Report known security issues to the Board of Directors or Senior Executive Committee on a regular basis.


CONTROL ID: 12329
CONTROL TYPE: Monitor and Evaluate Occurrences
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Issues identified from testing, including system defects or software bugs, should be properly tracked and addressed. Major issues that could have an adverse impact on the FI's operations or delivery of service to customers should be reported to the project steering committee and addressed prior to d… (§ 5.7.5, Technology Risk Management Guidelines, January 2021)
  • apprising the board of directors of salient and adverse technology risk developments and incidents that are likely to have a major impact on the FI in a timely manner. (§ 3.1.8(e), Technology Risk Management Guidelines, January 2021)
  • risk monitoring, review and reporting – monitor and review technology risks, which include risks that customers are exposed to, changes in business strategy, IT systems, environmental or operating conditions; and report key risks to the board of directors and senior management. (§ 4.1.4(d), Technology Risk Management Guidelines, January 2021)
  • A risk register should be maintained to facilitate the monitoring and reporting of technology risks. Significant risks should be monitored closely and reported to the board of directors and senior management. The frequency of monitoring and reporting should be commensurate with the level of risk. (§ 4.5.2, Technology Risk Management Guidelines, January 2021)
  • The CISO reports directly to their organisation's senior executive and/or Board on cyber security matters. (Security Control: 0718; Revision: 2, Australian Government Information Security Manual)
  • observe unusual behaviour of devices. (Security Control: 1088; Revision: 4; Bullet 4, Australian Government Information Security Manual)
  • loose devices or media that are later found (Security Control: 1088; Revision: 4; Bullet 3, Australian Government Information Security Manual)
  • have devices or media stolen that are later returned (Security Control: 1088; Revision: 4; Bullet 2, Australian Government Information Security Manual)
  • Personnel report the potential compromise of mobile devices, media or credentials to their organisation as soon as possible, especially if they: (Security Control: 1088; Revision: 4, Australian Government Information Security Manual)
  • provide credentials, decrypt devices or have devices taken out of sight by foreign government officials (Security Control: 1088; Revision: 4; Bullet 1, Australian Government Information Security Manual)
  • periodic security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. These tests should be performed by staff and/or external experts with the necessary expertise, with documented test results and conclusions reported to senior mana… (Title 3 3.3.4(b) 55.h(iv), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The top management is informed of the status of the information security on the basis of security checks by means of regular reports and is responsible for the prompt elimination of determinations resulting from them. (Section 5.15 SPN-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Parameters of the top management for the risk appetite and the risk tolerances of the cloud provider are included in the policy for the risk management or a comparable official document. The timely implementation of the mitigating safeguards is monitored by qualified personnel of the cloud provider.… (Section 5.1 OIS-07 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The information security officer shall report to the management board regularly, at least once a quarter, and on an ad hoc basis on the status of information security. (II.4.22, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Reports of unscheduled deviations from standard operations (disruptions) and their causes shall, in a suitable way, be recorded, evaluated, prioritised with particular regard to potentially resulting risks, and escalated according to defined criteria. The processing, analysis of causes, and identifi… (II.7.50, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. (§ 3 Principle 17 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • Report the authorization decision and any deficiencies in controls that represent significant security or privacy risk. (TASK R-5, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity to discuss cybersecurity related matters. (PR.AT-4.2, CRI Profile, v1.2)
  • Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity to discuss cybersecurity related matters. (PR.AT-4.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. (CC4.2 COSO Principle 17:, Trust Services Criteria)
  • The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. (CC4.2 ¶ 1 COSO Principle 17:, Trust Services Criteria, (includes March 2020 updates))
  • Board and senior management reporting. (App A Objective 2:1h, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management reports to the board periodically on the status of AIO initiatives, progress, issues, and metrics. (App A Objective 2:13a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identify and report AIO issues to senior management and the board. (App A Objective 2:11e Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Communication of challenges to the board and senior management. (App A Objective 2:9a Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Filters and reviews logs for potential security events and provides adequate reports and alerts. (App A Objective 6.21.f, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported. (App A Objective 6.31.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Receives reports on IT to remain informed on risk. (App A Objective 2:6 h., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Advise senior management (e.g., Chief Information Officer [CIO]) on risk levels and security posture. (T0003, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Promote awareness of security issues among management and ensure sound security principles are reflected in the organization's vision and goals. (T0248, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters. (T0213, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Promote awareness of security issues among management and ensure sound security principles are reflected in the organization's vision and goals. (T0248, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters. (T0213, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Report to the Board. Each national bank or Federal savings association shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the national bank's or Federal savings association's com… (§ III. F., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)