|
GV.OV: Oversight
|
http://cyfun.data.gift/data/category_GV.OV
|
19 |
|
GV.OV: Oversight
|
http://cyfun.data.gift/data/nist_category_GV_OV
|
5 |
|
GV.PO-01.1: Policies and procedures for managing information and cybersecurity shall be established, documented, reviewed, approved, updated when changes occur, communicated and enforced.
|
http://cyfun.data.gift/data/requirement_GV_PO_01_1
|
21 |
|
GV.PO-01.2: Organisation-wide information and cybersecurity policies and procedures shall include the use of cryptography and, where appropriate, encryption, reflect changes in requirements, threats, technology and organisational roles, and be approved by senior management, who oversee their implementation. This control builds further on GV.PO-01.1 and focuses on the content and oversight of the cyber and information security policies themselves. It ensures that specific technical topics (such as cryptography and encryption) are addressed, that policies are responsive to change, and that senior leadership is actively involved in approval and oversight. Consider covering the following elements:
· Define scope and objectives: ensure policies apply organisation-wide and align with business and risk priorities.
· Include cryptography and encryption:
  · Address encryption at rest and in transit, key management, and approved algorithms.
  · Define where encryption is required (e.g., personal data, remote access).
· Keep policies current: update policies to reflect changes in:
  · Legal/regulatory requirements
  · Threat landscape
  · Technology
  · Organisational structure
· Senior management oversight:
  · Require formal approval by senior leadership.
  · Assign a policy owner (e.g., CISO) to oversee implementation and compliance.
· Assign roles and responsibilities:
  · Use the ENISA ECSF Role Profiles (https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework-role-profiles) to define cybersecurity roles (e.g., Policy Officer, Risk Manager) and to align tasks, skills, and competencies.
· Communicate and train: disseminate policies and provide role-specific training.
· Monitor and enforce: use technical controls and audits to ensure compliance.
|
http://cyfun.data.gift/data/requirement_GV_PO_01_2
|
15 |
|
GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
|
http://cyfun.data.gift/data/nist_subcategory_GV_PO_01
|
5 |
|
GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
|
http://cyfun.data.gift/data/subcategory_GV.PO-01
|
19 |
|
GV.PO: Policy
|
http://cyfun.data.gift/data/category_GV.PO
|
21 |
|
GV.PO: Policy
|
http://cyfun.data.gift/data/nist_category_GV_PO
|
5 |
|
GV.RM-01.1: Information/cybersecurity objectives shall be identified, agreed to by organisational stakeholders and approved by senior management.
|
http://cyfun.data.gift/data/requirement_GV_RM_01_1
|
22 |
|
GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
|
http://cyfun.data.gift/data/nist_subcategory_GV_RM_01
|
5 |
|
GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
|
http://cyfun.data.gift/data/subcategory_GV.RM-01
|
15 |
|
GV.RM-02.1: Risk appetite and risk tolerance statements shall be defined, documented, approved by senior management, communicated, and maintained.
|
http://cyfun.data.gift/data/requirement_GV_RM_02_1
|
22 |