Leverage actionable information to support internal controls.


CONTROL ID
12414
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In assessing the institution's institution-wide risk management and internal controls, as provided by Title 5 of the EBA SREP Guidelines, competent authorities should consider whether the institution's risk management and internal control framework adequately safeguards the institution's ICT systems… (Title 2 2.4 30., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Comprehensible documentation must be provided explaining why the selected safeguards are appropriate for achieving the security objectives and requirements. (§ 8.1 Subsection 5 ¶ 3, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Ensure required support and resources, including change management, are furnished to achieve established objectives and follow direction of the plans. (OCEG GRC Capability Model, v 3.0, A5.10 Enable Execution, OCEG GRC Capability Model, v 3.0)
  • The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. (§ 3 Principle 13 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • Feedback should serve as a key source of continuous improvement of the compliance management system. (§ 9.1.3 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • justification for their inclusion; (§ 6.1.3 ¶ 1 d) Bullet 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • the justification for the control's inclusion; and (§ 6.1.3 Guidance ¶ 12 Bullet 1 Sub-bullet 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • When assessing the applicability of control objectives and controls from ISO/IEC 27001:2013 Annex A for the treatment of risks, the control objectives and controls shall be considered in the context of both risks to information security as well as risks related to the processing of PII, including ri… (§ 5.4.1.3 ¶ 4, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • justification for their inclusion; (§ 5.4.1.3 ¶ 6 Bullet 2, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. (CC2.1 ¶ 1 COSO Principle 13:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity documents and uses internal and external information and data flows to support the design and operation of controls. (CC2.1 ¶ 4 Bullet 1 Documents Data Flow, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. (CC2.1 COSO Principle 13, Trust Services Criteria)
  • The entity obtains or generates and uses relevant, quality information to support the functioning of internal control. (CC2.1 ¶ 1 COSO Principle 13:, Trust Services Criteria, (includes March 2020 updates))
  • PUBLIC NOTICE AND COMMENT.—Each agency shall provide the public with timely notice and opportunities for comment on proposed information security policies and procedures to the extent that such policies and procedures affect communication with the public. (§ 3554(e), Federal Information Security Modernization Act of 2014)