The cybersecurity program strategy defines the structure and organisation of the cybersecurity program.
Context and Guidance: The program strategy should contain an organisation chart or some other descriptive document which includes the cybersecurity program’s structure, the roles in the program, and key activities associated with those roles. For example, a table could be used to describe departments (such as Security Operations Center), subfunctions within departments (such as vulnerability management), activities of the subfunction (such as scanning for, analysing, and addressing vulnerabilities), and, if applicable, any organisation that the subfunction is contracted out to (such as Corporate IT).
Related Practices
• Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: PROGRAM-1a, PROGRAM-1b, PROGRAM-1c, PROGRAM-1d, PROGRAM-1e, PROGRAM-1f, PROGRAM-1g, PROGRAM-1h.