Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis.

CONTROL ID: 12330
CONTROL TYPE: Monitor and Evaluate Occurrences
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Steps taken for non-recurrence of such events in the future (Critical components of information security 22) iii. Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Under CPS 234, an APRA-regulated entity must annually review and test its information security response plans to ensure they remain effective and fit-for-purpose. It is important that the success criteria for such tests are clearly defined, including the circumstances under which re-testing would be… (74., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • It is important that success criteria for tests are clearly defined, including the circumstances under which re-testing would be required. Test results would be reported to the appropriate governing body or individual, with associated follow-up actions formally tracked and reported. (81., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • It is important that the success criteria for the testing of resilience and recovery are clearly defined, including the circumstances under which re-testing would be required. Test results and associated follow-up actions are typically formally tracked and reported. (Attachment B ¶ 10, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • ICT audit findings, including agreed actions, are followed up and progress reports periodically reviewed by the senior management and/or the audit committee. (Title 3 3.3.3 51.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. (§ 3 Principle 17 Points of Focus: Communicates Deficiencies, COSO Internal Control - Integrated Framework (2013))
  • The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of… (§ 9.2 ¶ 4, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. (CC4.2 Communicates Deficiencies, Trust Services Criteria)
  • Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. (CC4.2 ¶ 2 Bullet 2 Communicates Deficiencies, Trust Services Criteria, (includes March 2020 updates))
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-2 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-3 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • The institution prepares an annual report of security incidents or violations for the board or an appropriate board committee. (Domain 5: Assessment Factor: Escalation and Reporting, ESCALATION AND REPORTING Baseline 1 ¶ 3, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Reporting on the progress of the action plans to senior management. (App A Objective 16:4b Bullet 11, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Operational support personnel report errors or problems with the systems or software and provide updates on resolution. (App A Objective 16:2b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Results of security operations activities and summaries of assurance reports. (App A Objective 2.4.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether IT management participates in the enterprise-wide risk management process to identify and measure risk from the use of IT, support decisions on how to mitigate the risks, implement the mitigation decisions, and monitor and report on the resulting outcomes. (App A Objective 8:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management takes appropriate and timely action on IT audit findings and recommendations and whether audit or management reports the action to the board of directors or its audit committee. Also, determine if IT audit reviews or tests management's statements regarding the resolution… (TIER I OBJECTIVES AND PROCEDURES Objective 6:1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Report to the Board. Each credit union should report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the credit union's compliance with these guidelines. The report should discuss material… (§ 748 Appendix A. III.F., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Advise appropriate senior leadership or Authorizing Official of changes affecting the organization's cybersecurity posture. (T0005, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Policies, processes, and procedures for communicating progress on managing privacy risks are established and in place. (GV.MT-P4, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Advise appropriate senior leadership or Authorizing Official of changes affecting the organization's cybersecurity posture. (T0005, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Report to the Board. Each national bank or Federal savings association shall report to its board or an appropriate committee of the board at least annually. This report should describe the overall status of the information security program and the national bank's or Federal savings association's com… (§ III. F., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)