GV.RR-02.040
Have you established documented performance goals for personnel with cybersecurity risk management responsibilities and implemented a process to measure their performance against these goals?
Explanation
This question assesses whether your organization has defined clear expectations for staff responsible for cybersecurity risk management and evaluates their performance against these metrics. Establishing measurable goals creates accountability and helps identify skill gaps or areas where additional training or resources may be needed. Regular performance measurement enables continuous improvement in your security posture by ensuring cybersecurity staff are effectively executing their responsibilities. Evidence could include: documented job descriptions with cybersecurity performance metrics, performance review templates specific to security roles, reports showing periodic performance evaluations of security personnel, or improvement plans developed based on performance measurements.
Implementation Example
Document performance goals for personnel with cybersecurity risk management responsibilities, and periodically measure performance to identify areas for improvement.
ID: GV.RR-02.040
Context
- Function
- GV: GOVERN
- Category
- GV.RR: Roles, Responsibilities, and Authorities
- Sub-Category
- Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced