Cyber Security Governance
November 2010
Cyber Prep is a conceptual framework, together with a practical methodology, which an organization uses to define and implement its strategy for addressing adversarial threats related to its dependence on cyberspace. In particular, Cyber Prep enables organizations to articulate their strategies for addressing the advanced persistent threat (APT). The Cyber Prep framework defines five levels of organizational preparedness, characterized in terms of:

- The organization's perspective on, and/or assumptions about, the threat it faces;
- The organization's strategy for addressing the threat, including which adversary tactics, techniques, and procedures (TTPs) it addresses; and
- The organization's approach to cyber security governance.

This white paper presents the governance component of Cyber Prep. As with the component that addresses technical and operational security measures, Cyber Prep expects that organizations apply sound principles for information systems security governance and make effective use of standards of good practice for security management. The cyber security governance component of Cyber Prep focuses on what organizations must do differently from, or in addition to, generally accepted information security governance practices in order to address the APT.

In Cyber Prep, the five levels of organizational preparedness entail different approaches to:

- Strategic integration. To what extent is the cyber security strategy integrated with other organizational strategies? To what extent does the strategy extend beyond the organization?
- Disciplines. What disciplines are part of, or aligned with, cyber security?
- Risk mitigation approaches. To what extent does the organization focus on compliance with standards vs. state-of-the-practice security engineering vs. state of the art?
- Adaptability / agility of cyber decision making. To what extent do governance and decision making address the concern that adversaries may target decision makers and decision processes?
- Senior engagement. What is the highest level of official or staff member within the organization actively engaged in cyber security decision making?
- Cyber risk analytics. How are threats modeled and risks contextualized and assessed?