Establish, implement, and maintain an internal reporting program.


CONTROL ID
12409
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Leadership and high level objectives, CC ID: 00597

This Control has the following implementation support Control(s):
  • Include transactions and events as a part of internal reporting., CC ID: 12413
  • Disseminate and communicate management's choices for managing the organization as a part of internal reporting., CC ID: 12412
  • Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria., CC ID: 12399
  • Define the thresholds for escalation in the internal reporting program., CC ID: 14332
  • Define the thresholds for reporting in the internal reporting program., CC ID: 14331


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Given the importance of business continuity planning, the Chief Executive of AIs should prepare and sign-off a formal annual statement submitted to the Board on whether the recovery strategies adopted are still valid and whether the documented BCPs are properly tested and maintained. The annual stat… (2.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • The security function should have updated status regarding numbers of unmitigated, critical vulnerabilities, for each department/division, plan for mitigation and should share vulnerability reports indicating critical issues with senior management to provide effective incentives for mitigation. (Critical components of information security 16) ii.e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An institution should notify MAS as soon as possible of any adverse development arising from its outsourcing arrangements that could impact the institution. Such adverse developments include any event that could potentially lead to prolonged service failure or disruption in the outsourcing arrangeme… (4.2.1, Guidelines on Outsourcing)
  • Where the board delegates its responsibility to a committee as described in paragraph 5.2.2, the board should establish communication procedures between the board and the committee. This should include requiring the committee to report to the board on a regular basis, and ensuring that senior manage… (5.2.4, Guidelines on Outsourcing)
  • roles and responsibilities — clearly outline for management how the Board expects to be engaged, including delegation of responsibilities, escalation of risks, issues and reporting requirements (including schedule, format, scope and content). Refer to Attachment H for common examples of the types … (8(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • information security reporting and analytics; (16(f)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A regulated institution would typically develop a formalised IT security reporting framework that provides operational information and oversight across the various dimensions of the IT security risk management framework. The framework would incorporate clearly defined reporting and escalation thresh… (¶ 76, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The processing and sharing of information in business and service processes is supported by data-processing IT systems and related IT processes. The scope and quality thereof shall be based, in particular, on the institution's internal operating needs, business activities and risk situation (see AT … (II.3.8, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Reports of unscheduled deviations from standard operations (disruptions) and their causes shall, in a suitable way, be recorded, evaluated, prioritised with particular regard to potentially resulting risks, and escalated according to defined criteria. The processing, analysis of causes, and identifi… (II.7.50, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • A firm's senior management are responsible for ensuring that the firm conducts its business with integrity and tackles the risk that the firm, or anyone acting on its behalf, engages in bribery and corruption. A firm's senior management should therefore be kept up-to-date with, and stay fully abreas… (6.2.1 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Establish a plan to provide desired reports to management, the governing authority, and stakeholders, while ensuring compliance with mandatory reporting and filing requirements. (P3.1 Develop Reporting Plan, OCEG GRC Capability Model, v 3.0)
  • An organization should choose a format, content and timing of its internal compliance reporting that is appropriate to its circumstances, unless otherwise specified by law. (§ 9.1.7 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • A clear and timely escalation process should be adopted and communicated to ensure that all noncompliances are raised, reported and eventually escalated to relevant management, and that the compliance function is informed and able to support the escalation. Where appropriate, escalation should be to… (§ 10.1.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • timelines for regular reporting are established; (§ 9.1.4 ¶ 1 b), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall establish, implement and maintain processes for compliance reporting to ensure that: (§ 9.1.4 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • timelines for regular reporting are established; (§ 9.1.4 ¶ 1 b), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the IT asset management performance, including financial and non-financial performance; and (Section 9.1 ¶ 3 bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the effectiveness of the IT asset management system. (Section 9.1 ¶ 3 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the stakeholder requirements for recording financial and non-financial information relevant to IT asset management, and for reporting on it both internally and externally. (Section 4.2 ¶ 1 bullet 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall determine reporting requirements and their purpose. (§ 9.4 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The frequency of reporting should be commensurate with the severity and priority of the risk. Reporting should enable management to determine the types and amount of risk assumed by the organization, its ongoing appropriateness, and the suitability of existing risk responses. For example, changes in… (Reporting Frequency and Quality ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management works closely with those who will use reports to identify what information is required, how often they need the reports, and their preferences in how reports are presented. Management is responsible for implementing appropriate controls so that reporting is accurate, clear, and complete. (Reporting Frequency and Quality ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Often the service organization's system of internal control includes monitoring activities and system reports for management that permit management to continuously or periodically monitor the operating effectiveness of controls. Management may also make use of internal audit evaluations as part of i… (¶ 2.119, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the types and frequency of communications made to executive management and others about the security, availability, and processing integrity of the system and the confidentiality or privacy of the information it uses (¶ 3.59 Bullet 7 