Define and assign roles and responsibilities for those involved in risk management.


CONTROL ID
13660
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Define and assign workforce roles and responsibilities., CC ID: 13267

This Control has the following implementation support Control(s):
  • Include the management structure in the duties and responsibilities for risk management., CC ID: 13665


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • the management and staff of the relevant business lines and support functions (i.e., the first line of defense) are accountable for, and competent in, assessing and monitoring the relevant risks and implementing the required risk management controls; and (§ 3.2.1(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • It is necessary to appoint network administrators to manage how networks are operated, and to perform access control and monitoring. (C8.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The process of risk management is an ongoing iterative process. The business environment is constantly changing and new threats and vulnerabilities emerge every day. The choice of countermeasures or controls used to manage risks must strike a balance between productivity, cost-effectiveness of the c… (Critical components of information security 2) 4), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Both the board of directors and senior management should have members with the knowledge to understand and manage technology risks, which include risks posed by cyber threats. (§ 3.1.2, Technology Risk Management Guidelines, January 2021)
  • ensuring the roles and responsibilities of staff in managing technology risks are delineated clearly; and (§ 3.1.8(d), Technology Risk Management Guidelines, January 2021)
  • risk management, assurance and compliance roles; and (¶ 27(i)(iv), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • IT security risk management framework roles: maintenance, ongoing review, compliance monitoring, training and awareness; (¶ 27(i)(i), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • In APRA's view, the IT security risk management framework would encapsulate the expectations of the Board and senior management, have a designated owner(s), and outline the roles and responsibilities of staff to ensure the achievement of effective IT security risk management outcomes. The framework … (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and busin… (3.2.1 2, Final Report EBA Guidelines on ICT and security risk management)
  • The management body has overall accountability for setting, approving and overseeing the implementation of financial institutions' ICT strategy as part of their overall business strategy as well as for the establishment of an effective risk management framework for ICT and security risks. (3.2.1 4, Final Report EBA Guidelines on ICT and security risk management)
  • regular and proactive threat assessments to maintain appropriate security controls. (Title 3 3.3.4(b) 55.a(v), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • that the risk responsibilities and roles are clearly communicated, allocated and embedded in all relevant parts (e.g. business lines, IT) and processes of the organisation, including the roles and responsibilities for gathering and aggregating the risk information and reporting it to senior manageme… (Title 3 3.3.2 50.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Competent authorities should assess how the applicable risk management roles and responsibilities are embedded and integrated in the internal organisation to manage and oversee the identified material ICT risks. In this regard competent authorities should assess whether the institution demonstrates: (Title 3 3.3.2 50., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • clear roles and responsibilities for the identification, assessment, monitoring, mitigation, reporting and oversight of the involved material ICT risk; (Title 3 3.3.2 50.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The management body of the financial entity shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework referred to in Article 6(1). (Art. 5.2. ¶ 1, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • bear the ultimate responsibility for managing the financial entity's ICT risk; (Art. 5.2. ¶ 2(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities, other than microenterprises, shall assign the responsibility for managing and overseeing ICT risk to a control function and ensure an appropriate level of independence of such control function in order to avoid conflicts of interest. Financial entities shall ensure appropriate se… (Art. 6.4., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and depend… (Art. 8.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • knowledge on threats and vulnerabilities within the industrial control, (§ 4.7 ¶ 9 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The institution shall ensure that appropriate staff, in terms of both quality and quantity, are available for information risk management, information security management, IT operations and application development in particular. (II.2.5, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The processing and sharing of information in business and service processes is supported by data-processing IT systems and related IT processes. The scope and quality thereof shall be based, in particular, on the institution's internal operating needs, business activities and risk situation (see AT … (II.3.8, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Measures for handling information security risks and the persons responsible for these are specified and documented: (1.4.1 Requirements (should) Bullet 3, Information Security Assessment, Version 5.1)
  • A responsible person (risk owner) is assigned to each information security risk. This person is responsible for the assessment and handling of the information security risks. (1.4.1 Requirements (must) Bullet 4, Information Security Assessment, Version 5.1)
  • Top management and oversight bodies, where applicable, should ensure that the authorities, responsibilities and accountabilities for relevant roles with respect to risk management are assigned and communicated at all levels of the organization, and should: - emphasize that risk management is a core … (§ 5.4.3 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • Top management and oversight bodies, where applicable, should demonstrate and articulate their continual commitment to risk management through a policy, a statement or other forms that clearly convey an organization's objectives and commitment to risk management. The commitment should include, but i… (§ 5.4.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibil… (§ 6.6 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • When planning the approach, considerations include: - objectives and decisions that need to be made; - outcomes expected from the steps to be taken in the process; - time, location, specific inclusions and exclusions; - appropriate risk assessment tools and techniques; - resources required, responsi… (§ 6.3.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • establishes the desired risk culture across the organization that encourages the reporting and communication of new and emerging risks, and ensures that every person in the organization understands their risk management responsibility; (§ 6.9.3.2 ¶ 2 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • with responsibility for establishing and monitoring processes to address AI risks. (§ 5.4.3 ¶ 2 Bullet 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • with authority to address AI risks; (§ 5.4.3 ¶ 2 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • The organization and responsibilities for the information security risk management process should be set up and maintained. The following are the main roles and responsibilities of this organization: (§ 7.4 ¶ 1, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • development of the information security risk management process suitable for the organization; (§ 7.4 ¶ 1 Bullet 1, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • The decision to accept the risks and responsibilities for the decision should be made and formally recorded. (§ 10 Action:, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • This organization should be approved by the appropriate managers of the organization. (§ 