Report to management and stakeholders on the findings and information gathered from all types of inquiries.


CONTROL ID
12797
CONTROL TYPE
Actionable Reports or Measurements
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain communication protocols., CC ID: 12245

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Under CPS 234, an APRA-regulated entity must annually review and test its information security response plans to ensure they remain effective and fit-for-purpose. It is important that the success criteria for such tests are clearly defined, including the circumstances under which re-testing would be… (74., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • It is important that success criteria for tests are clearly defined, including the circumstances under which re-testing would be required. Test results would be reported to the appropriate governing body or individual, with associated follow-up actions formally tracked and reported. (81., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • if competent authorities come to the conclusion that the institution's governance framework is inadequate for developing and implementing the institution's ICT strategy under 2.2 then this should inform the assessment of the institution's internal governance in Title 5 of the EBA SREP Guidelines und… (Title 2 2.5 34.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly re… (Art. 38.3., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Measure project performance against key project performance scope, schedule, quality, cost and risk criteria. Identify any deviations from the plan. Assess the impact of deviations on the project and overall programme, and report results to key stakeholders. Recommend, implement and monitor remedial… (PO10.13 Project Performance Measurement, Reporting and Monitoring, CobiT, Version 4.1)
  • Provide information and findings from all methods of inquiry to management and stakeholders. (OCEG GRC Capability Model, v. 3.0, P7.5 Report Information and Findings, OCEG GRC Capability Model, v 3.0)
  • Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification. (TVM-09, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders. (A&A-06, Cloud Controls Matrix, v4.0)
  • During the audit, the audit team leader should periodically communicate the progress, any significant findings and any concerns to the auditee and audit client, as appropriate. Evidence collected during the audit that suggests an immediate and significant risk should be reported without delay to the… (§ 6.4.4 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • A clear and timely escalation process should be adopted and communicated to ensure that all noncompliances are raised, reported and eventually escalated to relevant management, and that the compliance function is informed and able to support the escalation. Where appropriate, escalation should be to… (§ 10.1.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • communicate the results of the management review to relevant interested parties; (§ 9.3.3.2 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • outputs, outcomes and the processes to achieve the responsibilities are periodically reported and presented with evidence that actions taken are reasonable and appropriate; (§ 4.2.2 ¶ 2 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • report on the process and outcomes of assessments to relevant stakeholders (see 6.5.3). (§ 4.3.2 ¶ 2 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • accountability through accurate and timely reporting on its performance and stewardship of resources; (§ 5 ¶ 2 c) 2), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • provide information about the organization, including: (§ 6.5.3.2 ¶ 1 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where … (§ 6.2.3.5 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • reporting on the performance of the compliance management system to the governing body and top management. (§ 5.3.1 ¶ 2 b), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall regularly report on the numbers and outcomes of investigations to the governing body or top management. (§ 8.4 ¶ 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensure that the results of the audits are reported to relevant management; (9.2.2 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall regularly report on the numbers and outcomes of investigations to the governing body or top management. (§ 8.4 ¶ 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • reporting on the performance of the compliance management system to the governing body and top management. (§ 5.3.1 ¶ 2 b), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Actively monitor and report disease trends, impacts, population perspective to global laboratory/epidemiology systems including anonymized clinical data, case fatality ratio, high-risk groups (pregnant women, immunocompromised) and children (Pillar 3 Step 2 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Produce weekly epidemiological and social science reports and disseminate to all levels and international partners (Pillar 3 Step 3 Action 3, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Monitor and evaluate diagnostics, data quality and staff performance, and incorporate findings into strategic review of national laboratory plan and share lessons learned (Pillar 5 Step 3 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Communications from regulatory agencies or others, if relevant (AT-C Section 210.21 d., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Reporting – The head of the internal audit function shall report to the audit committee regularly, but no less than annually, on the periodic audit plan, factors that may adversely impact the internal audit function's independence or effectiveness, material findings from completed audits and the a… (Section 15.D., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • The audit committee may delegate to one or more designated members of the audit committee the authority to grant the preapprovals required by Subsection J. The decisions of any member to whom this authority is delegated shall be presented to the full audit committee at each of its scheduled meetings… (Section 7.K., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Discuss corrective action and communicate findings. (App A Objective 13, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether reports include a written BCM presentation, including the BIA, risk assessment, BCP, exercise and test results, and identified issues. (App A Objective 12:1a, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Ownership of the entity's strategic use of data and communication of information and data analytics. (App A Objective 2:9b Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Is familiar with procedures to protect sensitive information, restores normal operations, and notifies the information security officer when necessary. (App A Objective 3:6h Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Discuss findings with management and obtain proposed corrective action for significant deficiencies. (App A Objective 11.2, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Some examinations of sites or specific supervisory activities of a TSP may have an examiner, who is not a member of the CPC team, assigned as Examiner-In-Charge (EIC). In these situations, the EIC conducts the assignment under the direction of the CPC team and is responsible to the Lead CPC for the … (Examiner-In-Charge of Site or Activity ¶ 1, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • C-SCRM requires accountability, commitment, oversight, direct involvement, and ongoing support from senior leaders and executives. Enterprises should ensure that C-SCRM roles and responsibilities are defined for senior leaders who participate in supply chain activities (e.g., acquisition and procure… (2.3.2. ¶ 4, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Provide actionable recommendations to critical stakeholders based on data analysis and findings. (T0385, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters. (T0213, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters. (T0213, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)