What is Roles and Responsibilities (GV.RR)?
Cybersecurity roles and responsibilities are coordinated and aligned with all internal and external stakeholders to enable accountability, performance assessment, and continuous improvement (formerly ID.GV-2)
GV.RR-01:
Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner, and promotes continuous improvement
GV.RR-02:
Roles and responsibilities related to cybersecurity risk management are established and communicated (formerly ID.GV-2, ID.AM-6, and DE.DP-1)
GV.RR-03:
Roles and responsibilities for customers, partners, and other third-party stakeholders are established and communicated (formerly ID.AM-6)
GV.RR-04:
Roles and responsibilities for suppliers are established, documented in contractual language, and communicated (formerly ID.AM-6)
GV.RR-05:
Lines of communication across the organization are established for cybersecurity risks, including supply chain risks
GV.RR-06:
Resourcing and authorities for cybersecurity are decided commensurate with risk strategy, roles, and policies
GV.RR-07:
Cybersecurity is included in human resources practices (e.g., training, deprovisioning, personnel screening) (formerly PR.IP-11)