This group should ensure that a cyber and information security strategy and assurance programme are in place and are the responsibility of someone in the business who is at board level or equivalent.
The framework should cover:
- Management of all cyber and information security activities.
- Making sure activities are relevant to current and emerging risk and are timetabled effectively.
- Prioritising the security investments that are most relevant to the organisation.
- Compliance with relevant prevailing legislation and best practice.
- Establishing and cascading a culture of security and safety.
- Measurement against objectives.
It is vital that the framework and strategy are reviewed and, where necessary, updated either periodically (at intervals to be determined in the framework) or as needs arise. This is to allow for changes in business model, company growth, working practices, mergers and acquisitions, technology updates / upgrades, globalisation and, of course, the evolving threat landscape.