What is Roles and Responsibilities (GV.RR)?

Cybersecurity roles and responsibilities are coordinated and aligned with all internal and external stakeholders to enable accountability, performance assessment, and continuous improvement (formerly ID.GV-2)

GV.RR-01:

Organizational leadership takes responsibility for decisions associated with cybersecurity risks and establishes a culture that is risk-aware, behaves in an ethical manner, and promotes continuous improvement

GV.RR-02:

Roles and responsibilities related to cybersecurity risk management are established and communicated (formerly ID.GV-2, ID.AM-6, and DE.DP-1)

GV.RR-03:

Roles and responsibilities for customers, partners, and other third-party stakeholders are established and communicated (formerly ID.AM-6)

GV.RR-04:

Roles and responsibilities for suppliers are established, documented in contractual language, and communicated (formerly ID.AM-6)

GV.RR-05:

Lines of communication across the organization are established for cybersecurity risks, including supply chain risks

GV.RR-06:

Resourcing and authorities for cybersecurity are decided commensurate with risk strategy, roles, and policies

GV.RR-07:  

Cybersecurity is included in human resources practices (e.g., training, deprovisioning, personnel screening) (formerly PR.IP-11)