Recognize personnel who reinforce desirable conduct with incentives.


CONTROL ID: 12815
CONTROL TYPE: Human Resources Management
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish job categorization criteria, job recruitment criteria, and promotion criteria. (CC ID: 00781)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The security function should have updated status regarding numbers of unmitigated, critical vulnerabilities, for each department/division, plan for mitigation and should share vulnerability reports indicating critical issues with senior management to provide effective incentives for mitigation. (Critical components of information security 16) ii.e., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Implement incentives that motivate desired conduct and recognize those who contribute to positive outcomes to reinforce desired conduct. (OCEG GRC Capability Model, v. 3.0, P5 Incentives, OCEG GRC Capability Model, v 3.0)
  • targets, key performance indicators (KPIs) and associated incentives, including financial remuneration (see 6.4.3); (§ 6.3.3.2.2 ¶ 2 i), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Retain: Provide incentives to motivate an individual and reinforce the desired level of performance and conduct. This includes offering training and credentialing as appropriate. (Attracting, Developing, and Retaining Individuals ¶ 1 Bullet 5, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)