Governance

Regulating cybersecurity in an organization via policies and frameworks

Governance by Mind Map: Governance

1. [Document Lifecycle]

1.1. Scope/Purpose

1.2. Research regulations and best practices

1.3. Draft Document

1.4. Review <-> Approval

1.5. Implementation & Communication

1.6. Review & Update

2. *Directing/managing a system to achieve a (compliance) objective*

3. {Processes}

3.1. InfoSec Strategy

3.1.1. Align w/ business objectives

3.2. Policies/Procedures

3.2.1. Re: use and protection of information assets

3.3. Risk management

3.3.1. assess and implement mitigations

3.4. Performance Measurement

3.4.1. Metrics/KPIs

3.5. Assess compliance

3.5.1. Re: regulations & best practices

4. {Frameworks}

4.1. Policies

4.1.1. Statement of goals and principles for achieving target objectives

4.2. Standards

4.2.1. Specific requirements for process/product/service

4.3. Guidelines

4.3.1. Best practices (non-mandatory)

4.4. Procedures

4.4.1. Specific steps for processes

4.5. Baselines

4.5.1. Minimum necessary requirements

5. ./Policy Document

5.1. Identify resource

5.2. Define requirements

5.3. Define usage guidelines

5.4. Define protection guidelines

5.5. Define change management guidelines

5.6. Communicate Policy

5.7. Monitor Effectiveness

6. ./Procedure Document

6.1. Identify process

6.2. Identify or define cases (branching points)

6.3. Define roles and responsibilities

6.4. Detail steps for each case

6.5. Report/record steps and results

6.6. Communicate results

6.7. Identify gaps and update accordingly

7. ./GRC Program

7.1. Scope/objectives

7.2. Risk assessment

7.3. Create policies/procedures

7.4. Establish Governance

7.5. Implement Controls

7.6. Monitor/measure performance

7.7. Feedback & Update

8. ./Discovery+

8.1. Understand Data Flows

8.2. System dependencies

8.3. Potential Vulnerabilities

8.4. Map to assets and risks

8.5. Manage access control

8.6. Monitor

9. {NIST 800-53}

9.1. Administrative Controls

9.2. Technical Controls

9.3. Physical Controls

9.4. Strategic Controls

9.5. Necessary Subcontrols

9.5.1. System Inventory

9.5.2. Critical Infrastructure Plan

9.5.3. Authorization Process

9.5.4. Risk Management Strategy

9.5.5. Privacy Program

9.5.6. Data Governance

9.5.7. Data Integrity

9.5.8. Threat Intelligence Automation

9.5.9. InfoSec workforce

9.5.10. Enterprise Architecture

9.5.11. Insider Threat Program