GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced


[csf.tools Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Document risk management roles and responsibilities in policy

Ex2: Document who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed

Ex3: Include cybersecurity responsibilities and performance requirements in personnel descriptions

Ex4: Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement

Ex5: Clearly articulate cybersecurity responsibilities within operations, risk functions, and internal audit functions