Secure Controls Framework

What is a comprehensive security program?

Direct Answer

A Comprehensive Security Program is an organization-wide initiative designed to protect all assets (physical, information and personnel) from threats.

It integrates policies, procedures, technical controls, training and governance to manage security risks holistically.

The term “comprehensive” is subjective, since there are different levels of expectation based on industry and organization size. What might be considered comprehensive for a smaller organization would be lacking for a larger organization.

To help ensure applicability, the Integrated Controls Management model, which treats controls as the central pivot of cybersecurity and data privacy programs, provides nine (9) steps to create and maintain a comprehensive cybersecurity program:

  • Establish Context;
  • Identify Applicable Controls;
  • Define Maturity Expectations;
  • Publish Governance Documentation;
  • Assign Stakeholder Accountability;
  • Prioritize Capabilities According To Risk;
  • Maintain Situational Awareness;
  • Manage Risk; and
  • Evolve Processes.

The SCRMS is a “how to build a cybersecurity program” playbook. SCRMS is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. The SCRMS is designed to:

  • Address both internal controls and the broader concept of Supply Chain Risk Management (SCRM).
  • Focus on the need to understand and clarify the difference between “compliant” and “secure”, since that distinction is necessary for coherent risk management discussions.