Ports and Facilities

10/11/2016: Building cybersecurity governance

UPDATE: The blog post below has been edited from its originally released version to better organize and communicate the key aspects of cybersecurity governance. The content, however, remains the same with minor edits.

Editor’s note: October is nationally recognized as National Cybersecurity Awareness Month. Throughout the month, Maritime Commons will feature a series of posts detailing cyber risk management in the maritime domain, focusing on governance, resiliency and defending critical infrastructure.


Cyber security governance is a conceptual framework, with a practical methodology, which an organization can use to define and implement its strategy for addressing threats and vulnerabilities related to its cyber-dependent systems. Cyber security governance enables organizations to articulate their strategies within a framework that addresses risk management, including the following:

  • Identifying roles and responsibilities of key cybersecurity personnel
  • Cybersecurity policy
  • Inventory of cyber-dependent systems
  • User awareness and training
  • Organizational resilience


Roles and responsibilities: In general, cybersecurity governance is the set of responsibilities exercised by those charged with providing strategic direction, ensuring that objectives are achieved, ascertaining that cyber risks are managed appropriately and verifying that resources are used responsibly. The development of a Cyber Risk Management Team (CRMT) is the first step in achieving a solid governance process. The CRMT membership should be a robust mix of various disciplines of the organization to ensure that all equities are represented and addressed. The primary goal of the CRMT is to ensure that all cybersecurity objectives are integrated as part of the core business processes, informing management of security priorities and strategies.

Cybersecurity policy: The CRMT should apply sound cybersecurity governance principles and make effective use of standards of best practice for achieving cybersecurity management. The CRMT tailors and supplements these practices to address a specific environment based on the risks identified. Assessing these risks and providing mitigation strategies is paramount to successful cybersecurity governance, and this includes crafting cybersecurity policy that concentrates on system user behavior, insider threats, training and awareness and incident reporting procedures.

Inventory of cyber-dependent systems: An inventory of all cyber-dependent systems is crucial to managing a company’s risk assessment. Interconnected IT and OT systems pose a higher risk than those that are segregated or “air-gapped.” This inventory lays a foundation for ascertaining risk appetite and prioritizing the mitigation strategies based on the level of risk. Any cyber-dependent system poses some type of risk, so each system must be evaluated for vulnerabilities and the proper mitigation strategy must be put into place for each.

User awareness and training: The CRMT should also focus on user awareness and training. The rapidly changing landscape of cyber threats makes frequent user awareness efforts necessary. An educated, informed user is less likely to fall victim to an adversary’s tactics. Many cybersecurity breaches result from careless user behavior that can be easily avoided with frequent user training. Documentation of this training should be recorded and retained to validate any compliance measures that an organization may adhere to.

Organizational resilience: A key goal of cybersecurity governance is the ability of an organization, in the cyber environment, to anticipate, prepare for, respond to and adapt to both incremental change and sudden disruptions in order to survive and prosper. Good cybersecurity governance leads to organizational resilience. Effective cyber governance allows the company to make consistent and understandable decisions about its security measures, risk management and the overall cybersecurity posture.

Next week, we will discuss the importance of building organizational cyber resilience. We will highlight the need to build resilience into your risk framework by applying targeted strategies that most organizations can embrace with minimal technical expertise. Maintaining business continuity after a cyber incident is crucial, and only a thoroughly developed resiliency plan will suffice.

Have input or ideas on this topic? Join the discussion by leaving your comments or questions in the section below or by using #MaritimeCyber on Twitter.

This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.
