Free preview: Cybersecurity Governance Policy

These are the genuine opening sections of one document from the NIST CSF 2.0 Complete Toolkit (15 documents total). The amber [placeholders] are what you customize — everything else is ready to use.

Cybersecurity Governance Policy

Purpose. This policy establishes how [Company Name] directs, oversees, and continually improves its cybersecurity program. It defines the organizational context that informs cybersecurity decisions, assigns leadership accountability, establishes the cybersecurity policy framework, and sets a recurring oversight cadence consistent with the GOVERN function of the NIST Cybersecurity Framework 2.0. The policy ensures cybersecurity risk is managed as an enterprise risk alongside financial, operational, and legal risk.

Organizational Context

[Company Name] maintains a documented understanding of the business context in which cybersecurity decisions are made. The [Cybersecurity Program Lead] must prepare, and the [Executive Sponsor] must approve, an organizational context statement. The [Cybersecurity Program Lead] must review and update the statement at least annually and within [30] calendar days of any material change to the business, such as a new service line, an acquisition, or a significant new customer or regulatory obligation.

The organizational context statement must address, at minimum, the elements in the table below. Critical dependencies on suppliers and service providers must be managed in accordance with the Cybersecurity Supply Chain Risk Management Policy, and the resulting obligations must feed the risk assessment process defined in the Cyber Risk Management Strategy and Procedure.

Leadership Commitment and Accountability

Executive leadership of [Company Name] is accountable for cybersecurity risk. The [Owner/Chief Executive] must designate in writing a [Cybersecurity Program Lead] with documented authority to implement this policy, and an [Executive Sponsor] who represents cybersecurity at the leadership level. Detailed duties for these and all other roles are defined in the Cybersecurity Roles and Responsibilities policy.

Leadership must demonstrate commitment through specific, verifiable actions:

  • Approving this policy and all subordinate cybersecurity policies at least annually, evidenced by recorded name and approval date.
  • Allocating an annual cybersecurity budget covering personnel time, tooling, training, and third-party services, approved no later than [30] days before the start of each fiscal year.
  • Reviewing the cybersecurity program performance report at each quarterly leadership meeting and recording decisions and action items in meeting minutes.
  • Including cybersecurity objectives in the performance goals of managers who own systems or data.

Governance Structure and Oversight Cadence

Cybersecurity governance at [Company Name] is exercised through the bodies and cadence described below. Where headcount does not support a separate committee, the [Executive Sponsor] must ensure the listed responsibilities are performed within existing leadership meetings and documented as a distinct agenda item with its own minutes.

Cybersecurity Policy Framework

This policy is the apex document of the cybersecurity policy framework. Subordinate policies, procedures, plans, and standards must be consistent with this policy; where a conflict exists, this policy prevails and the [Cybersecurity Program Lead] must resolve the conflict within [30] days of identification.

The framework consists of the following documents, each owned by the [Cybersecurity Program Lead] unless ownership is otherwise assigned within the document itself:

  • Cybersecurity Roles and Responsibilities
  • Cyber Risk Management Strategy and Procedure
  • Cybersecurity Supply Chain Risk Management Policy
  • Asset Management Policy
  • Cybersecurity Improvement Procedure
  • Identity and Access Management Policy

— Preview ends. The full document continues beyond this point, and the toolkit contains 14 more documents. —

Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.