Assess the effectiveness of the communication methods used in the communication protocol.


CONTROL ID
12691
CONTROL TYPE
Process or Activity
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol., CC ID: 12419

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The FI should keep customers informed of any major incident. The FI should also assess the effectiveness of the mode of communication, including informing the general public, where necessary. (§ 7.3.9, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The Board, governing bodies and individuals would typically define their information requirements (e.g. schedule, format, scope and content) to ensure they are provided with sufficient and timely information to effectively discharge their information security roles and responsibilities. Reporting to… (13., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • the effectiveness of internal and external communication. (Art. 13.2. ¶ 3(d), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Communication links to the outside world, i.e. which lead into or through uncontrolled areas (e.g. to the Internet or over land to which the public have access). These may also be wireless communication links because it is difficult to prevent access to them on public property. For external connecti… (§ 8.2.8 ¶ 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • To prepare the way for decisions as to which communication routes require the use of cryptographic security safeguards, which parts of the network should have built-in redundancy and over which connections attacks by insiders and external adversaries are to be expected, the various communication lin… (§ 8.2.8 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • ensure its communication process(es) enable(s) persons doing work under the organization's control to contribute to continual improvement. (§ 7.4.2 ¶ 1 b), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • confirm communication channels with the auditee's representatives; (§ 6.2.2 ¶ 1(a), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • how it will communicate. (§ 7.4.1 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the effectiveness of the reporting system. (§ 9.3.2 ¶ 2 bullet 9, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure its communication process(es) enables personnel to contribute to continual improvement of the compliance management system; (§ 7.4 ¶ 2 bullet 7, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the effectiveness of the reporting system. (§ 9.3 ¶ 3 bullet 7, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • ensure its communication process(es) enables personnel to contribute to continual improvement of the compliance management system. (§ 7.4 ¶ 7 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Due to the particular importance of trust and accountability related to the development and use of AI, top management should consider how policies and statements related to AI risks and risk management are communicated to stakeholders. Demonstrating this level of leadership and commitment can be cri… (§ 5.2 ¶ 3, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • For information to be received as intended, it must be communicated clearly. To be sure communication methods are working, organizations should periodically evaluate them. This can be done through existing processes such as stating expectations for enterprise risk management in employee performance … (Methods of Communicating ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization tests and validates the effectiveness of the incident reporting and communication processes and protocols with internal and external stakeholders. (DE.DP-4.2, CRI Profile, v1.2)
  • The organization tests and validates the effectiveness of the incident reporting and communication processes and protocols with internal and external stakeholders. (DE.DP-4.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Reading contracts with user entities and business partners (such as performance or service level agreements), marketing materials distributed to user entities and business partners or posted on the service organization's website, and other available documentation to (¶ 3.59 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • the types and frequency of communications made to executive management and others about the security, availability, and processing integrity of the system and the confidentiality or privacy of the information it uses (¶ 3.20 Bullet 4 Sub-Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Communication and connectivity between the entity and third-party service providers. (App A Objective 10:8e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Conduct analysis of target communications to identify essential information in support of organization objectives. (T0842, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Monitor operational status and effectiveness of the processing, exploitation and dissemination architecture. (T0753, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct analysis of target communications to identify essential information in support of organization objectives. (T0842, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Monitor operational status and effectiveness of the processing, exploitation and dissemination architecture. (T0753, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes ar… (Bullet 1: Governance and Risk Assessment, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)