Back

Define the thresholds for escalation in the internal reporting program.


CONTROL ID
14332
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal reporting program., CC ID: 12409

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • A regulated institution would typically develop a formalised IT security reporting framework that provides operational information and oversight across the various dimensions of the IT security risk management framework. The framework would incorporate clearly defined reporting and escalation thresh… (¶ 76, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • A clear and timely escalation process should be adopted and communicated to ensure that all noncompliances are raised, reported and eventually escalated to relevant management, and that the compliance function is informed and able to support the escalation. Where appropriate, escalation should be to… (§ 10.1.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Effective escalation and notification procedures should define and describe the events, thresholds, or other types of triggers that are necessary for additional action. Actions would include additional notifications for more recovery staff, messages and status updates to leadership, and notices for … (§ 4.3.3 ¶ 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))