When preparing for an evaluation of an organization's cybersecurity capabilities against a regulatory framework, the volume of supporting documentation to be considered can seem overwhelming. A few high-level documents are incredibly useful for getting one's arms around the scope of activities involved in a cybersecurity program, yet they are often overlooked. One of them is the humble organizational chart. Usually used to display hierarchical oversight and reporting lines within an organization and its functional departments, a detailed org chart can greatly assist an assessor, whether internal or external, in understanding roles and responsibilities as they relate to numerous security control activities.

How much help could an org chart really provide, you may ask? Well, let's use the NIST SP 800-171 framework as an example. Revision 2 of the framework consists of 110 requirements divided across 14 "families" or domains. These families span from Access Control to Awareness and Training and Physical Protection, as well as Maintenance, Personnel Security and Security Assessment, to name a few. As one can see, successfully performing the requirements takes contributions from numerous functional departments, including Information Technology, Human Resources, Facilities, Software Development, Network Administration, Security, Legal, and others. Obviously, this all depends on the size and complexity of an organization, as resource limitations at smaller companies require employees to wear many hats, but in general a well-defined org chart helps both management and an assessor understand how responsibility for control activities is assigned within the broader organization. Finally, with incident reporting becoming a common requirement across agency regulations, an org chart is a good starting point for defining the reporting process and ensuring that the appropriate individuals at the requisite levels are informed and, where necessary, contributing to the process.

So, what steps can one take to use an org chart to assist with cybersecurity governance? Some helpful tips include:

  • Make it visual! A picture is worth a thousand words, as they say. Format the document so that a reader can navigate it visually.
  • Don't include names, only positions. As turnover occurs, a chart that lists names quickly becomes out of date; keep the mapping of people to positions in a separately maintained roster.
  • Repurpose the org chart for cyber governance by adding control references (for example, the 800-171 requirement identifiers) to signify who is responsible for what within the various departments.
  • Consider expanding the org chart into a RASCI (Responsible, Accountable, Supportive, Consulted, Informed) matrix that aligns roles with performance of each security requirement. A useful check when building it: every requirement should have exactly one Accountable role and at least one Responsible role, and any requirement with none of either is a gap an assessor will find.

Overall, an organizational chart provides valuable insight into the structure and operations of an organization, which in turn can be used to identify the roles and responsibilities of the parties tasked with the organization's cybersecurity posture. Documenting that mapping ahead of an assessment strengthens an organization's ability to demonstrate compliance.