All of the risk assessments, vulnerability scans, and monitoring results need to be packaged up and presented to your Board of Directors at least annually. If you do not have a board of directors, the report must go to the highest level of management or ownership. This document must be very thorough, and producing it represents a significant effort.
Require your Qualified Individual to report in writing, regularly and at least annually, to your board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a senior officer responsible for your information security program. The report shall include the following information:
(1) The overall status of the information security program and your compliance with this part; and
(2) Material matters related to the information security program, addressing issues such as risk assessment, risk management and control decisions, service provider arrangements, results of testing, security events or violations and management's responses thereto, and recommendations for changes in the information security program.
Security Studio's robust risk assessment platform empowers you to generate your annual report anytime, with a click.