Does leadership actively communicate expectations for a secure and ethical culture, particularly leveraging current events as teaching opportunities?
Explanation
This question assesses tone from the top: whether leadership actively communicates expectations for a secure, ethical culture and uses current events as teaching moments. When leaders discuss security incidents in the news or highlight team members who demonstrate good security practices, they reinforce that security is a priority and help employees understand how security policies apply in practice.
Evidence could include internal communications (emails, newsletters, town hall recordings) where leadership discusses security incidents or ethical dilemmas from current events, explaining how the organization's values and security practices relate to these situations.
Implementation Example
Share leaders' expectations regarding a secure and ethical culture, especially when current events present the opportunity to highlight positive or negative examples of cybersecurity risk management.
ID: GV.RR-01.034
Context
- Function: GV: GOVERN
- Category: GV.RR: Roles, Responsibilities, and Authorities
- Sub-Category: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
Related questions
- Have organizational leaders formally documented and agreed upon their specific roles and responsibilities for cybersecurity strategy development, implementation, and assessment?
- Does your organization have a comprehensive cybersecurity risk strategy that is reviewed and updated at least annually and after significant security events?
- Does your organization conduct regular reviews to verify that individuals responsible for managing cybersecurity risk have appropriate authority and coordination mechanisms?
- Has your organization documented risk management roles and responsibilities in a formal policy?
- Has your organization formally documented the roles and responsibilities for cybersecurity risk management, including RACI (Responsible, Accountable, Consulted, Informed) designations?
- Are cybersecurity responsibilities and performance requirements explicitly included in job descriptions and personnel documentation?