The cybersecurity program strategy defines the organisation’s approach to provide program oversight and governance for cybersecurity activities.
Context and Guidance: Governance is a process of providing strategic direction for the organisation while ensuring that it meets its obligations, appropriately manages risk, and efficiently uses finances and human resources to ensure that the cybersecurity program supports and sustains strategic objectives. Governance is focused on providing oversight of the cybersecurity program, not performing or managing process tasks to completion. For example, the process of overseeing the identification, definition, and inventorying of high-value assets is a governance task, while performing these tasks is part of asset management.

Program oversight and governance might be achieved through
• a formal cybersecurity oversight committee
• establishing C2M2 as standard for cybersecurity program evaluation
• identifying and documenting the areas of the organisation and the assets that are within the purview of the cybersecurity program and those that are not
• identifying whether data governance and data protection are to be managed as part of the cybersecurity program or separately

Related Practices
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: PROGRAM-1a, PROGRAM-1b, PROGRAM-1c, PROGRAM-1d, PROGRAM-1e, PROGRAM-1f, PROGRAM-1g, PROGRAM-1h.