Security Program Justification (Capital One 2019)
Use this to justify the scope, resourcing, or structure of the security program; supports resource and organizational decisions.
Hallucinated writing examples
Scenario. In November 2020, following the July 2019 incident, the OCC Consent Order (August 6, 2020), and the still-pending consumer class-action litigation (time), the Chief Information Security Officer (role) must present a security program justification (type) to the CEO and Board Audit Committee (audience) for FY 2021. The justification must tie directly to the incident, the Consent Order, and the litigation. The CISO must explain why the program's scope, structure, and resourcing are adequate to meet Consent Order commitments and reduce regulatory and legal risk, and request approval for additional headcount and budget.
SECURITY PROGRAM JUSTIFICATION
Program mission and context. The security program exists to protect customer and company data, maintain control effectiveness and evidence readiness, and meet regulatory and legal expectations. The July 2019 cybersecurity incident, unauthorized access to the data of approximately 106 million individuals in the United States and Canada held in our AWS-hosted infrastructure, resulted in an $80 million civil money penalty and Consent Order from the Office of the Comptroller of the Currency (August 6, 2020, OCC NR 2020-98) and consolidated consumer class-action litigation (In re Capital One Consumer Data Security Breach Litigation, MDL No. 2915, E.D. Va.), which remains pending. Since the incident and the Consent Order, the program's mission includes sustained remediation and demonstrable program maturity to satisfy the OCC and to support defensibility in any future regulatory or legal process.
Scope and current state. In scope: all systems processing [designated data]; cloud and on-premises; internal and third-party access. Current structure: [CISO org summary]. Headcount: [X]. Key capabilities: security engineering, risk and compliance, incident response, identity and access management, security operations. Consent Order workstreams are in progress; evidence mapping and audit readiness are ongoing. The Consent Order requires the Bank to strengthen risk management, board reporting, cloud security, and third-party risk; our current capacity is strained to deliver on those commitments while maintaining day-to-day operations.
Gap analysis and recommendation. Relative to the risk register and the Consent Order: (1) Independent control validation capacity: we need sustained testing and audit support to evidence control effectiveness rather than assert it. (2) Logging and retention: expansion to full scope per Consent Order expectations, so that access to in-scope systems and data can be reconstructed after the fact. (3) Third-party risk: standardized evidence and review cadence. (4) Program metrics and board/OCC reporting: automation and consistency. Options considered: (1) Recommended: [additional headcount/budget] for [roles/initiatives] to close gaps and maintain Consent Order momentum. (2) Minimal: hold current; this delays Consent Order deliverables and increases residual risk. (3) Enhanced: not recommended for FY 2021 absent [trigger]. We request approval of [X] FTE and [Y] budget for [initiatives]; each requested role and initiative is mapped to the Consent Order requirement and risk-register item it addresses and to the evidence that will demonstrate closure. Risks of inaction: missed Consent Order milestones and further enforcement action, repeat incident exposure, and additional audit or regulatory findings. Execution will be tracked via program status reporting and the risk register.
Official document (program adequacy in enforcement and disclosure)
The OCC consent order and the class-action settlement reflected scrutiny of whether Capital One's program was adequate. After the breach, the company had to justify program scope, structure, and investment to the board and to its regulator. The 10-K and the consent order commitments are the public face of that justification.
- OCC Consent Order (2020): OCC Consent Order and Civil Money Penalty against Capital One — required program improvements (risk management, board reporting, cloud security); effectively a mandated program enhancement set.
- Capital One 10-K: Capital One 10-K — describes program elements, governance, and investments; supports “program adequacy” narrative.
- Settlement: Capital One Settlement — remediation and consumer commitments imply program scope and resourcing decisions.
Program justifications are usually internal; consent orders and 10-K show how regulators and investors judge program adequacy.
Writing analysis
How security program justifications are typically structured
- Program mission — What the security program exists to achieve.
- Scope — What is in scope (systems, data, business units).
- Current state — Structure, headcount, and key capabilities.
- Gap analysis — What is missing relative to risk and expectations.
- Options — Alternative structures or resource levels.
- Recommendation — Proposed scope, structure, and resources.
- Evidence — Risk assessments, benchmarks, regulatory expectations.
- Conclusion — Ask (approval, budget, headcount).
What to emulate
- Reference risk register, regulatory guidance, and industry norms so the ask is evidence-based.
- Clear “recommendation and ask” so decision-makers know exactly what is being requested.
- Once approved, track execution in program status and risk register.
What to improve
- Avoid justifying by headcount alone; tie each ask to the risk it reduces, the control coverage it adds, and the evidence it makes available to auditors and regulators.
- Include "risks of inaction" so the cost of under-investment is explicit: missed consent order milestones, repeat findings, and further enforcement or litigation exposure.