The organisation has a cybersecurity program strategy, which may be developed and managed in an ad hoc manner
Context and Guidance: The organisation develops, implements, and maintains a cybersecurity program strategy that, in its simplest form, includes a list of cybersecurity objectives and related actions, activities, and tasks and a plan to implement them. For a C2M2-based program, areas of activity in the strategy could align with C2M2 domains and objectives. For example, one area of activity would be identifying and responding to cyber risks that affect the function’s assets and services. Further detail would describe how this activity is to be accomplished (again, aligning with C2M2 practices, but providing more details about how the practices are to be implemented in the function, such as use of a particular risk management framework).
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: PROGRAM-1a, PROGRAM-1b, PROGRAM-1c, PROGRAM-1d, PROGRAM-1e, PROGRAM-1f, PROGRAM-1g, PROGRAM-1h.