Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol.

CONTROL ID
12419
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain communication protocols., CC ID: 12245

This Control has the following implementation support Control(s):
  • Assess the effectiveness of the communication methods used in the communication protocol., CC ID: 12691


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • in any other case, in the Chinese or English language as the data user thinks fit. (Part 5 Division 3 Section 29 ¶ 1(b), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • The information provided under subsection (2)(a) and (b) must be presented in a manner that is easily understandable and, if in written form, easily readable. (Part 6A Division 2 Section 35C(4), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • The information provided under subsection (2)(a) and (b) must be presented in a manner that is easily understandable and easily readable. (Part 6A Division 3 Section 35J(4), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • If a data user is required to notify a person to cease to use a data subject's personal data in direct marketing under a requirement referred to in subsection (1)(b), the data user must so notify the person in writing. (Part 6A Division 3 Section 35L(4), Hong Kong Personal Data (Privacy) Ordinance, E.R. 1 of 2013)
  • Use a fax cover sheet for documents being faxed, stating the recipient and sender details, the security classification and the number of pages in the document. (Annex A2: Security for Printers, Copiers, Scanners and Fax Machines (MFPs) 23, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • Provide advance notice to the fax recipient, such as by asking the recipient to wait at the fax machine before sending the fax. (Annex A2: Security for Printers, Copiers, Scanners and Fax Machines (MFPs) 24, Singapore(PDPC) Guide to Securing Personal Data in Electronic Medium, Revised 20 January 2017)
  • The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is received and notify the sender if the fax message does not arrive in an agreed amount of time. (Security Control: 1075; Revision: 1, Australian Government Information Security Manual)
  • In APRA's view, effective information security reporting normally incorporates both quantitative and qualitative content. For non-technical audiences, technical information and metrics would be supplemented with appropriate thematic analysis and commentary on business implications. Attachment H illu… (14., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The PRA expects notifications of material outsourcing to include, at least, the information in paragraph 54 of the EBA Outsourcing GL. (§ 5.16, SS2/21 Outsourcing and third party risk management, March 2021)
  • In line with SS5/16 'Corporate governance: Board responsibilities', the PRA expects management information on outsourcing provided to the board to be clear, consistent, robust, timely, and well-targeted, and to contain an appropriate level of technical detail to facilitate effective oversight and ch… (§ 4.4 ¶ 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • Integrate IT reporting on legal, regulatory and contractual requirements with similar output from other business functions. (ME3.5 Integrated Reporting, CobiT, Version 4.1)
  • Deliver and receive relevant, reliable, and timely information to the right audiences, as required by mandates, or as needed to perform responsibilities and effectively shape attitudes. (OCEG GRC Capability Model, v. 3.0, P3 Communication, OCEG GRC Capability Model, v 3.0)
  • The nature, quantity, and precision of information communicated are commensurate with and support the achievement of objectives. (§ 3 Principle 13 Points of Focus: Considers Costs and Benefits, COSO Internal Control - Integrated Framework (2013))
  • ensure that environmental information communicated is consistent with information generated within the environmental management system, and is reliable. (§ 7.4.1 ¶ 2 Bullet 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization should adopt appropriate methods of communication to ensure that the compliance message is heard and understood by all employees on an on-going basis. The communication should clearly set out the organization's expectation of employees and those noncompliances that are expected to b… (§ 7.4.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • process control logs and activity records (including both computer and paper based). (§ 9.1.3 ¶ 1 Bullet 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Reporting on compliance should be incorporated in standard organizational reports. (§ 9.1.7 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • on what it will communicate; (§ 7.4.1 ¶ 1 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • on what it will communicate; (§ 7.4 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • communicating internally and externally to relevant interested parties, including what, when, with whom and how to communicate; (§ 8.4.3.1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • are transparent but also within the limits of confidentiality; (§ 6.5.3.2 ¶ 1 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • exercise its right and responsibility to determine and receive the information it requires, including determining the appropriate data collection methods, preparation and timely delivery of information; (§ 6.8.3.2.1 ¶ 1 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • on what it will communicate; (§ 7.4 ¶ 1 a), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure that compliance information to be communicated is consistent with information generated within the compliance management system and is reliable; (§ 7.4 ¶ 2 bullet 3 sub-bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • on what it will communicate; (7.4 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • ensure that compliance information to be communicated is consistent with information generated within the compliance management system and is reliable. (§ 7.4 ¶ 4 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • on what it will communicate; (§ 7.4 ¶ 1 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall determine reporting requirements and their purpose. (§ 9.4 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The organization should identify the requirements for communication on relevant issues: (§ 7.4 Guidance ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • the communication means and channels. Communication should use dedicated means and channels, to make sure that the message is official and bears the appropriate authority. Communication channels should address any needs for the protection of the confidentiality and integrity of the information trans… (§ 7.4 Guidance ¶ 3(o), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization's reporting requirements and capabilities are consistent with information-sharing arrangements within the organization's communities and the financial sector. (RS.CO-2.4, CRI Profile, v1.2)
  • Reputation after an event is repaired. (RC.CO-2, CRI Profile, v1.2)
  • The organization's reporting requirements and capabilities are consistent with information-sharing arrangements within the organization's communities and the financial sector. (RS.CO-2.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Extensions of the June 1 filing date may be granted by the commissioner for thirty-day periods upon a showing by the insurer and its independent certified public accountant of the reasons for requesting an extension and determination by the commissioner of good cause for an extension. The request fo… (Section 4.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The Director's report to Congress under this subsection shall summarize information regarding information security relating to national security systems in such a manner as to ensure appropriate protection for information associated with any information security vulnerability in such system commensu… (§ 3555(g)(2), Federal Information Security Modernization Act of 2014)
  • CSP's reporting requirements to DoD will align with the reporting lexicon used by US-CERT for the broader Federal Government reporting requirements. Incident notifications should include a description of the incident and as much of the following information as possible: (Section 6.5.2 ¶ 3, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Determine whether the board has established expectations for BCM reporting. (IX, "Board Reporting") (App A Objective 12, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Are communicated in a clear and understandable manner. (App A Objective 6.1.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer's provision of electronic banking credentials; (Customer Awareness and Education ¶ 1 Bullet 2, Supplement to Authentication in an Internet Banking Environment)