TechGuard Security

Cybersecurity Maturity Advisor [CMA]

Full Cyber Maturity Roadmap Tracker
Built on 26 years in the field, shaped with partners across government, insurance, and business — and refined with a little AI. ;)

A guided path to cybersecurity maturity for TechGuard CMA-As-A-Service clients. Your CMAaaS guide will work with you over time to implement routines, technology and tools to close the gaps while you watch how those implementations translate to measurable business ROI and risk reduction.

Maturity Score By Level
0% L1 Foundational
0% L2 Fundamental
0% L3 Structured
0% L4 Tested
0% L5 Secure & Mature

Start at level 1: Select any service card below to see that topic's checklist items. As you check off items, watch how your maturity score evolves and where to focus next for maximum risk reduction and business impact.

LEVEL 5
Secure & Mature
Strategic governance, continuous improvement, competitive trust
Security Governance & Program Ownership
fCISO / DPO
vCISO / Fractional CISO Leadership
Security Roadmap and Charter
Policy Library Stewardship
Budget-to-Risk Alignment
Board-Level Oversight
Strategic Risk Governance
Quarterly Cyber Briefings
Risk Tolerance Definition
Executive Reporting Cadence
Fiduciary Acknowledgement
Security Metrics & KPI Dashboard
Reporting
MTTR/MTTD Tracking
Patch & Vuln-Aging Metrics
Phishing-Trend Analytics
Risk Score Trending
Third-Party Security Audits
External Audits
SOC 2 / ISO Audit Coordination
External Assessment Scheduling
Remediation Tracking
Certification Management
Continuous Risk Management Framework
RMF
Risk Register Maintenance
Residual-Risk Acceptance
Control-Effectiveness Audits
Regulatory-Change Monitoring
LEVEL 4
Tested
Controls are actively exercised, validated, and proven under pressure
Tabletop Exercises & Testing
TTX / AAR
Scenario-Based Drills
Cross-Team Coordination
After-Action Summary
Prioritized Remediation Plans
Red / Purple Team Exercises
Simulation
Adversary Simulation
Social Engineering Testing
Physical Intrusion Checks
Executive Debrief
Threat Hunting
Detection
Hypothesis-Driven Hunts
MITRE ATT&CK Mapping
IOC/IOA Analysis
Dwell-time Reduction Reporting
Operationalized Threat Intelligence
Active Intel
Intel-driven Hunts
Real-Time Playbook Updates
Campaign Monitoring
Executive TI Briefings
Vendor Risk — Ongoing Enforcement
Continuous
Continuous Vendor Monitoring
Annual Questionnaire Reviews
Certification Validation
Risk-Based Escalation
LEVEL 3
Structured
Programs formally designed, assessed, and deployed — build before you test
Zero Trust Architecture
Level 3 — Structured
Device posture validation enforced
Conditional access policies active
Least privilege network segmentation
Identity-aware access controls
Continuous access evaluation
Disaster Recovery Plan (DRP)
Recovery
RTO/RPO Mapping
Failover Architecture
Annual DR Testing
Recovery Runbooks
Business Continuity Plan (BCP)
Resilience
Business Impact Analysis
Alternate Workflows
Communication Plans
Vendor Dependency Mapping
Security Framework Assessments
PCI DSS / NIST
NIST/ISO/PCI Mapping
Evidence Review
Remediation Roadmap
Certification Support
Penetration Testing
Manual Testing
Network/App/API Testing
Phishing & Social Engineering
Physical Security Testing
Retesting & Validation
Vendor & Supply Chain Risk
Third-Party
Critical Vendor Identification
Tiering and Scoring
Questionnaire Enforcement
SBOM & Dependency Checks
Secure SDLC
Level 3 — Structured
SAST integrated into CI/CD
DAST before production release
Dependency & container scanning
SBOM maintained for key software
IaC security scanning enforced
Threat Intelligence
Deployed → Operationalized
Industry-specific threat feeds integrated
IOC feeds into SIEM & EDR
EPSS-based vulnerability prioritization
Weekly intelligence digest
→ L4: Intel drives hunts & playbooks
Managed Detection & Response (MDR)
SOC Alternative
24×7 SOC Monitoring
Threat Containment
Incident Investigation
Continuous Threat Reporting
Deception Technology
Honeypots
Honeypots & Honeytokens
Credential Decoys
Early lateral movement detection
Detection Refinement
External Attack Surface Mgmt (ASM)
ASM
External Asset Discovery
Domain/Cert Monitoring
Exposed Service Detection
Shadow IT Identification
SaaS Security Posture Mgmt (SSPM)
SSPM-Lite
M365 / Google Workspace posture
OAuth app permissions audit
Misconfiguration detection
SaaS data exposure alerts
AI Governance Program — Managed Capability
AI Program
Formal AI governance framework (NIST AI RMF / ISO 42001)
AI model lifecycle management defined
AI monitoring and logging implemented
AI output validation controls implemented
AI governance integrated with enterprise risk mgmt
AI Security & Adversarial Testing
AI / AppSec
AI apps included in security testing
Prompt injection risks evaluated
Model abuse scenarios tested
AI system logging enabled
Access controls applied to AI systems
AI output safeguards implemented
AI security responsibilities assigned
LEVEL 2
Fundamental
Detection, response capability & core data protection
IT Asset Discovery & Inventory
Asset Mgmt
Network-based discovery scan
Hardware & software inventory
Cloud asset visibility (CSPM)
EOL / EOS identification
Shadow IT detection
Secure Web & DNS Filtering
Level 2 — Fundamental
DNS filtering blocks malicious domains
Web content filtering enforced
Outbound threat protection enabled
Malicious domain sinkholing active
Integrated with detection workflows
Security Logging & Monitoring (SIEM)
SIEM
Centralized Log Aggregation
Alert Tuning and Noise Reduction
Retention Policies
Investigation Support
Incident Response Plan (IRP)
Response
IR Classification Matrix
Role and Escalation Mapping
Scenario-Based Playbooks
Post-Incident Review Workflows
Privileged Access Management (PAM)
Admin Control
Privileged account inventory
Just-in-time (JIT) access
Session recording & audit
Break-glass controls
Privileged password rotation
Continuous Vulnerability Management
Vuln Mgmt
Continuous Scanning
Severity-Based Workflows
Exception Tracking
SLA Reporting
Advanced Email Security
Gateway
Email threat protection gateway
SPF / DKIM / DMARC enforcement
Domain anti-impersonation
URL & attachment sandboxing
BEC / executive spoof protection
BEC / Funds Transfer Controls
Finance Controls
Dual approval for payment changes
Out-of-band verification
Finance mailbox rule controls
BEC incident playbook
Web Application Firewall (WAF)
Web Protection
OWASP Top 10 rule sets
Bot management
DDoS protection layer
SSL termination & inspection
Custom rule tuning
Data Loss Prevention (DLP)
DLP
Sensitive data classification
Egress monitoring & blocking
Cloud DLP (M365 / Google)
Endpoint DLP policies
Dark Web Monitoring
Identity Risk
Credential Leak Detection
Domain/Brand Alerts
Executive Exposure Monitoring
Remediation Guidance
Vulnerability Scanning (Internal & External)
Attack Surface
Authenticated Scanning
Continuous external scan
Cloud infrastructure scanning
Risk-ranked findings report
Findings ownership assignment
AI Risk Management — Controlled Adoption
AI Risk Mgmt
AI risk assessment before adoption
AI included in vendor risk management
AI data handling standards defined
AI use cases documented
Human oversight defined for AI outputs
AI risk register maintained
Shadow AI & AI Data Leakage Detection
AI / DLP
Shadow AI usage monitoring (CASB / SSE / DNS)
AI tool access controlled technically
Sensitive data detection in AI prompts
Approved AI platforms enforced technically
AI usage activity logged
AI data leakage incidents investigated
LEVEL 1
Foundational
Prevents 90% of common attacks — core controls every org must have
Identity & Access Control (IAM)
Foundation
User Lifecycle & RBAC
Quarterly access reviews
Admin & Service Account Cleanup
MFA Pre-requisites and CA Foundations
Multi-Factor Authentication (MFA)
Access
MFA For All Users
Admin MFA Enforcement
Phishing-resistant MFA (FIDO2)
MFA Coverage Reporting
Endpoint Management
Level 1 — Foundational
MDM deployed
Device compliance enforced
Patch & config centrally managed
Asset inventory synchronized
Unauthorized devices blocked
Endpoint Protection & Response (EDR)
Endpoint
EDR agent deployment coverage
Protection baseline policy
Endpoint coverage & health reporting
Automated threat containment
Mobile device management (MDM)
Secure Configuration Standards
Hardening
CIS Benchmark baselines
Secure build / image standards
Application allowlisting
Configuration drift detection
Core security policy baseline
Vulnerability & Patch Management
Updates
Routine Patch Cycles
Critical-Patch SLAs
Third-Party App Updates
Emergency Patching Workflows
Data Encryption (Rest & Transit)
Rest & Transit
Full-disk encryption (BitLocker / FileVault)
Database encryption at rest
TLS 1.2+ enforced everywhere
Key hygiene & rotation policy
Certificate inventory & expiry monitoring
Remote Access Security (ZTNA/VPN)
Network
Secure Remote Access Enforcement
Geo/IP Policy Controls
Device Posture Check
Privileged Remote Access Governance
Network Segmentation & Firewall Hygiene
Containment
VLAN / zone segmentation design
Firewall rule review & cleanup
Perimeter exposure reduction
Micro-segmentation for critical assets
Web & DNS threat filtering
Security Awareness & Phishing Simulation
Human Firewall
Monthly Phishing Tests
Periodic Training Modules
Social Engineering Awareness
Role-based Training
Password Management
Credential Vault
Enterprise password vault deployment
Password policy enforcement
Secrets & service account vault
Shared credential elimination
Breach password monitoring
Backup & Recovery
Ransomware Survival
3-2-1 backup architecture
Immutable / air-gapped backups
Recovery test & evidence
Ransomware-resilient architecture
RTO / RPO validation
Maturity Evidence & Stakeholder Reporting
Program Visibility
Executive maturity summary reporting
Control attestation documentation
Risk posture trend reporting
Board-ready security dashboards
AI Governance — Foundational Awareness
AI Governance
AI usage policy established
Sensitive data prohibited in public AI tools
Approved AI tool list defined
AI governance ownership assigned
AI included in security awareness training
AI usage inventory created
AI incidents in incident response

Click any service card above to see full assessment sub-items & checklist
