Cyber Risk Governance
14 governance controls covering strategy, framework, oversight, operations, resources, and critical asset management.
Cyber Risk Strategy
Strategy: The organization has published a cyber risk strategy that is aligned with the technology and business strategies.
Cyber Risk Framework
Framework: The organization has an established cyber risk framework (e.g., a complete set of elements including policies, standards, roles and responsibilities, risk management processes, risk taxonomy, risk appetite, and emerging threats and technologies) in support of the cyber risk strategy and of ongoing threat, risk and incident management.
Strategy and Framework Reviews
Oversight: The organization conducts regular reviews of the cyber risk strategy and cyber risk framework to ensure compliance with legal and regulatory requirements.
Risk-Informed Planning and Budgeting
Strategy: The organization considers cyber risk compliance requirements, identified risks, current and emerging threats, and potential incident-related impacts on operations and services as inputs to planning and prioritizing cyber risk projects, programs and budgets.
Executive Accountability
Oversight: The organization has appointed an executive responsible for the cyber risk strategy, the cyber risk framework, and cyber risk awareness and knowledge at the executive level.
Cyber Risk Policies
Framework: The organization has documented cyber risk policies that explain staff and contractor roles, responsibilities, rules and constraints, as well as possible penalties for non-compliance.
Three Lines of Defence
Oversight: The roles and responsibilities of each of the three lines of defence and of other stakeholders are clearly described within the cyber risk framework.
Key Risk and Performance Indicators
Oversight: Key risk and performance indicators, as well as thresholds, have been established for the organization's key cyber risks and controls. The risk indicators should align with the cyber risk appetite as stated in the cyber risk framework.
Risk Review and Executive Escalation
Oversight: Cyber risks to the organization and its programs or customers are regularly reviewed, prioritized, escalated and explained to the appropriate executives or senior management, and those risks are prioritized for mitigation.
Second Line Independent Review
Oversight: The second line of defence regularly provides an independent review of the various cyber risk assessments and other control activities conducted by the first line of defence.
Personnel Background Checks
Operations: The organization ensures that background checks have been implemented for personnel, contractors and third-party providers, commensurate with the sensitivity and cyber risk needs of the organization assets being managed.
Formal Risk Acceptance
Operations: The organization has implemented a formal process for risk acceptance that is measured, tracked and reported.
Cyber Risk Resources and Skills
Resources: The organization has allocated sufficient and skilled resources for the sustainment of cyber risk programs, systems, roles and services.
Critical Asset Controls
Assets: The organization has identified its critical technology assets and has implemented appropriate controls to ensure their confidentiality, integrity and availability. The controls are regularly reviewed and tested.