Sub-Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If executive management delegates any of its responsibilities under Section 4 of this Act, it shall oversee the development, implementation and maintenance of the Licensee's Information Security Program prepared by the delegate(s) and shall receive a report from the delegate(s) complying with the re… (Section 4.E ¶ 1(3), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Documentation of the data types maintained, data owners and users, and purposes of reports. (App A Objective 3:9f Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Inclusion of processes for obtaining approvals, making changes to the plan, and reporting, as appropriate. (App A Objective 12:3c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Placement and selection of storage, design of network topology, availability of bandwidth, and need for management reporting systems, as well as implementation of monitoring tools. (App A Objective 12:5d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should have appropriate ITAM processes to track, manage, and report on the entity's information and technology assets. (III.B Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management implements appropriate ITAM processes to track, manage, report on the entity's information and technology assets. (III.B, "IT Asset Management") (App A Objective 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine the effectiveness and comprehensiveness of board and senior management reporting related to AIO. Evaluate whether the following activities are performed: (App A Objective 2:13, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the reporting structure ensures that the CISO has the appropriate authority to carry out its responsibilities and that there are no conflicts of interest in the ability of the CISO to make decisions in line with the risk appetite. (App A Objective 2:12, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Activity reporting, monitoring, and reconcilement are conducted daily, or more frequently based upon activity; (TIER II OBJECTIVES AND PROCEDURES E.1. Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Review management reports for all retail payment services including reports from service providers. (App A Tier 1 Objectives and Procedures Objective 5:1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Information to meet the needs of the various levels of management. (AppE.7 Objective 6:2 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Provide daily summary reports of network events and activity relevant to cyber defense practices. (T0198, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the information security program of the licensee prepared by the delegate and shall receive a report from the delegate complying with the requirement… (Section 27-62-4(e)(3), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • If a licensee's executive management delegates any of its responsibilities under subparagraph (A) or (B) of this subdivision, it shall oversee the development, implementation and maintenance of the licensee's information security program prepared by the delegate or delegates, and shall receive a rep… (Part VI(c)(5)(C), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • The delegate shall submit to executive management a report that complies with the requirements of the report to the board of directors under paragraph (e)(2) of this section. (§ 8604.(e)(3) b., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • If executive management delegates any of its responsibilities under this part, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of the… (§431:3B-204(3), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • If a licensee’s executive management delegates any of its responsibilities under this section the executive management shall oversee the delegate’s development, implementation, and maintenance of the licensee’s information security program, and shall require the delegate to submit an annual wr… (507F.4 5.b., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • If executive management delegates any of the responsibilities provided for in this Section, management shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and shall receive a report from the delegates complying with … (§2504.E.(3), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • If a licensee's executive management delegates any of its responsibilities under this section, the licensee's executive management shall oversee each delegate's efforts with respect to the development, implementation and maintenance of the licensee's information security program and shall require ea… (§2264 5. ¶ 1, Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by a delegate and shall receive a report from the delegate complying with the requirements of th… (Sec. 555.(5)(b)(iii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • if executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of … (§ 60A.9851 Subdivision 5(3), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation and maintenance of the licensee’s information security program prepared by the delegate(s) and shall receive a report from the delegate(s) complying with the requireme… (§ 83-5-807 (5)(c), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • If executive management delegates any of its responsibilities under RSA 420-P:4, it shall oversee the development, implementation and maintenance of the licensee's program prepared by the delegates and shall receive a report from the delegates complying with the requirements of the report to the boa… (§ 420-P:4 V.(c), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Report. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entit… (§ 500.04 Chief Information Security Officer (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • overall effectiveness of the Covered Entity's cybersecurity program; and (§ 500.04 Chief Information Security Officer (b)(4), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • If executive management delegates any responsibilities under this section, the executive management delegates shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying … (26.1-02.2-03. 5.c., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and shall require the delegates to submit a report that complies with the requi… (Section 3965.02 (E)(3), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • If the executive management of a licensee delegates any of its responsibilities under this chapter, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and receive a report from the delegates which must comply wit… (SECTION 38-99-20. (E)(2), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • If the licensee's executive management delegates any of the executive management's responsibilities under this section, then the executive management must oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegates and must either… (§ 56-2-1004 (5)(C), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • If executive management delegates any of its responsibilities under this section, it shall oversee the development, implementation, and maintenance of the licensee's information security program prepared by the delegate and shall receive a report from the delegate complying with the requirements of … (§ 38.2-623.D.2., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)