The fourth element of IT Governance’s Cyber Resilience Framework includes activities for the board and senior managers to ensure that cyber resilience is overseen and validated from the top of the organization.
It should cover:
Comprehensive risk management program
A systematic and ongoing process of identifying, assessing, and responding to cyber and information security risks. This is a fundamental competence for any effective cybersecurity or cyber resilience framework, and it determines how and when the other processes are applied.
Certification to international standards or established cybersecurity frameworks provides external validation of your organization’s cybersecurity and resilience, and can give customers and other stakeholders assurance. In some cases, third parties may require compliance audits or validation under a specific scheme.
A program of regular audits assesses the organization’s information security controls, and the results are reviewed as part of the senior management review.
Board-level commitment and involvement
The board endorses, supports, and participates in the cybersecurity strategy, and receives regular updates on security issues, risks, and compliance.
Governance structure and processes
The organization has clear governance structures and defined lines of responsibility and accountability to oversee its cybersecurity and resilience processes. This might include organizing different elements of the framework into functions overseen by an accountable director or governance committee.
Continual improvement process
A process to continually review and improve the organization’s security measures, and to adapt to the changing threat landscape. This might include adopting well-known improvement models such as PDCA (Plan-Do-Check-Act), ITIL®’s Continual Service Improvement or COBIT®’s continual improvement lifecycle.
The extent to which you implement these measures will depend on your own environment and compliance requirements.