Cybersecurity and Data Protection Management

Cybersecurity & Data Privacy Principles: Execute a documented, risk-based program that supports business objectives while encompassing appropriate cybersecurity & data protection principles that address applicable statutory, regulatory and contractual obligations.

Principle Intent: Organizations specify how their cybersecurity & data protection program is developed, including the criteria used to measure its success, so that leadership engagement and risk management are sustained on an ongoing basis.


Documented evidence of a corporate-level (C-Level) organization and resourcing for a cybersecurity & data protection governance program.

Charter – Privacy Program

Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of privacy management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.

Charter – Cybersecurity Steering Committee

Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of cybersecurity management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.

Charter – Privacy Steering Committee

Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of privacy management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.

Charter – Audit Committee

Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of internal and external audit management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.

Charter – Risk Committee

Documented evidence of an executive steering committee, or advisory board, that is formed to perform oversight of risk management decisions and is comprised of key cybersecurity, technology, risk, privacy and business executives.

Charter – Data Management Board (DMB)

Documented evidence of the organization’s Data Management Board (DMB) charter and mission.

Cybersecurity & Data Protection Policies

Documented evidence of appropriately-scoped cybersecurity & data protection policies. Policies are high-level statements of management intent from an organization’s executive leadership that are designed to influence decisions and guide the organization to achieve the desired outcomes. Policies are enforced by standards and further implemented by procedures to establish actionable and accountable requirements.

Cybersecurity & Data Protection Standards

Documented evidence of appropriately-scoped cybersecurity & data protection standards. Standards are mandatory requirements regarding processes, actions and configurations. Standards are intended to be granular and prescriptive to ensure systems, applications and processes are designed and operated to include appropriate cybersecurity & data protection protections.

Cybersecurity & Data Protection Controls

Documented evidence of appropriately-scoped cybersecurity & data protection controls. Controls are technical, administrative or physical safeguards. Controls are the nexus used to manage risks by preventing, detecting or lessening the ability of a particular threat to negatively impact business processes. Controls directly map to standards, since control testing is designed to measure specific aspects of how standards are actually implemented.

Cybersecurity & Data Protection Procedures

Documented evidence of appropriately-scoped cybersecurity & data protection procedures. Procedures are a documented set of steps necessary to perform a specific task or process in conformance with an applicable standard. Procedures help address the question of how the organization actually operationalizes a policy, standard or control. The result of a procedure is intended to satisfy a specific control. Procedures are also commonly referred to as “control activities.”

Cybersecurity & Data Protection Policies & Standards Reviews

Documented evidence of a periodic review process for the organization’s cybersecurity & data protection policies and standards to identify necessary updates.

Measures of Performance (Metrics)

Documented evidence of formal measures of performance that are used to track the health of the cybersecurity & data protection program (e.g., metrics, KPIs, KRIs).

Asset Management
