addition to the list above, separate lines of communication are needed when normal channels are inoperative or insufficient for communicating matters requiring heightened attention. Many organizations provide a means to communicate anonymously to the board of directors or a board delegate - such … (Methods of Communicating ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
the nature, timing, and extent of communication between the service auditor and the specialist, including the form of any report or documentation to be provided by the specialist; and (¶ 2.160(c)(iii), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
When service organization management elects to use the inclusive method, subservice organization management is also a responsible party in the SOC 2® examination. Accordingly, subservice organization management has to comply with the requirements of AT-C sections 105 and 205 that relate to the resp… (¶ 2.96, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
Trust services criterion CC2.3 states The entity communicates with external parties regarding matters affecting the functioning of internal control, which would include communication of user responsibilities. However, because user responsibilities are often voluminous, they are often communicated th… (¶ 3.38, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
Establishing communication and resolution protocols for service or product issues related to vendors and business partners (¶ 3.150 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
Other aspects of the service organization's control environment, risk assessment process, information and communications (including the related business processes), control activities, and monitoring activities that are relevant to the services provided. (AT-C Section 320.15 a.viii., SSAE No. 18, Attestation Standards: Clarification and Recodification)
the nature, timing, and extent of communication between the practitioner and that specialist, including the form of any report or documentation to be provided by that specialist; and (AT-C Section 205.36 c.iii., SSAE No. 18, Attestation Standards: Clarification and Recodification)
The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. (CC9.2 Establishes Communication Protocols for Vendors and Business Partners, Trust Services Criteria)
The entity establishes communication and resolution protocols for service or product issues related to vendors and business partners. (CC9.2 ¶ 2 Bullet 4 Establishes Communication Protocols for Vendors and Business Partners, Trust Services Criteria, (includes March 2020 updates))
Ensure internal DoD communications are established between all entities which include the Mission Owner and organizations performing MCD and BCD Actions. (Section 6.3 ¶ 1 Bullet 3, sub-bullet 7, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
Both edge protocol methods specified by the standard in §170.202(d). (§ 170.315 (h) (2) (i) (C), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
Communication processes with business line management. (VI.C Action Summary ¶ 2 Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Communications. (App A Objective 2:1g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. (RA-5(11) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. (RA-5(11) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. (RA-5(11) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
C-SCRM requires accountability, commitment, oversight, direct involvement, and ongoing support from senior leaders and executives. Enterprises should ensure that C-SCRM roles and responsibilities are defined for senior leaders who participate in supply chain activities (e.g., acquisition and procure… (2.3.2. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
To successfully address evolving cybersecurity risks throughout the supply chain, enterprises need to engage multiple internal processes and capabilities, communicate and collaborate across enterprise levels and mission areas, and ensure that all individuals within the enterprise understand their ro… (3. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
Establish and maintain communication channels with stakeholders. (T0094, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Collaborate with development organizations to create and deploy the tools needed to achieve objectives. (T0598, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Serve as a liaison with external partners. (T0818, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Provide operations and reengagement recommendations. (T0794, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Identify target communications within the global network. (T0846, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks. (COMMUNICATE-P (CM-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
Establish and maintain communication channels with stakeholders. (T0094, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
Serve as a liaison with external partners. (T0818, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
Collaborate with development organizations to create and deploy the tools needed to achieve objectives. (T0598, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
Provide operations and reengagement recommendations. (T0794, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
Establish a public reporting channel for receiving reports of vulnerabilities in organizational systems and system components. (RA-5(11) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)