Created September 6, 2022 22:48
Identify: Functional Area summary
| Functional Area | Subcategory |
| --- | --- |
| Asset Management | ID.AM-1: Physical devices and systems within the organization are inventoried |
| Asset Management | ID.AM-2: Software platforms and applications within the organization are inventoried |
| Asset Management | ID.AM-3: Organizational communication and data flows are mapped |
| Asset Management | ID.AM-4: External information systems are catalogued |
| Asset Management | ID.AM-5: Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value |
| Asset Management | ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established |
| Business Environment | ID.BE-1: The organization’s role in the supply chain is identified and communicated |
| Business Environment | ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated |
| Business Environment | ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated |
| Business Environment | ID.BE-4: Dependencies and critical functions for delivery of critical services are established |
| Business Environment | ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations) |
| Governance | ID.GV-1: Organizational information security policy is established |
| Governance | ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles and external partners |
| Governance | ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed |
| Governance | ID.GV-4: Governance and risk management processes address cybersecurity risks |
| Risk Assessment | ID.RA-1: Asset vulnerabilities are identified and documented |
| Risk Assessment | ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources |
| Risk Assessment | ID.RA-3: Threats, both internal and external, are identified and documented |
| Risk Assessment | ID.RA-4: Potential business impacts and likelihoods are identified |
| Risk Assessment | ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk |
| Risk Assessment | ID.RA-6: Risk responses are identified and prioritized |
| Risk Management Strategy | ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders |
| Risk Management Strategy | ID.RM-2: Organizational risk tolerance is determined and clearly expressed |
| Risk Management Strategy | ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis |
| Supply Chain Management | ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders |
| Supply Chain Management | ID.SC-2: Identify, prioritize and assess suppliers and third-party partners of information systems, components and services using a cyber supply chain risk assessment process |
| Supply Chain Management | ID.SC-3: Suppliers and third-party partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan |
| Supply Chain Management | ID.SC-4: Suppliers and third-party partners are routinely assessed to confirm that they are meeting their contractual obligations. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted |
| Supply Chain Management | ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers |