Cross-Organizational Team (X-Team): Mission, Goals, Objectives, and Composition


This sample artifact describes the cross-organizational team (X-team) mission, goals, objectives, and composition as identified in Article 2: Defining an Effective Enterprise Security Program, Table 1, and Article 3: Enterprise Security Governance Activities. This artifact is not meant to stand alone — rather it should be interpreted in the context of these articles. We hope business leaders will find it useful as an aid in building a governance-based security program.

X-Team Mission

The mission of the cross-organizational team (X-team) is

  • to develop, coordinate, and sustain the organization's enterprise security program (ESP)
  • to fulfill the need for an enterprise-wide perspective in
    • coordinating and responding to security risk issues and incidents
    • developing, implementing, and maintaining the organization’s risk management plan (RMP), enterprise security strategy (ESS), and enterprise security plan 

X-Team Goals

In carrying out its mission, the X-team shall achieve the following goals:

  • Coordinate and communicate security risk issues to ensure they receive enterprise attention as well as adequate and timely responses throughout the organization.
  • Ensure that the enterprise security program (ESP) is an active, current, and sustained program, reflected in day-to-day roles, responsibilities, and business processes.
  • Facilitate and support the development, implementation, and maintenance of the organization's risk management plan (RMP), enterprise security strategy (ESS), and enterprise security plan (including supporting plans, such as incident response and disaster recovery) through participation in specified activities.
  • Manage the security of digital assets [1] in alignment with the RMP, ESS, and enterprise security plan.

X-Team Objectives

The X-team shall accomplish the following objectives in meeting these goals: 

  • Serve as a central coordination and response point by meeting no less than monthly to discuss security issues and monitor progress on ESP tasks.
  • Develop and maintain a comprehensive inventory of systems, including system descriptions, ownership, and custody of assets.
  • Identify and maintain a table of authorities for compliance requirements and mappings of assets to the table.
  • Map data flows across jurisdictions.
  • Map corresponding cybercrime and breach compliance laws to the data flows.
  • Conduct security threat and risk self-assessments annually and formal assessments every third year.
  • Provide security input to the risk management plan.
  • Develop an enterprise security strategy and enterprise security plan for board risk committee (BRC) approval.
  • Categorize assets by levels of risk as well as magnitude of harm and impact.
  • Determine, review, and update security controls, key performance indicators, and metrics.
  • Develop and update supporting plans for the enterprise security plan, including incident response, business continuity/disaster recovery, and crisis communication plans.
  • Develop, update, and verify third-party and vendor security requirements.
  • Develop and update security policies and procedures.
  • Develop and update the security system architecture plan.
  • Develop and update ESP implementation and training plans.
  • Monitor and enforce RMP, ESS, and ESP policies and procedures.
  • Test and evaluate system controls.
  • Identify system weaknesses and plans of action and milestones (POAMs).
  • Conduct formal annual reviews of the ESP.

X-Team Composition

The X-team shall be chaired by the chief security officer (CSO) and be composed of the following additional personnel:

  • chief information security officer (CISO) (if this role is separate from the CSO)
  • chief risk officer (CRO)
  • chief privacy officer (CPO)
  • chief information officer (CIO)
  • chief financial officer (CFO)
  • general counsel (GC)
  • business line executives (BLEs)
  • vice president of human resources (HR)
  • vice president of public relations (PR)

[1] Digital assets include networks, information, and applications, and their grouping into systems.