
Security Program Justification: Equifax 2017 Incident (2020 oversight)

Use this document type to justify the scope, resourcing, or structure of the security program; it supports resource and organizational decisions.


Purpose

This justification explains why the scope and structure of the security program are necessary in response to the Equifax 2017 incident and the oversight that followed it in 2020, including capability gaps, risk reduction targets, and resource implications. It supports executive and board approval of sustained program maturity efforts.

Hallucinated writing examples

Scenario: During an illustrative period following federal Equifax enforcement orders and ongoing MDL settlement administration (time), the Chief Information Security Officer (role) prepares a security program justification (type) for the Chief Executive Officer and the Board Audit Committee (audience).

SECURITY PROGRAM JUSTIFICATION

To: Chief Executive Officer, Board Audit Committee
From: Chief Information Security Officer
Date: October 28, 2020
Subject: Security Program Scope, Structure, and Resource Request — FY 2021 (Post-2017 Incident Oversight)

Program Mission and Context: The program mission is to reduce enterprise exposure to unpatched vulnerabilities, privileged-access misuse, and evidence-readiness gaps (shortfalls in monitoring and retention that would impede a future investigation), while meeting ongoing federal enforcement and civil oversight expectations after the 2017 incident. Sustained program maturity is required to support regulators, auditors, and legal stakeholders.

Scope and Current State: Program scope includes internet-facing vulnerability governance, privileged access management, monitoring and retention controls, independent assessment response, and governance reporting. Current capabilities are in place but stretched by concurrent remediation and assurance obligations across a broad infrastructure estate.

Gap Analysis and Recommendation: Gaps remain in end-to-end validation capacity (confirming that remediation actually reached every affected asset rather than only being scheduled), completion of SIEM coverage across the in-scope systems, and timely closure of high-priority findings. Options considered: (1) Recommended: approve expanded staffing and tooling budget focused on patch governance, PAM, and assessment closure operations. (2) Minimal: hold current capacity; rejected because residual risk and oversight pressure persist. (3) Enhanced multi-year acceleration: not recommended without an additional trigger. We request [X] FTE and [Y] budget, with quarterly board reporting on patch latency, SIEM coverage, and finding closure, and documented exception governance for any control that cannot be met on schedule.

Document-type guide: Security Program Justification

Writing tips: Writing best practices — Security Program Justification

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM