
BCBS 239 Principles for Effective Risk Data Aggregation and Risk Reporting

Basel Committee on Banking Supervision principles (published January 2013) setting expectations for the risk data aggregation and risk reporting capabilities of global systemically important banks (G-SIBs). There are 14 principles in 4 domains: overarching governance and infrastructure (Principles 1-2), risk data aggregation capabilities (Principles 3-6), risk reporting practices (Principles 7-11), and supervisory review, tools and cooperation (Principles 12-14). The principles are about data quality, completeness, timeliness, accuracy and distribution of risk reports rather than cybersecurity controls per se, so the mappings below are interpretive: the control identifiers are NIST SP 800-53 controls (names are drawn from more than one revision), and a principle reference indicates that the control supports the stated expectation, not that BCBS 239 prescribes that control.

AC Access Control

Control | Name | BCBS 239 References
AC-01 | Access Control Policies and Procedures | Principle 11
AC-02 | Account Management | Principle 11
AC-03 | Access Enforcement | Principle 11
AC-04 | Information Flow Enforcement | Principle 11
AC-05 | Separation of Duties | Principle 1
AC-06 | Least Privilege | Principle 11
AC-16 | Automated Labeling | Principle 11
AC-20 | Use of External Information Systems | Principle 14
AC-21 | Information Sharing | Principle 11
AC-22 | Publicly Accessible Content | Principle 11

AT Awareness and Training

Control | Name | BCBS 239 References
AT-01 | Security Awareness and Training Policy and Procedures | Principle 1
AT-02 | Security Awareness | Principle 1

AU Audit and Accountability

Control | Name | BCBS 239 References
AU-01 | Audit and Accountability Policy and Procedures | Principle 3
AU-02 | Auditable Events | Principles 3, 4
AU-03 | Content of Audit Records | Principle 3
AU-04 | Audit Storage Capacity | Principle 5
AU-05 | Response to Audit Processing Failures | Principle 5
AU-06 | Audit Monitoring, Analysis, and Reporting | Principles 7, 10, 12
AU-07 | Audit Reduction and Report Generation | Principles 7, 9
AU-08 | Time Stamps | Principle 5
AU-10 | Non-Repudiation | Principles 3, 7
AU-11 | Audit Record Retention | Principle 4
AU-12 | Audit Record Generation | Principle 4

CA Security Assessment and Authorization

Control | Name | BCBS 239 References
CA-01 | Certification, Accreditation, and Security Assessment Policies and Procedures | Principle 1
CA-02 | Security Assessments | Principles 7, 8, 12
CA-03 | Information System Connections | Principle 14
CA-05 | Plan of Action and Milestones | Principles 12, 13
CA-06 | Security Accreditation | Principles 1, 12
CA-07 | Continuous Monitoring | Principles 7, 8, 10, 12

CM Configuration Management

Control | Name | BCBS 239 References
CM-01 | Configuration Management Policy and Procedures | Principle 2
CM-02 | Baseline Configuration | Principle 2
CM-03 | Configuration Change Control | Principle 6
CM-04 | Monitoring Configuration Changes | Principle 6
CM-08 | Information System Component Inventory | Principles 2, 4
CM-09 | Configuration Management Plan | Principle 6
CM-12 | Information Location | Principles 2, 4
CM-13 | Data Action Mapping | Principles 2, 4

CP Contingency Planning

Control | Name | BCBS 239 References
CP-02 | Contingency Plan | Principles 2, 5, 6
CP-07 | Alternate Processing Site | Principles 2, 5
CP-08 | Telecommunications Services | Principles 2, 5
CP-10 | Information System Recovery and Reconstitution | Principle 5

IR Incident Response

Control | Name | BCBS 239 References
IR-04 | Incident Handling | Principle 6
IR-08 | Incident Response Plan | Principle 13

MP Media Protection

Control | Name | BCBS 239 References
MP-02 | Media Access | Principle 11
MP-03 | Media Labeling | Principle 11
MP-04 | Media Storage | Principle 11
MP-05 | Media Transport | Principle 11

PL Planning

Control | Name | BCBS 239 References
PL-01 | Security Planning Policy and Procedures | Principle 1
PL-02 | System Security Plan | Principles 1, 8, 9
PL-04 | Rules of Behavior | Principle 1
PL-08 | Security and Privacy Architectures | Principles 2, 6
PL-09 | Central Management | Principle 1

PM Program Management

Control | Name | BCBS 239 References
PM-01 | Information Security Program Plan | Principle 1
PM-02 | Information Security Program Leadership Role | Principle 1
PM-03 | Information Security and Privacy Resources | Principle 1
PM-04 | Plan of Action and Milestones Process | Principle 13
PM-05 | System Inventory | Principles 4, 8
PM-06 | Measures of Performance | Principle 12
PM-07 | Enterprise Architecture | Principles 2, 6
PM-09 | Risk Management Strategy | Principles 1, 5, 8, 9, 12, 13
PM-10 | Authorization Process | Principles 1, 12, 13
PM-11 | Mission and Business Process Definition | Principles 3, 4, 8
PM-12 | Insider Threat Program | Principle 11
PM-13 | Security and Privacy Workforce | Principle 1
PM-14 | Testing, Training, and Monitoring | Principles 1, 10
PM-15 | Security and Privacy Groups and Associations | Principle 14
PM-16 | Threat Awareness Program | Principle 14
PM-18 | Privacy Program Plan | Principle 6
PM-28 | Risk Framing | Principle 1
PM-29 | Risk Management Program Leadership Roles | Principle 1
PM-30 | Supply Chain Risk Management Strategy | Principle 1
PM-31 | Continuous Monitoring Strategy | Principles 1, 10

PS Personnel Security

Control | Name | BCBS 239 References
PS-01 | Personnel Security Policy and Procedures | Principle 1
PS-02 | Position Categorization | Principle 1
PS-07 | Third-Party Personnel Security | Principle 1

PT Personally Identifiable Information Processing and Transparency

Control | Name | BCBS 239 References
PT-03 | Personally Identifiable Information Processing Purposes | Principle 4
PT-05 | Privacy Notice | Principle 11

RA Risk Assessment

Control | Name | BCBS 239 References
RA-01 | Risk Assessment Policy and Procedures | Principle 1
RA-02 | Security Categorization | Principles 4, 8
RA-03 | Risk Assessment | Principles 1, 6, 8
RA-07 | Risk Response | Principles 6, 13
RA-09 | Criticality Analysis | Principles 4, 8

SA System and Services Acquisition

Control | Name | BCBS 239 References
SA-03 | Life Cycle Support | Principles 2, 6
SA-04 | Acquisitions | Principle 4
SA-05 | Information System Documentation | Principle 2
SA-08 | Security Engineering Principles | Principles 2, 6
SA-09 | External Information System Services | Principle 14
SA-10 | Developer Configuration Management | Principle 3
SA-11 | Developer Security Testing | Principles 3, 7
SA-15 | Development Process, Standards, and Tools | Principle 6
SA-17 | Developer Security and Privacy Architecture and Design | Principles 2, 6

SC System and Communications Protection

Control | Name | BCBS 239 References
SC-02 | Application Partitioning | Principle 2
SC-03 | Security Function Isolation | Principle 2
SC-04 | Information Remnance | Principle 2
SC-05 | Denial of Service Protection | Principle 5
SC-06 | Resource Priority | Principle 5
SC-07 | Boundary Protection | Principle 2
SC-08 | Transmission Integrity | Principles 3, 11
SC-10 | Network Disconnect | Principle 5
SC-13 | Use of Cryptography | Principles 3, 11
SC-16 | Transmission of Security Parameters | Principles 3, 7
SC-22 | Architecture and Provisioning for Name / Address Resolution Service | Principle 2
SC-24 | Fail in Known State | Principle 5
SC-28 | Protection of Information at Rest | Principles 2, 3

SI System and Information Integrity

Control | Name | BCBS 239 References
SI-01 | System and Information Integrity Policy and Procedures | Principle 3
SI-04 | Information System Monitoring Tools and Techniques | Principle 10
SI-06 | Security Functionality Verification | Principles 3, 7
SI-07 | Software and Information Integrity | Principles 3, 7
SI-10 | Information Accuracy, Completeness, Validity, and Authenticity | Principles 3, 7
SI-11 | Error Handling | Principles 3, 7, 9
SI-12 | Information Output Handling and Retention | Principles 2, 4
SI-13 | Predictable Failure Prevention | Principle 5
SI-15 | Information Output Filtering | Principles 3, 7, 9
SI-17 | Fail-safe Procedures | Principle 5