Has your organization documented the conditions under which shared responsibility models with third parties are acceptable for cybersecurity functions, financial transactions, and cloud services?
Explanation
Shared responsibility models define which security controls are managed by your organization versus those managed by vendors or partners. Clear documentation helps prevent security gaps where each party assumes the other is responsible for a particular control. This is especially important for outsourced cybersecurity functions, financial transaction processing, and cloud service usage where responsibilities often overlap.
Evidence could include a formal document outlining shared responsibility acceptance criteria, vendor management policies that define security requirements for different types of third-party relationships, or cloud service provider agreements with clearly marked security responsibility matrices.
Implementation Example
Document conditions under which shared responsibility models are acceptable (e.g., outsourcing certain cybersecurity functions, having a third party perform financial transactions on behalf of the organization, using public cloud-based services)
ID: GV.RM-04.023
Context
- Function
  - GV: GOVERN
- Category
  - GV.RM: Risk Management Strategy
- Sub-Category
  - Strategic direction that describes appropriate risk response options is established and communicated
Related questions
- Does your organization update cybersecurity risk management objectives as part of annual strategic planning and when significant organizational or environmental changes occur?
- Has your organization established measurable objectives for cybersecurity risk management?
- Have senior leaders established and agreed upon measurable cybersecurity objectives that are used to manage risk and evaluate performance?
- Has your organization formally defined and communicated risk appetite statements that clearly articulate acceptable levels of risk across different business areas?
- Has your organization translated high-level risk appetite statements into specific, measurable risk tolerance metrics that can be monitored and reported?
- Does your organization have a formal process to periodically review and update its risk appetite and objectives based on current risk exposure and residual risk levels?