GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
Ex1: Document risk management roles and responsibilities in policy
Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed
Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions
Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement
Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions
Tier
Description
Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced