Does your organization have a formal process to ensure personnel are aware of, acknowledge, and comply with security policies relevant to their roles?
Explanation
This question reviews policy awareness and accountability: whether you have a formal process to ensure personnel know, acknowledge, and follow the security policies tied to their roles. Effective security awareness programs ensure employees understand which security policies apply to them and how to put those policies into practice in their daily work.
Evidence could include: signed security policy acknowledgment forms, role-specific security training completion records, security awareness program documentation, or a security policy management system that tracks employee acknowledgments and periodic re-certifications of understanding.
Implementation Example
Define and enforce obligations for personnel to be aware of, adhere to, and uphold security policies as they relate to their roles
ID: GV.RR-04.048
Context
- Function: GV: GOVERN
- Category: GV.RR: Roles, Responsibilities, and Authorities
- Sub-Category: Cybersecurity is included in human resources practices
Related questions
- Have organizational leaders formally documented and agreed upon their specific roles and responsibilities for cybersecurity strategy development, implementation, and assessment?
- Does leadership actively communicate expectations for a secure and ethical culture, particularly leveraging current events as teaching opportunities?
- Does your organization have a comprehensive cybersecurity risk strategy that is reviewed and updated at least annually and after significant security events?
- Does your organization conduct regular reviews to verify that individuals responsible for managing cybersecurity risk have appropriate authority and coordination mechanisms?
- Has your organization documented risk management roles and responsibilities in a formal policy?
- Has your organization formally documented the roles and responsibilities for cybersecurity risk management, including RACI (Responsible, Accountable, Consulted, Informed) designations?