The board's role is oversight, not direct execution. Upon learning of cyberthreats, the appropriate governance response is to engage executive leadership (e.g., the CIO) to evaluate the risk and report back with an impact assessment and potential responses.
This enables the board to make informed decisions and ensures the matter is handled within the appropriate executive management structure.
[Reference: CGEIT Review Manual, Domain 1 – Governance of Enterprise IT: "Boards should assign evaluation and reporting responsibilities to management while ensuring accountability is maintained at the executive level."; COBIT 2019, Governance Objective EDM03 (Ensure Risk Optimization): emphasizes delegation and structured risk evaluation by executives.]