Lesson 1
Initiative: Identity, Access, and Privilege Management — objectives, stakeholders, implementable controls (SSO, MFA, least privilege, PAM), KPIs (stale privileged accounts, MFA coverage)
This section defines the identity, access, and privilege initiative, laying out objectives, key stakeholders, and implementable controls, while establishing practical KPIs to track access risk, privilege misuse, and timely authentication coverage.
Topics:
Defining initiative scope and business alignment
Stakeholder roles across IT, HR, and business units
SSO and MFA rollout strategy and governance
Least privilege, RBAC, and PAM control design
KPIs for stale accounts and MFA coverage

Lesson 2
Initiative: Cloud Security and Configuration Management — objectives, owners, baseline controls (CSPM, IaC scanning, storage hardening), KPIs (misconfiguration counts, time-to-remediate)
This section defines the cloud security and configuration management initiative, specifying ownership, baseline controls, and tooling. It explains how to use CSPM, IaC scanning, and hardening standards, and KPIs that track misconfigurations and remediation speed.
Topics:
Cloud security ownership and accountability model
Baseline policies for multi-cloud environments
CSPM deployment and alert tuning
IaC scanning in build and deployment stages
KPIs for misconfigs and remediation time

Lesson 3
Initiative: Secure Software Development and DevSecOps — objectives, stakeholders, CI/CD integration points (SAST, DAST, SCA), KPIs (vulnerabilities introduced per release, mean time-to-remediate)
This section describes the secure software development and DevSecOps initiative, balancing objectives with delivery speed, defining stakeholders, embedding security into CI/CD, and selecting KPIs that track vulnerability trends, remediation times, and pipeline security quality.
Topics:
Objectives balancing speed and security
RACI for engineering, security, and product
Security gates in CI/CD pipelines
SAST, DAST, and SCA integration strategy
KPIs for defects, MTTR, and release risk

Lesson 4
Initiative: Enterprise Risk Management — objectives, stakeholders, risk register design, acceptance criteria, and KPIs (top risks tracked, residual risk levels)
This section lays out the framework for the enterprise risk management initiative, connecting security with business risk. It covers objectives, stakeholders, risk register design, scoring, acceptance criteria, and KPIs that track top risks, trends, and residual exposure levels.
Topics:
Aligning cyber risk with enterprise risk appetite
Risk register structure and taxonomy
Qualitative and quantitative risk scoring
Risk acceptance, transfer, and mitigation
KPIs for top risks and residual exposure

Lesson 5
Initiative: Compliance and Audit Readiness (ISO 27001, SOC 2, GDPR) — objectives, stakeholders, control mapping, KPIs (audit findings, control maturity)
This section defines the compliance and audit readiness initiative (ISO 27001, SOC 2, GDPR), covering objectives, stakeholders, control mapping, and KPIs for audit findings and control maturity.
Topics:
Regulatory and customer requirement mapping
Control framework selection and scoping
Evidence collection and documentation
Internal audits and readiness assessments
KPIs for findings and control maturity

Lesson 6
Initiative: Security Awareness, Culture, and Enablement — objectives, stakeholders, program components, KPIs (phishing rate, training completion, security champion coverage)
This section outlines the security awareness, culture, and enablement initiative, defining objectives, audiences, and ownership. It covers program components, champions, behavior change, and KPIs such as phishing rate, training completion, and engagement.
Topics:
Program goals and target behaviors
Stakeholders in HR, comms, and leadership
Training formats and content strategy
Security champions and local advocates
KPIs for phishing, training, and culture

Lesson 7
Initiative: Third-Party and Supply Chain Risk Management — objectives, stakeholders, assessment cadence, KPIs (third-party risk scores, contractual remediation SLAs)
This section describes the third-party and supply chain risk initiative, defining objectives, owners, and assessment cadence. It explains screening, ongoing monitoring, contracts, and KPIs for vendor risk scores and remediation SLAs.
Topics:
Vendor inventory and criticality tiers
Pre-contract due diligence and screening
Ongoing assessments and monitoring
Security clauses and remediation SLAs
KPIs for vendor risk and closure time

Lesson 8
Initiative: Incident Response and Crisis Management — objectives, stakeholders, playbooks, tabletop cadence, KPIs (MTTR, time-to-detect, incident cost estimates)
This section defines the incident response and crisis management initiative, specifying objectives, stakeholders, and governance. It covers playbook design, tabletop cadence, communications, and KPIs such as MTTR, time to detect, and incident cost estimates.
Topics:
IR objectives and executive sponsorship
Roles, RACI, and escalation paths
Playbook development and maintenance
Tabletop exercises and lessons learned
KPIs for MTTR, detection, and impact