What People and Departments within the Organization Will Be Involved in Governance, Risk Management, Controls Implementation and Assessment Process?
CyMetric promotes collaboration and accountability in the management of cybersecurity compliance programs. One of the key elements for success in any cybersecurity program is a cross-functional view of risk and operational efficiency. The goal of a cyber program is to balance the ability to execute effectively on the organization's mission against adequate protection of its environment, aligned with the organization's risk tolerances. The risk profile and tolerances of an organization are ideally derived from a cross-functional, cross-departmental team of organizational leaders who share in the definition and modeling of the cyber program. The Governance Team works together to align the mission of the organization with the risk it is willing to absorb, or the protections it feels it needs to have in place to operate securely and efficiently. Price Waterhouse Coopers defines cyber governance as "a strategic view of how an organization controls its security, including defining its risk appetite, building accountability frameworks, and establishing who is responsible for making decisions." Having a cross-organization entity define strategy, communicate risk, set standards, and support the execution of the overall program is essential to the success of the program and to the cultural adaptation a cyber program asks of the organization. The Governance Team may not be responsible for the day-to-day tactical execution of the program, but it is responsible for the strategy behind it as well as for communicating its progress to stakeholders.
Tactically, CyMetric enables the definition of people, committees, vendors or partners who will be responsible for various parts of the regulatory compliance management process. Below are some questions to ask as you get started:
1. Who is responsible for the data that resides in each of the information systems you will be entering into CyMetric (business owner)? This can vary by information system.
2. Who is responsible for the technical management (uptime, performance, etc.) of the information systems you will be entering into CyMetric (technical owner)? This can vary by information system.
3. Who will be responsible for the implementation of compliance controls and ensuring they are working to meet objectives (implementation owner)? This can vary by information system, control family or other subject matter expertise.
4. Who will approve the compliance program policy documents (Program Policy and Control Family Policies) provided by CyMetric?
All of the entities you have identified by the questions above should be entered into the system so they can be assigned responsibility or functions within CyMetric.
What Data Types Do You Retain and Where Does It Reside Within Your Information System Architecture?
The specific data types that reside within your network and information systems drive the behaviors your organization must adopt in order to comply with regulations. It is therefore critical to understand what data types your company may capture and retain, and the corresponding systems in which that information may reside that are subject to regulatory scrutiny. The classifications assigned can always be changed later to reflect a change in thinking about the assignments.
1. What information systems does your company have and manage as part of your day-to-day operations (these can be on-premises or cloud-based systems)? An information system can be defined as a system that is tasked with certain business functions and is generally bound by a security perimeter or boundary. A system may span several physical servers but has discrete controls or security parameters that are specific to that system. CyMetric supports inventorying both logical and physical systems (servers, routers, switches, IoT devices, etc.).
2. What types of data are contained within your information systems? The same data types may be found in multiple information systems. Generally, the more granular you are with your data types, the better you will be able to respond to a security incident. However, "macro" data types that group a number of individual data types are also acceptable, so long as this is documented effectively.
3. How would you classify your data in terms of its value to your organization in the following contexts:
a. Confidentiality: What would be the impact to your organization (high, moderate or low impact) if there were unauthorized access to or an external breach of the data type? For example, if your company's Human Resources system were breached by an unauthorized actor, how would that impact your business? Each data type will need to be considered in this context. The impact will vary by information type.
b. Integrity: What would be the impact to your organization (high, moderate or low impact) if the integrity or accuracy of the data were compromised in any way? For example, if your organization stores financial account numbers and those account numbers were changed, modified or otherwise altered, how would it impact your business? Each data type will need to be considered in this context. The impact will vary by information type.
c. Availability: What would be the impact to your organization (high, moderate or low impact) if the data were rendered unavailable to your organization? For example, if your Enterprise Resource Planning system became unavailable (e.g. server crash, held for ransom, etc.), how would it impact your business? Each data type will need to be considered in this context. The impact will vary by information type.
This data classification can be a challenge as you begin to work with CyMetric. The classification should not be made in a vacuum but should have multiple perspectives to ensure a realistic classification can be made. Please keep in mind that these classifications can be changed as perspectives change or supplemental input is provided regarding the classifications.
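The inventory and classification questions above, worked through as an added example (not CyMetric's own code or data model). It assumes a system's impact for each objective is the highest impact of any data type it holds, and that its overall level is the highest of the three objectives (the "high water mark" rule used in FIPS 199); the systems, owners and ratings are constructed samples.

```python
from dataclasses import dataclass

# Impact levels from the classification questions, ranked so max() picks the highest.
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}

def highest(levels):
    return max(levels, key=IMPACT_RANK.__getitem__)

@dataclass(frozen=True)
class DataType:
    name: str
    confidentiality: str  # impact of unauthorized access or breach
    integrity: str        # impact of the data being altered
    availability: str     # impact of the data being unavailable

    def __post_init__(self):
        for level in (self.confidentiality, self.integrity, self.availability):
            if level not in IMPACT_RANK:
                raise ValueError(f"{self.name}: unknown impact level {level!r}")

@dataclass
class InformationSystem:
    name: str
    business_owner: str   # responsible for the data (question 1 above)
    technical_owner: str  # responsible for uptime and performance (question 2)
    data_types: list

    def categorize(self) -> dict:
        """Per-objective high-water mark across the system's data types (assumed rule)."""
        if not self.data_types:
            raise ValueError(f"{self.name}: no data types inventoried")
        result = {obj: highest(getattr(d, obj) for d in self.data_types)
                  for obj in ("confidentiality", "integrity", "availability")}
        result["overall"] = highest(result.values())
        return result

def systems_holding(systems, data_type_name):
    """Systems in which a data type resides; one type may live in several."""
    return sorted(s.name for s in systems
                  if any(d.name == data_type_name for d in s.data_types))

# Constructed sample inventory; owners, systems and ratings are illustrative only.
EMPLOYEE_PII = DataType("employee PII", "high", "moderate", "low")
ACCOUNT_NUMBERS = DataType("financial account numbers", "high", "high", "moderate")
ORDER_HISTORY = DataType("order history", "moderate", "moderate", "high")
INVENTORY = [
    InformationSystem("HR system", "VP HR", "IT ops", [EMPLOYEE_PII]),
    InformationSystem("ERP", "CFO", "IT ops", [ACCOUNT_NUMBERS, ORDER_HISTORY]),
    InformationSystem("payroll", "CFO", "payroll vendor", [EMPLOYEE_PII, ACCOUNT_NUMBERS]),
]
```

Re-rating a single data type re-rates every system that holds it, which is why the page recommends granular data types and revisiting the classifications as perspectives change.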