Assign accountability for maintaining the Governance, Risk, and Compliance framework.


CONTROL ID: 12523
CONTROL TYPE: Human Resources Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework. (CC ID: 01406)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • These responsibilities can be delegated, in writing, to a designated committee or operational unit, however overall accountability remains with the responsible officer(s) or executive officer(s). (3.1. ¶ 2, Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • the internal organisation of the institution or the payment institution; (4.6 36(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • a governance framework to achieve the objectives and priorities of the national strategy on the security of network and information systems, including roles and responsibilities of the government bodies and the other relevant actors; (Art. 7.1(b), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • Where ICT third-party service providers are included in the scope of TLPT, the financial entity shall take the necessary measures and safeguards to ensure the participation of such ICT third-party service providers in the TLPT and shall retain at all times full responsibility for ensuring compliance… (Art. 26.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confi… (ME4.1 Establishment of an IT Governance Framework, CobiT, Version 4.1)
  • Additional requirement for service providers only: Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: - Overall accountability for maintaining PCI DSS compliance - Defining a charter for a PCI DSS compliance program … (12.4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include: - Overall accountability for maintaining PCI DSS compliance - Defining a charter for a PCI DSS compliance program and communication to executive management (12.4.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Has executive management assigned overall accountability for maintaining the entity’s PCI DSS compliance? (12.4.1(a), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • For service providers only: Have executive management established responsibility for the protection of cardholder data and a PCI DSS compliance program, as follows: (12.4.1, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documentation to verify executive management has assigned overall accountability for maintaining the entity’s PCI DSS compliance. (12.4.1.a, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Overall accountability for maintaining PCI DSS compliance. (12.4.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Overall accountability for maintaining PCI DSS compliance. (A3.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Overall accountability for maintaining PCI DSS compliance. (12.4.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving governance programs. (GRC-06, Cloud Controls Matrix, v4.0)
  • appropriate authority and adequate resources allocated to the compliance function. (§ 4.4 ¶ 1 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the degree of independence and autonomy of the compliance function; (§ 5.2.1 ¶ 2 Bullet 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Management should be responsible for compliance within its area of responsibility. This includes: (§ 5.3.5 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • who will be responsible; (§ 6.2 ¶ 3 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • authority and responsibility for the design, consistency and integrity of the compliance management system; (§ 5.3.3 ¶ 1 d) 1), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Top management and oversight bodies, where applicable, should ensure that the authorities, responsibilities and accountabilities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization, and should: - emphasize that risk management is a core … (§ 5.4.3 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by: - customizing and implementing all components of the framework; - issuing a statement or policy that establi… (§ 5.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey an organization's objectives and commitment to risk management. The commitment should include, but i… (§ 5.4.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • "Governance" and "management" are distinct, necessary and complementary activities that interact and influence one another. Governance involves setting and being accountable for the organization's fulfilment of its purpose within the parameters set for the organization, whereas management is about f… (§ 4.2.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Governance is exercised throughout the organization by governing groups, including: (§ 4.2.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • member stakeholders; (§ 4.2.1 ¶ 1 Bullet 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • managers; (§ 4.2.1 ¶ 1 Bullet 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • other internal functions of the organization. (§ 4.2.1 ¶ 1 Bullet 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. (Table 1 Column 4 Row 6, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the responsibilities for developing and approving all policies are clear and that governance policies are not open to change without the governing body's agreement. (§ 6.3.3.1.2 ¶ 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that those to whom they delegate are empowered to create management policies, which are consistent with the governance policies, and are also empowered to provide proposals for changes to the governance policies. (§ 6.3.3.1.2 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Accountable people can delegate to others. However, it should be made clear that those who delegate remain accountable for their delegate's use of that authority. (§ 4.2.2 ¶ 4, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should demonstrate its accountability to the organization as a whole and hold to account those to whom it has delegated. (§ 6.5.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairne… (§ 6.5.3.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The compliance function shall be responsible for the operation of the compliance management system including the following: (§ 5.3.2 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the allocation or reallocation of responsibilities and authorities. (§ 6.3 ¶ 2 bullet 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The compliance function shall be responsible for the operation of the compliance management system including the following: (§ 5.3.2 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the allocation or reallocation of responsibilities and authorities. (§ 10.2 ¶ 3 bullet 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • According to ISO/IEC TR 38502:2017, 4.1.3, managers are responsible for ensuring the achievement of the objectives of the organization within the strategies and policies established by the governing body. The task of governing is accomplished in close cooperation between the governing body and manag… (§ 6.1 ¶ 6, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • The board of directors ultimately holds the chief executive officer accountable for managing the risk faced by the entity by establishing enterprise risk management practices and capabilities to support the achievement of the entity's strategy and business objectives. The chief executive officer and… (Enforcing Accountability ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • information security standards promulgated under section 11331 of title 40; (§ 3554(a)(1)(B)(i), Federal Information Security Modernization Act of 2014)
  • information security standards and guidelines for national security systems issued in accordance with law and as directed by the President; and (§ 3554(a)(1)(B)(iv), Federal Information Security Modernization Act of 2014)
  • Pursuant to the National Crime Prevention and Privacy Compact, each party state shall appoint a Compact Officer who shall ensure that Compact provisions and rules, procedures, and standards established by the Compact Council are complied with in their respective state. (§ 3.2.12 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Pursuant to the National Crime Prevention and Privacy Compact, each party state shall appoint a Compact Officer who shall ensure that Compact provisions and rules, procedures, and standards established by the Compact Council are complied with in their respective state. (§ 3.2.12 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • Accountability. (App A Objective 2:10c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management promotes and provides effective governance of AIO functions through defined responsibilities, accountability, and adequate resources to support these functions. (II, "Architecture, Infrastructure, and Operations Governance") (App A Objective 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • As part of the ITRM structure, determine whether financial institution management has defined IT responsibilities and functions. Verify the existence of well-defined responsibilities and expectations between risk management and IT functional areas, such as information security, project management, b… (App A Objective 3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the institution's established lines of authority for enforcing and monitoring controls. (App A Objective 3:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • C-SCRM requires accountability, commitment, oversight, direct involvement, and ongoing support from senior leaders and executives. Enterprises should ensure that C-SCRM roles and responsibilities are defined for senior leaders who participate in supply chain activities (e.g., acquisition and procure… (2.3.2. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)