# Govern

# Overview

GOVERN (GV): The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored

# Organizational Context (GV.OC)

The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood

  • GV.OC-01: The organizational mission is understood and informs cybersecurity risk management
    • Ex1: Share the organization’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission
  • GV.OC-02: Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered
    • Ex1: Identify relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)
    • Ex2: Identify relevant external stakeholders and their cybersecurity-related expectations (e.g., privacy expectations of customers, business expectations of partnerships, compliance expectations of regulators, ethics expectations of society)
  • GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed
    • Ex1: Determine a process to track and manage legal and regulatory requirements regarding protection of individuals’ information (e.g., Health Insurance Portability and Accountability Act, California Consumer Privacy Act, General Data Protection Regulation)
    • Ex2: Determine a process to track and manage contractual requirements for cybersecurity management of supplier, customer, and partner information
    • Ex3: Align the organization’s cybersecurity strategy with legal, regulatory, and contractual requirements
  • GV.OC-04: Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated
    • Ex1: Establish criteria for determining the criticality of capabilities and services as viewed by internal and external stakeholders
    • Ex2: Determine (e.g., from a business impact analysis) assets and business operations that are vital to achieving mission objectives and the potential impact of a loss (or partial loss) of such operations
    • Ex3: Establish and communicate resilience objectives (e.g., recovery time objectives) for delivering critical capabilities and services in various operating states (e.g., under attack, during recovery, normal operation)
  • GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
    • Ex1: Create an inventory of the organization’s dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions
    • Ex2: Identify and document external dependencies that are potential points of failure for the organization’s critical capabilities and services, and share that information with appropriate personnel

# Risk Management Strategy (GV.RM)

  • GV.RM-01: Risk management objectives are established and agreed to by organizational stakeholders
    • Ex1: Update near-term and long-term cybersecurity risk management objectives as part of annual strategic planning and when major changes occur
    • Ex2: Establish measurable objectives for cybersecurity risk management (e.g., manage the quality of user training, ensure adequate risk protection for industrial control systems)
    • Ex3: Senior leaders agree about cybersecurity objectives and use them for measuring and managing risk and performance
  • GV.RM-02: Risk appetite and risk tolerance statements are established, communicated, and maintained
  • GV.RM-03: Cybersecurity risk management activities and outcomes are included in enterprise risk management processes
  • GV.RM-04: Strategic direction that describes appropriate risk response options is established and communicated
  • GV.RM-05: Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties
  • GV.RM-06: A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated
  • GV.RM-07: Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions

# Roles, Responsibilities, and Authorities (GV.RR)

  • GV.RR-01: Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving
  • GV.RR-02: Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced
  • GV.RR-03: Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies
  • GV.RR-04: Cybersecurity is included in human resources practices

# Policy (GV.PO)

  • GV.PO-01: Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced
  • GV.PO-02: Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission

# Oversight (GV.OV)

  • GV.OV-01: Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction
  • GV.OV-02: The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks
  • GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed

# Cybersecurity Supply Chain Risk Management (GV.SC)

  • GV.SC-01: A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders
  • GV.SC-02: Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally
  • GV.SC-03: Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes
  • GV.SC-04: Suppliers are known and prioritized by criticality
  • GV.SC-05: Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties
  • GV.SC-06: Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships
  • GV.SC-07: The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship
  • GV.SC-08: Relevant suppliers and other third parties are included in incident planning, response, and recovery activities
  • GV.SC-09: Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle
  • GV.SC-10: Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement