The cybersecurity program strategy is updated periodically and according to defined triggers, such as business changes, changes in the operating environment, and changes in the threat profile (THREAT-2e)
The organization should have a documented process to ensure that certain types of changes trigger an update of the cybersecurity program strategy. A business change that would necessitate an update is one that increases the business's exposure to cyber events, such as entering a new line of business. A change in the operating environment that might necessitate an update is the acquisition of a new customer management system that uses sensitive information. For a utility company, a change in the threat profile that might necessitate an update is threat reporting that indicates increased cyber-attack activity targeting utilities.
Related Practices
· Dependency: Implementing this practice depends upon prior implementation of THREAT-2e.
· Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: PROGRAM-1a, PROGRAM-1b, PROGRAM-1c, PROGRAM-1d, PROGRAM-1e, PROGRAM-1f, PROGRAM-1g, PROGRAM-1h.