Security Program Justification (Yahoo MDL (2018))¶
Use this to justify the scope, resourcing, or structure of the security program; supports resource and organizational decisions.
Purpose¶
This justification explains why the scope and structure of the security program are necessary in response to Yahoo MDL (2018), including capability gaps, risk reduction targets, and resource implications. It supports executive and board approval of sustained program maturity efforts.
Hallucinated writing examples¶
Scenario: In an illustrative period during Yahoo MDL motion practice after public disclosures of large-scale account compromise (time), the Chief Information Security Officer (role) prepares a security program justification (type) for Chief Executive Officer, Board Audit Committee (audience).
SECURITY PROGRAM JUSTIFICATION
Program Mission and Context: The security program exists to protect user account data, maintain reliable detection and evidence readiness, and support legal defensibility under ongoing MDL scrutiny. Following public disclosure of large-scale account compromise and subsequent litigation developments, the program mission requires sustained remediation and measurable maturity across identity, monitoring, and governance—not one-time response actions.
Scope and Current State: In scope are systems and processes supporting user account security, access governance, logging/retention, incident response, and litigation-evidence workflows across legacy and acquired platforms. Current organization includes security engineering, operations, and risk/compliance functions; however, capacity remains constrained relative to required remediation pace and evidence demands.
Gap Analysis and Recommendation: Key gaps include uneven logging and retention coverage, inconsistent identity governance across legacy systems, and limited dedicated capacity for legal-hold evidence preparation and governance reporting. Options considered: (1) Recommended—expand core program staffing and operating budget to close identified gaps and sustain governance cadence. (2) Minimal—maintain current staffing and defer lower-priority closures; rejected due to increased residual risk and discovery friction. (3) Enhanced—accelerated expansion beyond current fiscal tolerance. We request approval of [X] FTE and [Y] budget for FY 2019, with monthly program reporting and risk-register linkage.
Document-type guide: Security Program Justification
Writing tips: Writing best practices — Security Program Justification