Establish, implement, and maintain an internal reporting program.


CONTROL ID: 12409
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a reporting methodology program., CC ID: 02072

This Control has the following implementation support Control(s):
  • Include transactions and events as a part of internal reporting., CC ID: 12413
  • Disseminate and communicate management's choices for managing the organization as a part of internal reporting., CC ID: 12412
  • Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria., CC ID: 12399
  • Define the thresholds for escalation in the internal reporting program., CC ID: 14332
  • Define the thresholds for reporting in the internal reporting program., CC ID: 14331

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Given the importance of business continuity planning, the Chief Executive of AIs should prepare and sign-off a formal annual statement submitted to the Board on whether the recovery strategies adopted are still valid and whether the documented BCPs are properly tested and maintained. The annual stat… (2.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The security function should have updated status regarding numbers of unmitigated, critical vulnerabilities, for each department/division, plan for mitigation and should share vulnerability reports indicating critical issues with senior management to provide effective incentives for mitigation. (Critical components of information security 16) ii.e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An institution should notify MAS as soon as possible of any adverse development arising from its outsourcing arrangements that could impact the institution. Such adverse developments include any event that could potentially lead to prolonged service failure or disruption in the outsourcing arrangeme… (4.2.1, Guidelines on Outsourcing)
  • Where the board delegates its responsibility to a committee as described in paragraph 5.2.2, the board should establish communication procedures between the board and the committee. This should include requiring the committee to report to the board on a regular basis, and ensuring that senior manage… (5.2.4, Guidelines on Outsourcing)
  • roles and responsibilities — clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types … (8(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • information security reporting and analytics; (16(f)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution would typically develop a formalised IT security reporting framework that provides operational information and oversight across the various dimensions of the IT security risk management framework. The framework would incorporate clearly defined reporting and escalation thresh… (¶ 76, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Data reporting service providers shall, in addition, have in place systems that can effectively check trade reports for completeness, identify omissions and obvious errors, and request re-transmission of those reports (Art. 10.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • As part of the ICT risk management framework, financial entities shall implement communication policies for internal staff and for external stakeholders. Communication policies for staff shall take into account the need to differentiate between staff involved in ICT risk management, in particular th… (Art. 14.2., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The management reports must contain all the information regarding the management of the security process that is necessary for the management level. Such information includes, for example: (§ 8.3 Subsection 5 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The interfaces between the two roles should be clearly defined and documented. In addition, direct reporting paths to the management level should be available on all sides. There should also be consideration as to whether conflicting issues should also be notified to the auditing department. (§ 4.4 Subsection 5 ¶ 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The processing and sharing of information in business and service processes is supported by data-processing IT systems and related IT processes. The scope and quality thereof shall be based, in particular, on the institution's internal operating needs, business activities and risk situation (see AT … (II.3.8, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Reports of unscheduled deviations from standard operations (disruptions) and their causes shall, in a suitable way, be recorded, evaluated, prioritised with particular regard to potentially resulting risks, and escalated according to defined criteria. The processing, analysis of causes, and identifi… (II.7.50, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • A firm's senior management are responsible for ensuring that the firm conducts its business with integrity and tackles the risk that the firm, or anyone acting on its behalf, engages in bribery and corruption. A firm's senior management should therefore be kept up-to-date with, and stay fully abreas… (6.2.1 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential functions they need to protect. (C1.e ¶ 1, NCSC CAF guidance, 3.1)
  • Establish a plan to provide desired reports to management, the governing authority, and stakeholders, while ensuring compliance with mandatory reporting and filing requirements. (OCEG GRC Capability Model, v. 3.0, P3.1 Develop Reporting Plan, OCEG GRC Capability Model, v 3.0)
  • An organization should choose a format, content and timing of its internal compliance reporting that is appropriate to its circumstances, unless otherwise specified by law. (§ 9.1.7 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • A clear and timely escalation process should be adopted and communicated to ensure that all noncompliances are raised, reported and eventually escalated to relevant management, and that the compliance function is informed and able to support the escalation. Where appropriate, escalation should be to… (§ 10.1.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • require those to whom they have delegated to provide timely and accurate reports on all material aspects of the management of the organization; (§ 6.4.3.1 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); (§ 6.4.3.2 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; (§ 6.8.3.2.1 ¶ 1 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • timelines for regular reporting are established; (§ 9.1.4 ¶ 1 b), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall establish, implement and maintain processes for compliance reporting to ensure that: (§ 9.1.4 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • timelines for regular reporting are established; (§ 9.1.4 ¶ 1 b), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the IT asset management performance, including financial and non-financial performance; and (Section 9.1 ¶ 3 bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the effectiveness of the IT asset management system. (Section 9.1 ¶ 3 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the stakeholder requirements for recording financial and non-financial information relevant to IT asset management, and for reporting on it both internally and externally. (Section 4.2 ¶ 1 bullet 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall determine reporting requirements and their purpose. (§ 9.4 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • is properly informed and trained, including knowing how and with whom to raise any concern; (§ 6.2 ¶ 3 Bullet 4 Sub-bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • The frequency of reporting should be commensurate with the severity and priority of the risk. Reporting should enable management to determine the types and amount of risk assumed by the organization, its ongoing appropriateness, and the suitability of existing risk responses. For example, changes in… (Reporting Frequency and Quality ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management works closely with those who will use reports to identify what information is required, how often they need the reports, and their preferences in how reports are presented. Management is responsible for implementing appropriate controls so that reporting is accurate, clear, and complete. (Reporting Frequency and Quality ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Often the service organization's system of internal control includes monitoring activities and system reports for management that permit management to continuously or periodically monitor the operating effectiveness of controls. Management may also make use of internal audit evaluations as part of i… (¶ 2.119, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the types and frequency of communications made to executive management and others about the security, availability, and processing integrity of the system and the confidentiality