7.4 ¶ 2, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • establishment of the required relationships between the organization and stakeholders, as well as interfaces to the organization's high-level risk management functions (e.g. operational risk management), as well as interfaces to other relevant projects or activities; (§ 7.4 ¶ 1 Bullet 4, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • definition of roles and responsibilities of all parties both internal and external to the organization; (§ 7.4 ¶ 1 Bullet 3, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Identify and assign individuals to specific roles associated with security and privacy risk management. (TASK P-1, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The board of directors has the primary responsibility for risk oversight in the entity, and in many countries it has a fiduciary responsibility to the entity's stakeholders, including conducting reviews of enterprise risk management practices. Typically, the full board is responsible for risk oversi… (Accountability and Responsibility ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Effective communication between the board of directors and management is critical for organizations to achieve the strategy and business objectives and to seize opportunities within the business environment. Communicating about risks starts by defining risk responsibilities clearly: who needs to kno… (Communicating with the Board ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. (GV.IR-1.3, CRI Profile, v1.2)
  • The organization has an independent risk management function. (Independent Risk Management Function (GV.IR), CRI Profile, v1.2)
  • The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. (GV.IR-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Identifying and assessing risks and addressing such risks through effective internal control is one of the critical roles of management. When a service organization outsources tasks or functions to a subservice organization, it shifts some of the risks associated with performing those tasks or funct… (¶ 3.102, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Roles, responsibilities, procedures, and reporting mechanisms for risk management in AIO activities. (App A Objective 2:8b Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Delineation of other roles and responsibilities. (App A Objective 2:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Utilizing qualified information security personnel employed by you or an affiliate or service provider sufficient to manage your information security risks and to perform or oversee the information security program; (§ 314.4 ¶ 1(e)(2), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. (SR-2(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. (SR-2(1) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. (SR-2(1) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Executive leadership of the organization takes responsibility for decisions about risks associated with AI system development and deployment. (GOVERN 2.3, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Accountability structures are in place so that the appropriate teams and individuals are empowered, responsible, and trained for mapping, measuring, and managing AI risks. (GOVERN 2, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization. (GOVERN 2.1, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Ongoing monitoring and periodic review of the risk management process and its outcomes are planned and organizational roles and responsibilities clearly defined, including determining the frequency of periodic review (GOVERN 1.5, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Interdisciplinary AI actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized. (MAP 1.2, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Practices and personnel for supporting regular engagement with relevant AI actors and integrating feedback about positive, negative, and unanticipated impacts are in place and documented. (MAP 5.2, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. (SR-2(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. (SR-2(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. (SR-2(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Form and/or collaborate with a C-SCRM PMO. (Level 2 Mission and Business Process Activities Bullet 8, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Effective C-SCRM requires commitment, direct involvement, and ongoing support from senior leaders and executives. Enterprises should designate the responsibility for leading agency-wide SCRM activities to an executive-level individual, office (supported by an expert staff), or group (e.g., a risk bo… (2.3.2 ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • These leaders are also responsible and accountable for developing and promulgating a holistic set of policies that span the enterprise's mission and business processes, guiding the establishment and maturation of a C-SCRM capability and the implementation of a cohesive set of C-SCRM activities. Lead… (2.3.2. ¶ 6, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • A C-SCRM PMO typically consists of C-SCRM SMEs who help drive the C-SCRM strategy and implementation across the enterprise and its mission and business processes. A C-SCRM PMO may include or report to a dedicated executive-level official responsible and accountable for overseeing C-SCRM activities a… (2.3.5. ¶ 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Level 2 roles include representatives of each mission and business process, such as program managers, research and development, and acquisitions/procurement. Level 2 C-SCRM activities address C-SCRM within the context of the enterprise's mission and business process. Specific strategies, policies, a… (2.3.3. ¶ 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Members of the C-SCRM team should be a diverse group of people involved in the various aspects of the enterprise's critical processes, such as information security, procurement, enterprise risk management, engineering, software development, IT, legal, and HR. To aid in C-SCRM, these individuals shou… (2.3.1. ¶ 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and (PM-29a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Identify and assign individuals to specific roles associated with the execution of the Risk Management Framework. (T0929, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Roles and responsibilities (e.g., public relations) for communicating data processing purposes, practices, and associated privacy risks are established. (CM.PO-P2, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Identify and assign individuals to specific roles associated with the execution of the Risk Management Framework. (T0929, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. (SR-2(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and (PM-29a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish a supply chain risk management team consisting of [Assignment: organization-defined personnel, roles, and responsibilities] to lead and support the following SCRM activities: [Assignment: organization-defined supply chain risk management activities]. (SR-2(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and (PM-29a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The responsibilities of managing risks are shared throughout the Agency from the highest levels of executive leadership to the service delivery staff executing Federal programs. Industry best practices suggest risk management functions generally have the following characteristics: (Section II (A) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • To build the secure and resilient future we want, we must shape market forces to place responsibility on those within digital ecosystem that are best positioned to reduce risk. We will shift the consequences of poor cybersecurity away from the most vulnerable, making our digital ecosystem more worth… (PILLAR THREE ¶ 1, National Cybersecurity Strategy)
  • The Federal government will continue to enhance coordination between CISA and other SRMAs, invest in the development of SRMA capabilities, and otherwise enable SRMAs to proactively respond to the needs of critical infrastructure owners and operators in their sectors. The Federal Government will coll… (STRATEGIC OBJECTIVE 1.2 ¶ 3, National Cybersecurity Strategy)