The following descriptions of each Domain will help in deciding who should be assigned as the Curator for each Domain:
Risk Management (RM)
- What it is: RM focuses on the strategies, practices, and policies of cyber risk management. Many of the Assessment Questions probe practices that are common in operational risk management and test the degree to which those practices are applied to cybersecurity. Other Assessment Questions focus on collaboration between risk managers and other functions within the organization.
- Who owns it: Ideally, a Chief Risk Officer or equivalent position. Failing that, someone whose role and experience include risk management.
Asset, Change & Configuration Management (ACM)
- What it is: ACM deals with the processes and policies that govern IT and information asset management: inventorying assets, managing their configurations, and tracking changes to them. Assessment Questions are designed to test the ability of the organization to maintain a current, fine-grained understanding of its IT and information assets. In many cases it overlaps with Risk Management (RM).
- Who owns it: Likely the CIO or an equivalent position with visibility into IT and information assets.
Identity & Access Management (IAM)
- What it is: IAM tests processes and policies related to the granting of access privileges. Assessment Questions test the rigor of procedures that assign (and, just as importantly, revoke) identities, credentials, and access levels. There is significant collaboration among IT, HR, and Risk.
- Who owns it: This function crosses the boundary between HR and IT. Ideally, HR should have a major role, and the assessment will reveal how well HR understands it. In many organizations, however, IT has more control over this function.
Threat & Vulnerability Management (TVM)
- What it is: TVM deals with processes and procedures for seeking out and addressing cybersecurity threats (largely external) and vulnerabilities (weaknesses in the organization's own systems). These are technical issues by nature, but they also rely heavily on collaboration between IT and security teams and on external entities that provide relevant threat and vulnerability information.
- Who owns it: This should be owned by the CISO, with heavy collaboration from the CIO.
Situational Awareness (SA)
- What it is: SA is a broad topic that spans technical efforts to monitor systems and communication efforts to keep the workforce informed. The efficacy of SA depends on numerous efforts in IT, security, HR, risk management, and other functions. This is a highly collaborative function that benefits from high-level oversight.
- Who owns it: Ideally, this is owned by the CISO and supported by the CIO and other executives.
Information Sharing & Communications (ISC)
- What it is: ISC deals with activities around sharing cybersecurity and event data with outside entities, such as Information Sharing and Analysis Centers (ISACs), law enforcement, and other firms or agencies that collect and disseminate cybersecurity information.
- Who owns it: The CIO, with oversight from and collaboration with General Counsel.
Event & Incident Response, Business Continuity (IR)
- What it is: IR is concerned with the development, maintenance, exercise, and dissemination of plans for detecting and responding to cybersecurity events and for sustaining operations through them. It crosses many other Domains and requires heavy collaboration among IT, security, operations, risk management, human resources, and others.
- Who owns it: The COO, or another executive with authority over IT, security, and operations.
External Dependency Management (EDM)
- What it is: EDM is concerned with managing the risks posed by external entities: partners, vendors, and customers. These relationships are a common entry point for attackers, so external entities should be rigorously vetted, both before and throughout the relationship. This Domain involves collaboration between procurement, risk management, and many others.
- Who owns it: Procurement, or another function with close oversight of vendor and partner relationships.
Workforce Management (WM)
- What it is: WM deals with human resources efforts to recruit, screen, hire, train, test, and retain a workforce with strong cybersecurity capabilities. This function depends on collaboration with the various security functions, risk management, and other departments.
- Who owns it: Head of Human Resources.
Cybersecurity Program Management (CPM)
- What it is: CPM covers executive-level oversight and sponsorship of the cybersecurity program. The goal is an organization-wide cybersecurity strategy that is led by senior executives and executed by the workforce in concert.
- Who owns it: C-level executives: the CEO, CIO, and CFO.