Virtual Cyber Security Manager (vCSM)
The Virtual Cyber Security Manager (CSM) is designated by an organization's senior management to manage the Company's cybersecurity program. The CSM establishes, documents, and monitors the cybersecurity program implementation plan and ensures compliance with Company policies. CSMs must possess a working knowledge of both cybersecurity policy and technical cybersecurity protection measures. The CSM may also serve as the Authorizing Official (AO) for all cybersecurity-related issues.
Level 1: Program Establishment
Designed for small companies or those that are just starting to establish their cybersecurity goals.
- Develop and maintain an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures.
- Ensure that the information owners and stewards associated with Company information received, processed, stored, displayed, or transmitted on each IT/IS are identified, in order to establish accountability, access approvals, and special handling requirements.
- Maintain a repository for all organizational or system-level cybersecurity-related documentation.
- Ensure that cybersecurity inspections, tests, and reviews are synchronized and coordinated with affected parties and organizations.
- Monitor compliance with cybersecurity policy, as appropriate, and review the results of such monitoring.
- Ensure implementation of IT/IS security measures and procedures, including reporting incidents to the CIO/AO and appropriate reporting chains and coordinating system-level responses to unauthorized disclosures.
- Ensure that possible or actual data breaches involving information resident on IT/ISs are handled thoroughly and in accordance with Company policies and regulatory requirements.
- Act as the primary cybersecurity technical advisor to the CIO/CTO/IT Director for IT/IS under their purview.
- Ensure that cybersecurity-related events or configuration changes that may impact IT/IS security posture are formally reported to the CIO/AO and other affected parties, such as information owners and stewards and CIO/AOs of interconnected systems.
- Ensure the secure configuration and approval of IT below the system level (i.e., products and IT services) in accordance with applicable guidance prior to acceptance into, or connection to, an IT/IS.
- Initiate protective or corrective measures when a cybersecurity incident or vulnerability is discovered and ensure that a process is in place for authorized users to report all cybersecurity-related events and potential threats and vulnerabilities.
- Ensure that all IT/IS cybersecurity-related documentation is current and accessible to properly authorized individuals.
Level 2: Program Enhancement
Designed for companies that have already begun working toward their cybersecurity goals.
- Maintain an organizational or system-level cybersecurity program that includes cybersecurity architecture, requirements, objectives and policies, cybersecurity personnel, and cybersecurity processes and procedures.
- Act as the primary cybersecurity technical advisor to the CIO/CTO/IT Director for IT/IS under their purview.
- Monitor compliance with cybersecurity policy, as appropriate, and review the results of such monitoring.
- Ensure that cybersecurity inspections, tests, and reviews are synchronized and coordinated with affected parties and organizations.
- Ensure implementation of IT/IS security measures and procedures, including reporting incidents to the CIO/AO and appropriate reporting chains and coordinating system-level responses to unauthorized disclosures.
- Ensure that the information owners and stewards associated with Company information received, processed, stored, displayed, or transmitted on each IT/IS are identified, in order to establish accountability, access approvals, and special handling requirements.
- Ensure that possible or actual data breaches involving information resident on IT/ISs are handled thoroughly and in accordance with Company policies and regulatory requirements.
- Ensure that cybersecurity-related events or configuration changes that may impact IT/IS security posture are formally reported to the CIO/AO and other affected parties, such as information owners and stewards and CIO/AOs of interconnected systems.
- Ensure the secure configuration and approval of IT below the system level (i.e., products and IT services) in accordance with applicable guidance prior to acceptance into, or connection to, an IT/IS.