Phase 1: Project Governance - Training Guide

Mission Briefing

Welcome, Cyber Surveyor. Your first mission at Tachyon Heavy Industries' Mars Shipyard involves establishing the foundation for successful E26 implementation across their new fleet of mining vessels. Project Governance is not merely administrative overhead—it is the backbone that will support all subsequent cybersecurity efforts.

In the vacuum of space, clear communication and well-defined responsibilities can mean the difference between mission success and catastrophic failure. The governance structure you establish now will determine how effectively THI can implement cybersecurity controls throughout the vessel lifecycle.

E26 Regulatory Context

The IACS UR E26 regulation requires a systematic approach to cybersecurity that begins with clear governance. While not explicitly mandating specific governance structures, E26 requires:

• Clear assignment of cybersecurity responsibilities
• Documented processes for risk management
• Established communication channels for security issues
• Defined procedures for managing cybersecurity documentation

These requirements are foundational to demonstrating compliance during ABS certification reviews.

Your Mission Objectives

As an ABSC Cyber Integrator, you must:

1. Establish a project governance structure that clearly defines roles and responsibilities
2. Create communication protocols for cybersecurity matters
3. Develop project documentation templates and management processes
4. Implement risk and issue management frameworks
5. Establish change control procedures

The Challenges You Face

THI's Mars Shipyard is a complex environment with multiple stakeholders:

• THI Engineering teams focused on vessel functionality
• THI Production teams concerned with construction timelines
• Equipment suppliers with varying cybersecurity capabilities
• ABS surveyors who will ultimately certify the vessels
• Vessel owners with specific operational requirements

Many of these stakeholders view cybersecurity as a regulatory burden rather than a critical safety feature. Your governance structure must balance their concerns while ensuring E26 requirements are met.

Quest Path: Establishing Project Governance

Step 1: Stakeholder Identification and Analysis

Your first task is to identify all stakeholders involved in the vessel cybersecurity implementation and analyze their interests, influence, and concerns.

Interactive Challenge: You discover that the THI Production Manager has been excluding the Cybersecurity Team from design review meetings to "save time." How do you address this without creating conflict?

Options:

• Escalate to THI executive leadership
• Demonstrate the value of cybersecurity input through a specific example
• Propose a streamlined format for cybersecurity participation
• Implement a formal governance structure requiring cybersecurity sign-off

Optimal Approach: Propose a streamlined format for cybersecurity participation that minimizes impact on meeting duration while ensuring critical security considerations are addressed. Follow this with implementing a formal governance structure that institutionalizes this approach.

Step 2: Governance Structure Development

Based on your stakeholder analysis, develop a governance structure that clearly defines:

• Roles and responsibilities for cybersecurity implementation
• Decision-making authorities and escalation paths
• Meeting cadence and participation requirements
• Documentation and reporting requirements

Procedural Guide:

1. Create a RACI matrix (Responsible, Accountable, Consulted, Informed) for all cybersecurity activities
2. Develop a project organization chart showing reporting relationships
3. Define escalation paths for security issues of varying severity
4. Establish a Cybersecurity Steering Committee with representatives from all key stakeholder groups
5. Document meeting schedules, formats, and required participants

Deliverable: Project Governance Structure Document

Step 3: Communication Protocol Development

Establish clear protocols for how cybersecurity information will be communicated, including:

• Regular status reporting
• Security incident notification
• Technical query processes
• Documentation distribution and access controls

Procedural Guide:

1. Define standard communication channels for different types of information
2. Create templates for status reports, incident notifications, and technical queries
3. Establish classification guidelines for security-sensitive information
4. Implement secure communication methods for sensitive data
5. Define response time expectations for different communication types

Interactive Challenge: A potential zero-day vulnerability has been identified in a critical system component. Who needs to be notified, through what channels, and with what urgency?

Deliverable: Communication Protocol Document

Step 4: Documentation Management

Develop a comprehensive approach to managing project documentation, including:

• Document templates and standards
• Version control procedures
• Review and approval workflows
• Storage and access controls
• Retention policies

Procedural Guide:

1. Create a document hierarchy showing relationships between different document types
2. Develop templates for key document types (risk assessments, security designs, test plans)
3. Establish naming conventions and version control procedures
4. Define review and approval workflows for different document types
5. Implement access controls based on document sensitivity

Deliverable: Documentation Management Plan

Step 5: Risk and Issue Management

Establish frameworks for identifying, assessing, and managing risks and issues throughout the project lifecycle.

Procedural Guide:

1. Create risk and issue registers with clear categorization schemes
2. Define risk assessment methodologies aligned with E26 requirements
3. Establish risk treatment planning processes
4. Implement issue tracking and resolution procedures
5. Define escalation criteria for high-impact risks and issues

Interactive Challenge: The project timeline has been compressed by three months due to market pressures. How do you assess and manage the cybersecurity risks this creates?

Deliverable: Risk and Issue Management Framework

Step 6: Change Control Procedures

Develop procedures for managing changes to project scope, requirements, or designs, ensuring cybersecurity impacts are properly assessed.

Procedural Guide:

1. Create a change request template that includes cybersecurity impact assessment
2. Define change evaluation criteria and approval thresholds
3. Establish a Change Control Board with appropriate representation
4. Implement change implementation and verification procedures
5. Develop change communication protocols

Deliverable: Change Control Procedure Document

Mission Completion Criteria

Your mission will be considered complete when:

1. All deliverables have been created and approved by key stakeholders
2. The governance structure has been implemented and is functioning effectively
3. Initial project kickoff has been conducted using the new governance framework
4. ABS has reviewed and accepted the governance approach

Rewards and Advancement

Successful completion of this mission will:

• Establish your credibility with THI leadership
• Create the foundation for all subsequent cybersecurity work
• Unlock access to Phase 2: Risk Identification & Scoping
• Earn you the "Governance Architect" achievement in your surveyor profile

Knowledge Resources

• IACS UR E26 Section 5.1: "Demonstration of compliance during design and construction phases"
• ABS Consulting Best Practices for Cybersecurity Project Governance
• THI Organizational Structure and Decision-Making Processes
• NIST Special Publication 800-39: Managing Information Security Risk

Remember, Surveyor: in the void of space, clear governance is your first line of defense against the chaos of cyber threats. Establish it well, and all other security measures will follow more effectively.

Good luck on your mission. The safety of future crews depends on your success.