(3) Roles, Responsibilities, and Authorities (GV.RR):
Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
GV.RR-01:
Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
- Ex1: Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization's cybersecurity strategy
- Ex2: Share leaders' expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management
- Ex3: Leaders direct the CISO to maintain a comprehensive cybersecurity risk strategy and review and update it at least annually and after major events
- Ex4: Conduct reviews to ensure adequate authority and coordination among those responsible for managing cybersecurity risk
♠ Implementation check
❈ Documents and records
- Organizational structure
- Cybersecurity job descriptions
- Cybersecurity personnel performance evaluations
- Cybersecurity policy
❈ Expected results
- An information security lead role (e.g., CISO) is defined that reports directly to the board or senior leadership
- The organizational structure and formal assignments and authorizations formally and explicitly describe the personnel, roles, and responsibilities for cybersecurity risk management
- Awareness program plans and execution records reflect leaders' expectations for a secure and ethical culture and show that those expectations were communicated effectively
- The CISO reports a comprehensive cybersecurity risk strategy to senior leadership at least annually or after major changes
- Annual or more frequent performance reviews are conducted to ensure that key cybersecurity roles have sufficient authority and coordination
- Charters and records of management reviews or cybersecurity meetings exist, including charters and minutes that require senior managers responsible for the cybersecurity strategy to demonstrate its effectiveness/implementation
GV.RR-02:
Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
- Ex1: Document risk management roles and responsibilities in policy
- Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
- Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
- Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
- Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions
♠ Implementation check
❈ Documents and records
- Cybersecurity policy
- Organizational structure
- Cybersecurity job descriptions
- Cybersecurity personnel performance evaluations
- Employment contracts and agreements
- Risk management plan
❈ Expected results
- Cybersecurity responsibilities are assigned to the operations, risk, and internal audit functions respectively
- Job descriptions define cybersecurity risk responsibilities and performance requirements
- Performance evaluations include measurable performance goals that are tracked and reported periodically
- Responsibility for monitoring and reporting suspicious system activity is defined, including the corresponding reporting channels and the roles and responsibilities for responding to reports
GV.RR-03:
Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
- Ex1: Conduct periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority
- Ex2: Identify resource allocation and investment in line with risk tolerance and response
- Ex3: Provide adequate and sufficient people, process, and technical resources to support the cybersecurity strategy
♠ Implementation check
❈ Documents and records
- Cybersecurity policy
- Organizational structure
- Cybersecurity job descriptions
- Cybersecurity budget
- Cybersecurity training
❈ Expected results
- Cybersecurity staff have capabilities and authority commensurate with their responsibilities
- Cybersecurity personnel (including third parties) are sufficient in number and have the technical resources and training needed to support the cybersecurity strategy
- The cybersecurity budget is consistent with risk tolerance and sufficient for the organization's size and complexity
GV.RR-04:
Cybersecurity is included in human resources practices
- Ex1: Integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)
- Ex2: Consider cybersecurity knowledge to be a positive factor in hiring, training, and retention decisions
- Ex3: Conduct background checks prior to onboarding new personnel for sensitive roles, and periodically repeat background checks for personnel with such roles
- Ex4: Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles
♠ Implementation check
❈ Documents and records
- Onboarding/offboarding/transfer processes
- Acceptable use policy
- Cybersecurity training
❈ Expected results
- Cybersecurity requirements are confirmed to be reflected in human resources practices
- Hiring procedures include background checks/screening
- For candidates who will have access to sensitive systems or information, hiring procedures are commensurate with the higher risk level
- Cybersecurity awareness, competence, and performance are tied to personal development
- Employees are required to read and agree to the organization's acceptable use policy at hire and periodically thereafter
- Policy defines when access rights are disabled or modified