The information security model canvas

Cyber security programs, visualized.

The Information Security Model Canvas (ISMC) provides a structured view of the components of an information security program, enhancing information security awareness and effectiveness by visualizing the program regardless of size, complexity, or maturity.

The ISMC enables understanding and navigation of the program. The Model reflects the program description document and governance.

The ISMC can assist in identifying what is in place, what may be missing, and where action may be needed.

The Value of the ISMC?

The Model helps:

  • Build strong and widespread awareness of the entire program
  • Visualize the structure of the program
  • Provide a common foundation for communication and planning
  • Isolate:
    • what’s needed,
    • the operational needs, and
    • how well it’s working
  • Identify gaps and areas for improvement
  • Enable peace of mind

The Model details follow below. If you want to implement or improve a cyber security program, you can follow the steps on the Getting Started page.


Each object in the detailed Model, shown and then described below, represents a part of the program.

The model structures these elements to keep the business objectives and the whole program focused on what to protect, how to respond and recover, and how to prioritize sustaining and improving the program.

The Details …


Business Architecture

Documenting your capabilities, value streams, and organization structures to align your cyber security program to your business.

Documenting your business architecture helps keep your business and security objectives aligned and prioritized.


Security Strategy

Information security strategy provides direction and priorities for protecting information and operations. It sets the foundation for the overall security program.

An information security strategy defines objectives and sets guardrails for decisions across operations, response, and governance. Strategy helps align controls with business needs, risk tolerance, and known threats. Strategy also guides response and recovery by clarifying roles and ensuring key resources are ready.


Business Security Objectives

What the cyber security program is to accomplish or how it can be made more effective.

Describing your vision and security roadmap helps focus and manage your cyber defense activities.


Security Program Objectives

The specific tasks and projects to develop, sustain, and improve your cyber security program.

Setting and keeping improvement focused on the important assets and risks.


Compliance, Audit, Regulators

Maintaining evidence of the program’s effectiveness. Activities and documentation about the state of the program to show its strengths and areas for improvement. Any legal or regulatory requirements your business must meet.

Compliance ensures adherence to security standards and legal requirements. Audits verify controls and identify gaps for improvement. Regulators set expectations, making compliance essential for risk management and trust.

Funding, Program Management

Information security requires funding, coordination, and oversight to succeed. Addressing how resources are allocated to the program and how delivery is managed across time, scope, and operational needs.

Program management ensures that security work is structured, tracked, and aligned with business priorities. This includes budgeting, planning, assigning responsibility for initiatives, and maintaining visibility into progress, risks, and change.


Program Description

The primary parts of the business’s cyber security focus: the technical, administrative, and physical controls and the governance your business needs to develop, communicate, and keep the program effective. The policies, standards, and procedures that are the program.

Developing a structure for the elements of your cyber security program enhances management and effectiveness. The elements can be maintained as a set of documents or in an online repository, but they should be written down.


Controls

The things in place to protect your business.

Controls are the measures used to reduce risk and protect information, systems, and operations. They can be technical, like passwords and firewalls, or procedural, like training and approval steps. Good controls are practical, repeatable, and aligned with the threats a business is likely to face. Choosing the right controls depends on the value of assets and the level of risk that’s acceptable. Effective controls don’t need to be complex. They just need to work and be used consistently.


Data Management

How data is used and protected.

Data is at the core of every modern business. Managing it means knowing what data you collect, where it lives, who accesses it, and how it’s protected. Effective data management ensures that sensitive records are stored securely, backed up, retained appropriately, and shared only with trusted parties, reducing risk and supporting privacy, compliance, and recovery efforts.


Supply Chain

Suppliers and other entities that you interact with.

Third parties introduce additional risk, requiring vetting and continuous monitoring to ensure they meet security standards.


Endpoints & Infrastructure

Endpoints – Typically, the computers you or your team use. Endpoints are critical assets that must be secured to prevent unauthorized access and data breaches.

Infrastructure – Other technology components used in your business. Infrastructure forms the backbone of the organization’s operations and requires robust protection to ensure availability and resilience.


Information Risks *

Identifying the risks to the information assets.

Managing the risks to your information assets and developing response plans for potential events dramatically improves your security posture and your capability to get your business back up quickly and inexpensively after an incident.


Information Assets *

The information that your business uses. The crown jewels to consider and protect. The primary focus of information risk management.

Identifying, documenting, managing, and monitoring your information assets is a key step to develop a cyber security program.

* If you do nothing else, at least do something for these two (and malware control).


Core Practices

Core practices are the everyday actions that keep your security program working.

Core practices support and sustain your cybersecurity program. They include things like updating software, managing user access, training staff, and watching for unusual activity. Together they build a strong foundation of protection. Core practices are most effective when they’re simple, consistent, and part of regular operations. Focusing on a few key practices done well can significantly reduce risk over time.


Policy

Developing policies is essential, as they establish clear guidelines and expectations for all stakeholders.

Policies provide direction, support accountability, and help everyone understand their role in keeping the business secure. A good policy is clear, relevant, and easy to follow. Policies also support compliance with legal, contractual, or regulatory requirements. Well-written policies can reduce confusion and guide consistent action.


Physical Security

Building security and policies for handling physical assets.

Protecting your business means more than digital safeguards. Physical security includes locks, alarms, surveillance, and access controls, all aimed at keeping your equipment, records, and workspaces safe. Clear policies for handling devices, storage, and facility access help ensure that sensitive information stays protected from theft, damage, or unauthorized use.


Users

The people inside your business who interact with systems and data.

Users play a key role in protecting information. Their actions, intentional or not, can introduce risk or strengthen security. Clear guidance, training, and appropriate access help users make safe choices and reduce mistakes. Users should understand the value of the information they handle and their role in keeping it secure. Supporting users with good tools and clear expectations can make security a part of everyday work.


Customers

The people who trust you with their information and services.

Customers expect their data to be protected and their experience to be reliable. Information security is key to building Digital Trust, the confidence that their information is safe and their interactions are secure. A strong security posture helps prevent breaches that can harm customers and damage your reputation. Being clear about how customer data is handled and protected supports transparency and trust. Businesses can build Digital Trust by showing they take security seriously.


Response

Response includes the actions taken when an incident or disruption occurs. Effective response limits damage, supports recovery, and protects operations.

Planning and rehearsing response actions improves confidence and reduces impact.


Recovery

Recovery focuses on restoring systems, data, and operations after a disruption. A clear recovery plan reduces downtime, limits financial loss, and supports business continuity.

Regular backups, tested procedures, and defined roles strengthen recovery capability.


Threats

Threats include phishing, ransomware, insider risks, weak passwords, unpatched systems, supply chain disruption, insecure access, and data leaks.

Identifying and analyzing your threats focuses defenses and funding.


Vulnerabilities

Vulnerabilities include weak passwords and authentication, unpatched software, lack of cyber security awareness training, misconfigurations, third parties, device theft, and inadequate backups.

Addressing these can prevent financial or data losses, disruptions, and reputational damage.