The organization has established basic accountability for offensive security outcomes. Roles are defined, remediation is tracked, and leadership is informed of results on a defined cadence. Governance is reactive: it responds to findings rather than shaping the program, but it is consistent enough to build on.
Outcomes
- Roles and responsibilities for offensive security are defined and documented
- Remediation is tracked with assigned ownership and target timelines
- Security or IT management reviews test results on a defined cadence
- Testing schedule, ownership, and documentation requirements are outlined in policy or SOPs
- Leadership acknowledges offensive security outcomes and their operational implications
Actions
1. Document roles and responsibilities for offensive security
2. Implement a remediation tracking process with assigned owners, priority levels, and target closure dates
3. Establish a leadership review cadence that runs on a defined schedule rather than on demand
4. Capture testing cadence, ownership, and documentation requirements in policy or SOPs
Sustainment Criteria
All criteria must be met to hold this level. If any criterion is unmet at reassessment, consider yourself at the previous level.
- Roles and responsibilities for offensive security are documented and current
- All findings have an assigned owner and a tracked remediation status
- Leadership reviews assessment results on a defined cadence and can speak to trends over time
- Testing cadence and ownership are captured in policy or SOP
- Remediation progress is reported to management on a defined schedule
Practitioner note
G2 governance is process-driven but not yet strategically integrated. The distinction between G1 and G2 is not just the presence of a tracking process but the presence of a review cadence. Results that are accessible but never reviewed on a schedule provide weaker accountability than results formally reviewed on a defined cycle.
Moving to G3
Develop a documented offensive security strategy connected to existing risk practices, identify and engage a genuine executive sponsor, define formal remediation SLAs with escalation, and document how findings inform risk decision-making.
Corresponding Technical Practice level
T2 Repeatable
Organizations often develop these axes at different rates. Compare your position on both.