As we come to the end of Stage 2 of this framework, you should by now have a solid working plan for your organization's new cybersecurity program. Before moving on to Stage 3, where you will begin implementing new security controls, you need to draft a Program Charter. The charter is the main organizational document for the cybersecurity program: it is the company's formal commitment to protect the Confidentiality, Integrity, and Availability of company and customer data. The charter is often published on the company website and circulated throughout the workplace, so that employees are reminded of the program's high-level goals and of how those goals apply to their day-to-day work.
The program charter for your cybersecurity program should be drafted following the structure outlined below.
- Scope Statement: Lists each area covered by the cybersecurity program (the systems, data, locations, and personnel it applies to), so that there is no ambiguity about what is and is not in scope.
- Business Purpose: Maps the objectives of the cybersecurity program to business missions and objectives.
- Statement of Authority: Names the individual in your business who holds ultimate responsibility for the effectiveness of the cybersecurity program. If you are the business owner, this could be you. You can instead designate the Steering Committee as the highest authority for cybersecurity if you want the program to be run more collectively; if you do, name the committee's chair as well, so that accountability still rests with an identifiable person.
- Roles & Responsibilities: This section lists the stakeholders who have a responsibility for the success of the cybersecurity program. You should have determined these earlier in Stage 2 and can summarize them here.
- Governance Structure & Processes: These are the methods you and your Steering Committee will use to make sure the cybersecurity program stays aligned with your business missions and objectives.
- Program Documentation Procedures: Describes how security documents (policies, standards, and procedures) and other program information are maintained and shared across your internal environment, including where the authoritative copies are kept and how updates are communicated.
- Enforcement Mechanisms: Describes how compliance with the program's governance will be monitored and enforced on an ongoing basis, and what consequences apply to non-compliance. This section also gives customers and other external entities assurance that the program is actually enforced rather than merely documented.
- Review Process: Describes the reviews performed regularly to ensure that the cybersecurity program stays up to date and aligned with business objectives. These methods are covered extensively in Stage 4 of this framework and include an annual Audit and Gap Analysis, as well as an immediate audit following any security incident.
- Approval Statement: This final section clearly states the authority under which the program is enacted and supervised, and is typically signed and dated by that person. This is usually the business owner, but depending on the organizational structure of your business, it could be a different administrative role.
Once you have completed the program charter, make sure it is distributed to the necessary parties and locations. It should be provided to each stakeholder in your cybersecurity program, as well as to any IT staff employed in your organization. A copy of the charter should also be published on the company website and on any customer portals or other sites where cybersecurity assurances are wanted. The public copy need not include internal specifics such as the names of individual staff or internal procedures; the scope, business purpose, and enforcement commitments are what external readers need to see.
