The fourth element of IT Governance’s Cyber Resilience Framework includes activities for the board and senior managers to ensure that cyber resilience is overseen and validated from the top of the organisation.
This element should cover:
Comprehensive risk management programme
A systematic and ongoing process of identifying, assessing and responding to cyber and information security risks. This is a fundamental competence for any effective cyber security or cyber resilience framework, and will inform how and when the other processes are applied.
Certification to international standards or established cyber security frameworks provides external validation of your organisation’s cyber security and resilience, and can provide assurance to customers and other stakeholders. In some cases, third parties may require compliance audits or validation through a specific scheme.
A programme of regular audits assesses the organisation’s information security controls. The results are assessed as part of a senior management review.
Board-level commitment and involvement
The board endorses, supports and participates in the cyber security strategy, and receives regular updates on security issues, risks and compliance.
Governance structure and processes
The organisation has clear governance structures and defined lines of responsibility and accountability to oversee its cyber security and resilience processes. This might include organising different elements of the framework into functions overseen by an accountable director or governance committee.
Continual improvement process
A process to continually review and improve the organisation’s security measures, and to adapt to the changing threat landscape. This might include adopting well-known improvement models such as PDCA (Plan-Do-Check-Act), ITIL®’s Continual Service Improvement or COBIT®’s continual improvement lifecycle.
The extent to which you implement these measures will depend on your own environment and compliance requirements.