What Is a Comprehensive Security Program?
A Comprehensive Security Program is an organization-wide initiative designed to protect all assets, physical, information and personnel, from threats. It integrates policies, procedures, technical controls, training and governance to manage security risks holistically.
The term “comprehensive” is subjective, since there are different levels of expectation based on industry and organization size. What might be considered comprehensive for a smaller organization would be lacking for a larger organization.
To help ensure applicability, the Integrated Controls Management, a model that emphasizes that controls are the central pivot in cybersecurity and data privacy programs, provides eight (8) steps to create and maintain a comprehensive cybersecurity program:
- Establish Context;
- Define Applicable Controls;
- Assign Maturity-Based Criteria;
- Publish Policies, Standards & Procedures;
- Assign Stakeholder Accountability;
- Maintain Situational Awareness;
- Manage Risk; and
- Evolve Processes.
The ICM is a “how to build a cybersecurity program” playbook. ICM is designed to proactively address the strategic, operational and tactical nature of operating an organization’s cybersecurity and privacy program at the control level. The ICM is designed to:
- Address both internal controls, as well as the broader concept of Supply Chain Risk Management (SCRM).
- Focus on the need to understand and clarify the difference between "compliant" versus "secure" since that is necessary to have coherent risk management discussions.