Leadership and high level objectives


CONTROL ID: 00597
CONTROL TYPE: IT Impact Zone
CLASSIFICATION: IT Impact Zone

SUPPORTING AND SUPPORTED CONTROLS




This is a top level control.

This Control has the following implementation support Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598
  • Establish and maintain the scope of the organizational compliance framework and Information Assurance controls., CC ID: 01241
  • Define the Information Assurance strategic roles and responsibilities., CC ID: 00608
  • Establish and maintain a strategic plan., CC ID: 12784
  • Establish and maintain a Governance, Risk, and Compliance awareness and training program., CC ID: 06492
  • Establish, implement, and maintain a financial management program, as necessary., CC ID: 13228
  • Establish and maintain communication protocols., CC ID: 12245
  • Establish and maintain an internal reporting program., CC ID: 12409
  • Establish and maintain an external reporting program., CC ID: 12876


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Generally recognized frameworks of risk management and internal controls should be used by the Board of Directors to provide assurance that the organizational objectives are being met for safeguarding the organization's assets, complying with laws and regulations, operating effectively and efficient… (¶ 3.1.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • App 2-1 Item Number I.4(3): Information assets must be efficiently and effectively used to achieve management and information strategy objectives. This is a control item that constitutes a relatively small risk to financial information. This is a company-level IT control. App 2-1 Item Number I.4(4):… (App 2-1 Item Number I.4(3), App 2-1 Item Number I.4(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The Board of Directors is responsible for the organization's success and should lead and control the organization effectively. (¶ 1, CODE OF CORPORATE GOVERNANCE 2005)
  • The business environment will always have an overriding effect on the decisions made regarding technology product evaluations. (§ 6.3.11, Information Technology Security Evaluation Manual (ITSEM), Version 1.0)
  • The Management Board and the Supervisory Board must cooperate closely for the benefit of the organization. (¶ 3.1, German Corporate Governance Code ("The Code"), June 6, 2008)
  • (¶ 10, ¶ 11, ¶ 16, Turnbull Guidance on Internal Control, UK FRC, October 2005)
  • The Board of Directors and senior management should create an organizational culture with high levels of ethical standards and adherence to sound operating controls. (¶ 11, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • § 1.4 Asks how security and business interact in determining cyber risk and security, thus pointing out the need for direct interaction between organizational leadership and information management leadership. § 1.8 asks whether the security program is directly aligned with the business objectives… (§ I.4, § I.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Links the need to properly understand the business environment when auditing for Enterprise Resource Planning, Business Process Reengineering, and Business Continuity Planning respectively. (§ 010.010.2.2.1, § 020.130.1.3.4, § 020.150.2.3.6, ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009)
  • The continuity practitioner needs to ask two key questions when beginning to define the continuity program - what are the objectives of the organization (and organizational leaders), and how are those objectives achieved? (Stage 1, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The organization must consider significant risks and impacts; legal, regulatory, and other requirements; operational, business, and financial requirements; technology options; and the stakeholders' and other interested parties' views when it establishes and reviews its objectives and targets. (§ 4.3.3 ¶ 3, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Management should commit to and demonstrate support for the information security policy by issuing and maintaining the policy across the entire organization. (§ 5.1.1, ISO 27002 Code of practice for information security management, 2005)
  • The leadership of the organization should demonstrate its commitment to security by their words and actions. (Pg 2, Responsible Care Security Code of Management Practices, American Chemistry Council)
  • The Board of Directors plays a role in the setting of high-level objectives by holding authority for certain key decisions. The organization should establish strategic objectives to support its mission. (Pg 8, Pg 35, Pg 92, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • Management should ensure that the organization is run with high ethical standards and complies with all laws and regulations. (Pg 85, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The agency head must establish goals to improve the efficiency and effectiveness of the agency's operations and delivery of services to the public through the use of information technology. (§ 5123(1), Clinger-Cohen Act (Information Technology Management Reform Act))
  • The Board of Directors and senior management should develop policies defining how the identified risks will be managed and controlled. (Pg 3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The Management Information System (MIS) should be used to provide data and information to senior management to aid them in making strategic decisions. (Pg 13, FFIEC IT Examination Handbook - Management)
  • (§ 260.06, GAO/PCIE Financial Audit Manual (FAM))
  • The goal of information technology security is to enable an organization to meet all of its mission and business objectives by implementing systems with due care considerations of the organization's risks. (§ 2.0, Underlying Technical Models for Information Technology Security, SP 800-33, December 2001)
  • A senior management council should be formed to ensure senior management involvement. This council should examine management accountability and management commitment to controls and should provide input for correcting deficiencies. (§ I.A, § IV.C, OMB Circular A-123, Management's Responsibility for Internal Control)