or privacy of the information it uses (¶ 3.59 Bullet 7 Sub-Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If executive management delegates any of its responsibilities under Section 4 of this Act, it shall oversee the development, implementation and maintenance of the Licensee's Information Security Program prepared by the delegate(s) and shall receive a report from the delegate(s) complying with the re… (Section 4.E ¶ 1(3), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Documentation of the data types maintained, data owners and users, and purposes of reports. (App A Objective 3:9f Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Inclusion of processes for obtaining approvals, making changes to the plan, and reporting, as appropriate. (App A Objective 12:3c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Placement and selection of storage, design of network topology, availability of bandwidth, and need for management reporting systems, as well as implementation of monitoring tools. (App A Objective 12:5d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should have appropriate ITAM processes to track, manage, and report on the entity's information and technology assets. (III.B Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management implements appropriate ITAM processes to track, manage, report on the entity's information and technology assets. (III.B, "IT Asset Management") (App A Objective 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine the effectiveness and comprehensiveness of board and senior management reporting related to AIO. Evaluate whether the following activities are performed: (App A Objective 2:13, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the reporting structure ensures that the CISO has the appropriate authority to carry out its responsibilities and that there are no conflicts of interest in the ability of the CISO to make decisions in line with the risk appetite. (App A Objective 2:12, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Activity reporting, monitoring, and reconcilement are conducted daily, or more frequently based upon activity; (TIER II OBJECTIVES AND PROCEDURES E.1. Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Review management reports for all retail payment services including reports from service providers. (App A Tier 1 Objectives and Procedures Objective 5:1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Information to meet the needs of the various levels of management. (AppE.7 Objective 6:2 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Management should internally communicate the necessary quality information to achieve the entity’s objectives. (14.01, Standards for Internal Control in the Federal Government)
  • Reporting at Level 3 should focus on the C-SCRM's implementation, efficiency, effectiveness, and the overall level of exposure to cybersecurity risks in the supply chain for the particular system. System-level reporting should provide system owners with tactical-level insights that enable them to ma… (2.3.4. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • To successfully address evolving cybersecurity risks throughout the supply chain, enterprises need to engage multiple internal processes and capabilities, communicate and collaborate across enterprise levels and mission areas, and ensure that all individuals within the enterprise understand their ro… (3. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Reporting plays an important role in equipping Level 1 decision-makers with the context necessary to make informed decisions on how to manage cybersecurity risks throughout the supply chain. Reporting should focus on enterprise-wide trends and include coverage of the extent to which C-SCRM has been … (2.3.2. ¶ 11, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Provide daily summary reports of network events and activity relevant to cyber defense practices. (T0198, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the information security program of the licensee prepared by the delegate and shall receive a report from the delegate complying with the requirement… (Section 27-62-4(e)(3), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • If a licensee's executive management delegates any of its responsibilities under subparagraph (A) or (B) of this subdivision, it shall oversee the development, implementation and maintenance of the licensee's information security program prepared by the delegate or delegates, and shall receive a rep… (Part VI(c)(5)(C), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • The delegate shall submit to executive management a report that complies with the requirements of the report to the board of directors under paragraph (e)(2) of this section. (§ 8604.(e)(3) b., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • If executive management delegates any of its responsibilities under this part, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of the… (§431:3B-204(3), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • If a licensee’s executive management delegates any of its responsibilities under this section the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual wr… (507F.4 5.b., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • If executive management delegates any of the responsibilities provided for in this Section, management shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and shall receive a report from the delegates complying with … (§2504.E.(3), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • If a licensee's executive management delegates any of its responsibilities under this section, the licensee's executive management shall oversee each delegate's efforts with respect to the development, implementation and maintenance of the licensee's information security program and shall require ea… (§2264 5. ¶ 1, Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by a delegate and shall receive a report from the delegate complying with the requirements of th… (Sec. 555.(5)(b)(iii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • if executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of … (§ 60A.9851 Subdivision 5(3), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation and maintenance of the licensee’s information security program prepared by the delegate(s) and shall receive a report from the delegate(s) complying with the requireme… (§ 83-5-807 (5)(c), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • If executive management delegates any of its responsibilities under RSA 420-P:4, it shall oversee the development, implementation and maintenance of the licensee's program prepared by the delegates and shall receive a report from the delegates complying with the requirements of the report to the boa… (§ 420-P:4 V.(c), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Report. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entit… (§ 500.04 Chief Information Security Officer (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • overall effectiveness of the Covered Entity's cybersecurity program; and (§ 500.04 Chief Information Security Officer (b)(4), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Report. The CISO of each covered entity shall report in writing at least annually to the senior governing body on the covered entity's cybersecurity program, including to the extent applicable: (§ 500.4 Cybersecurity Governance (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • overall effectiveness of the covered entity's cybersecurity program; (§ 500.4 Cybersecurity Governance (b)(4), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • The CISO shall timely report to the senior governing body or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity's cybersecurity program. (§ 500.4 Cybersecurity Governance (c), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • If executive management delegates any responsibilities under this section, the executive management delegates shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying … (26.1-02.2-03. 5.c., North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and shall require the delegates to submit a report that complies with the requi… (Section 3965.02 (E)(3), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • If the executive management of a licensee delegates any of its responsibilities under this chapter, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and receive a report from the delegates which must comply wit… (SECTION 38-99-20. (E)(2), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • If the licensee's executive management delegates any of the executive management's responsibilities under this section, then the executive management must oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and must either… (§ 56-2-1004 (5)(C), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of … (§ 38.2-623.D.2., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)