Cybersecurity Program Governance and Strategy

Risks addressed by these controls:
- Inadequate security controls across the business
- Limited budgets
- Failure to identify and control risks inherent to the organization
- Inability to identify common threats within industries
- Social engineering
- Lack of security awareness and training

Controls, definitions and global frameworks referenced:

Control: Cyber Security Program Management
Definition: Organisations should establish and maintain an enterprise cybersecurity program that provides governance, strategic planning, and sponsorship for the organization's cybersecurity activities in a manner that aligns cybersecurity objectives with the organization's strategic objectives and the risk to internal infrastructure.
Global frameworks referenced: ISO 27001:2013 A.6.1.5; NIST PM

Control: Situational Awareness
Definition: Organisations should establish and maintain activities and technologies to collect, analyze, alarm, present, and use operational and cyber security information to form a common current-state view of their environment and posture.
Global frameworks referenced: NIST SP 800-53; PCI DSS 12.6; ISO 27002 16.1.6; SANS

Control: Risk Management
Definition: Organisations should establish, operate and maintain an enterprise cyber security risk management program to identify, analyze, and mitigate cyber security risk to the organization.
Global frameworks referenced: NIST RA 1,6; ISO 22301 8.2.3; CNSSI 4009; PCI DSS 5; SANS

Control: Information Sharing
Definition: Organisations should establish and maintain relationships with internal and external entities to collect and provide cybersecurity information, including threats and vulnerabilities, to reduce risks and to increase operational resilience.
Global frameworks referenced: ISO 27002 16.1.2; NIST SI 5

Control: Awareness and Training
Definition: Organisations should continuously provide adequate awareness, training and education to employees and partners to enable them to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
Global frameworks referenced: ISO/IEC 17799:2005 8.2.2; SANS CSC 9-1,5; NIST AT 1,2