Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities.


CONTROL ID
12895
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Optimisation of information security investments in support of organizational objectives (Information Security Governance ¶ 2 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Competent authorities should assess whether the institution's general governance and internal control framework duly cover the ICT systems and related risks and if the management body adequately addresses and manages these aspects, as ICT is integral to the proper functioning of an institution. (Title 2 2.1 20., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Evaluate and integrate use of technologies to support GRC capabilities. (OCEG GRC Capability Model, v 3.0, A5.8 Establish Technology Architecture, OCEG GRC Capability Model, v 3.0)
  • When planning these actions, the organization shall consider its technological options and its financial, operational and business requirements. (§ 6.1.4 ¶ 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization should consider the capabilities of, and constraints on, existing resources. (§ 5.4.4 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; (§ 6.4.3.2 ¶ 1 i), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • extent and diversity of technology utilized in the implementation of the various components of the ISMS (such as the implemented controls, documented information and/or process control, technological platforms and solutions involved, etc.); (§ 7.2.1.2 c), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • Conduct an SCI review of the SCI entity's compliance with Regulation SCI not less than once each calendar year; provided, however, that: (§242.1003(b)(1), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. (§ 164.306(b)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Review of the centralization processes for the IT functions and understanding of interrelationships between the entity's IT and business functions. (App A Objective 2:9a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Evaluates whether past and current IT performance demonstrates an ability to support IT strategic plans. (App A Objective 2:6a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Analysis of whether the entity's products and services meet enterprise-wide business and strategic plan objectives from a data perspective. (App A Objective 2:9b Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Considers the use of IT to enable personnel to perform their job functions. (App A Objective 13:6c Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Maintenance of representations (e.g., blueprints, network diagrams, and topologies) of the IT environment, review of existing infrastructure and operations to determine IT systems capabilities and needs. (App A Objective 2:9a Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the institution continually assesses the capability of technology needed to sustain an appropriate level of information security based on the size, complexity, and risk appetite of the institution. (App A Objective 6.3, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Monitor advancements in information privacy technologies to ensure organization adoption and compliance. (T0925, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Monitor advancements in information privacy technologies to ensure organization adoption and compliance. (T0925, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)