Back

Approve the information security policy at the organization's management level or higher.


CONTROL ID
11737
CONTROL TYPE
Process or Activity
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an information security policy., CC ID: 11740

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should develop formal policies and procedures on data security to safeguard customer data, covering areas on, among others, system controls, physical security controls, mobile computing, and outside service providers. The policies and procedures should be in line with the relevant supervisory gu… (Annex B. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • When formulating or revising regulations that have significant impact on the company-wide (or organization-wide) policy for security measures or implementation, management must give instruction and approval. (C1.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The establishment of the above system must be ordered and approved by management. (C4.1. ¶ 3, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • There should be arrangements for monitoring the information security condition of the organisation, which are documented, agreed with top management and performed regularly. Information generated by monitoring the information security condition of the organization should be used to measure the effec… (Critical components of information security 22) ii., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system's authorising officer. (Security Control: 0047; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system's authorising officer. (Control: ISM-0047; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Organisational-level security documentation is approved by the Chief Information Security Officer while system-specific security documentation is approved by the system's authorising officer. (Control: ISM-0047; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Financial institutions should develop and document an information security policy that should define the high-level principles and rules to protect the confidentiality, integrity and availability of financial institutions' and their customers' data and information. For PSPs this policy is identified… (3.4.1 28, Final Report EBA Guidelines on ICT and security risk management)
  • The management level must assume a role model function also when it comes to information security. Among other things, this includes that the management level takes into account all specified security rules, participates in training measures, and supports other managers regarding the execution of th… (§ 4.1(6) ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Obtain the agreement of management (§ 3.2.4 Subsection 4 Bullet 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Obtain request from the management to produce a security policy (§ 3.4.5 Subsection 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If an IS management team already exists within the organisation, then this should be responsible for developing and/or reviewing and re-working the information security policy. The draft document is then submitted to the administration and management, respectively, for approval. (§ 3.4.2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Organise management approval of security policy (§ 3.4.5 Subsection 1 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • As the administration or management has ultimate responsibility for the security policy, the policy should be set down in writing. The document must be formally approved by the administration or management. The content of the security policy should not only be known within the organisation but also … (§ 3.4.4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Document basic approach of the organisation for checking and improving the information security process in a corresponding policy and present this to the management level for passing (§ 10.3 Subsection 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Revised policies and instructions are approved by committees or bodies of the cloud provider authorised to do so before they become valid. (Section 5.2 SA-02 Basic requirement ¶ 2, Cloud Computing Compliance Controls Catalogue (C5))
  • The regular review is followed up by central bodies at the cloud provider. (Section 5.2 SA-02 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • A security policy with security objectives and strategic parameters for achieving these objectives is documented. The security objectives are derived from the corporate objectives and business processes, relevant laws and regulations as well as the current and future expected threat environment with… (Section 5.1 OIS-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions for information security or related topics derived from the security policy are documented in an uniform structure. They are communicated and made available to all internal and external employees of the cloud provider properly and adequately. Policies are versioned and appr… (Section 5.2 SA-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The management board shall agree an information security policy and communicate this appropriately within the institution. The information security policy shall be in line with the institution's strategies. (II.4.16, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Information security policies and procedures shall be established and made readily available for review by all impacted personnel and external business relationships. Information security policies must be authorized by the organization's business leadership (or other accountable business role or fun… (GRM-06, Cloud Controls Matrix, v3.0)
  • A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. (A.5.1.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Organizations processing health information, including personal health information, shall have a written information security policy that is approved by management, published, and then communicated to all employees and relevant external parties. (§ 5.1.1 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Management with appropriate authority shall approve an information security policy relevant to the organization. The information security policy shall be documented and take into consideration the service requirements and the obligations in 6.3 c). (§ 8.7.3.1 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties. (§ 5.1.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Information security policy and topic-specific policies should be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. (§ 5.1 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Through its management processes the organization should record the risk owner's acceptance of the residual risk and management approval of the plan. (§ 6.1.3 Guidance ¶ 29, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization maintains a documented cybersecurity policy or policies approved by a designated Cybersecurity Officer (e.g., CISO) or an appropriate governing authority (e.g., the Board or one of its committees). (GV.PL-1.1, CRI Profile, v1.2)
  • Organizational cybersecurity policy is established and has been approved by appropriate governance bodies. (GV.PL-1, CRI Profile, v1.2)
  • The organization maintains a documented cybersecurity policy or policies approved by a designated Cybersecurity Officer (e.g., CISO) or an appropriate governing authority (e.g., the Board or one of its committees). (GV.PL-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Each Member firm should establish and implement a governance framework that supports informed decision making and escalation within the firm to identify and manage information security risks. In implementing an ISSP, each Member must adopt and enforce a written ISSP reasonably designed to provide sa… (Information Security Program Bullet 1 Written Program ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning] (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-6, Version 6)
  • Each Responsible Entity shall review and obtain CIP Senior Manager approval at least once every 15 calendar months for one or more documented cyber security policies that collectively address the following topics: [Violation Risk Factor: Medium] [Time Horizon: Operations Planning] (B. R1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Approve the bank holding company's written information security program; and (§ III.A(1), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Determine whether the information security policy is annually reviewed and approved by the board. (App A Objective 6.2, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Annually reviewing and approving a formal, written information security program. (App A Objective 12:7 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, the state, and the Nation; (PM-1 a.4., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Approve the credit union's written information security policy and program; and (§ 748 Appendix A. III.A.1., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; (PM-1a.4., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; (PM-1a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; (PM-1a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; (PM-1a.4., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation; (PM-1a.4., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)