Define the thresholds for reporting in the internal reporting program.


CONTROL ID
14331
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal reporting program., CC ID: 12409

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A regulated institution would typically develop a formalised IT security reporting framework that provides operational information and oversight across the various dimensions of the IT security risk management framework. The framework would incorporate clearly defined reporting and escalation thresh… (¶ 76, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • appropriate criteria and obligations for reporting are set out; (§ 9.1.7 ¶ 1 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • appropriate criteria for reporting are defined; (§ 9.1.4 ¶ 1 a), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • appropriate criteria for reporting are defined; (§ 9.1.4 ¶ 1 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Effective escalation and notification procedures should define and describe the events, thresholds, or other types of triggers that are necessary for additional action. Actions would include additional notifications for more recovery staff, messages and status updates to leadership, and notices for … (§ 4.3.3 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))