Title: NIST Checklist
Audit checklist for the Identify function of the NIST Cybersecurity Framework (CSF) v1.1, covering categories ID.AM through ID.SC. Note that CSF 2.0 (2024) reorganizes these categories and moves business environment, governance, risk management strategy and supply chain risk management into a new Govern function; the identifiers below are the v1.1 ones.

Each subcategory is listed as: the outcome specified by NIST; the implementation check the assessor performs; and the expected results (the evidence to collect).
Function: Identify
Category: ID.AM Asset Management
ID.AM-1
NIST: Physical devices and systems within the organization are inventoried.
Implementation: Verify that the organization maintains an inventory of all physical devices and systems and updates it as the infrastructure changes. Test completeness by comparing the documented inventory against an independent source (for example a network discovery scan, an endpoint agent console or procurement records) and asking how the differences are reconciled.
Expected results: The inventory of physical devices and systems, and documented procedures for maintaining and updating it.

ID.AM-2
NIST: Software platforms and applications within the organization are inventoried.
Implementation: Verify that the organization maintains an inventory of all software platforms and applications and that it is refreshed as software assets change (installations, upgrades, retirements).
Expected results: The software inventory, and documented procedures for maintaining and updating it.

ID.AM-3
NIST: Organizational communication and data flows are mapped.
Implementation: Confirm that the organization has mapped its communication and data flows so that it understands where information is transmitted and stored, and that the maps are reviewed and updated regularly.
Expected results: Communication and data flow diagrams, and a description of the process for producing and updating them.

ID.AM-4
NIST: External information systems are catalogued.
Implementation: Verify that the organization has catalogued all external information systems that connect to its network or process its data (including cloud and SaaS services), and that the catalogue is updated when these systems change.
Expected results: The catalogue of external information systems, and documented procedures for adding, reviewing and removing entries.

ID.AM-5
NIST: Resources (hardware, devices, data, time, personnel and software) are prioritized based on their classification, criticality and business value.
Implementation: Verify that the organization categorizes its resources by classification, criticality and business value and has defined criteria for prioritizing them.
Expected results: The resource categorization and prioritization, and documentation of the criteria used.

ID.AM-6
NIST: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (suppliers, customers, partners) are established.
Implementation: Verify that cybersecurity roles and responsibilities have been defined for all employees and third-party stakeholders, documented, and communicated to them.
Expected results: Documentation of cybersecurity roles and responsibilities, together with records of their communication and of training on them.
www.infosectrain.com | sales@infosectrain.com
Category: ID.BE Business Environment
ID.BE-1
NIST: The organization's role in the supply chain is identified and communicated.
Implementation: Verify that the organization has identified its position in the supply chain and communicated it internally and to relevant stakeholders.
Expected results: Documentation of the organization's supply chain role, and records of its communication.

ID.BE-2
NIST: The organization's place in critical infrastructure and its industry sector is identified and communicated.
Implementation: Confirm that the organization has identified its place in critical infrastructure and its industry sector and communicated this internally and to relevant parties.
Expected results: Documentation of the organization's place in critical infrastructure and its industry sector, and records of its communication.

ID.BE-3
NIST: Priorities for organizational mission, objectives and activities are established and communicated.
Implementation: Confirm that the organization has established, documented and communicated its priorities for mission, objectives and activities to relevant personnel and stakeholders.
Expected results: Documentation of these priorities, and records of their communication.

ID.BE-4
NIST: Dependencies and critical functions for delivery of critical services are established.
Implementation: Verify that the organization has identified and documented the dependencies (systems, suppliers, personnel, facilities) and critical functions required to deliver its critical services, and that the list is reviewed regularly.
Expected results: Documentation of dependencies and critical functions, and records of their periodic review and update.

ID.BE-5
NIST: Resilience requirements to support delivery of critical services are established for all operating states (under duress or attack, during recovery, and in normal operations).
Implementation: Verify that resilience requirements for critical services have been defined for each operating state, documented, and built into the organization's processes and procedures (for example recovery time and recovery point objectives, failover arrangements and degraded-mode operation).
Expected results: Documented resilience requirements for critical services in each operating state, and the processes and procedures that implement them.
Category: ID.GV Governance
ID.GV-1
NIST: Organizational cybersecurity policy is established and communicated.
Implementation: Confirm that a cybersecurity policy exists that covers roles, responsibilities, compliance obligations and required security measures, that it has been approved, and that there is a documented procedure for communicating it to all employees and relevant external parties.
Expected results: The cybersecurity policy, with records of its distribution: employee acknowledgements, briefing minutes, training materials and attendance records.

ID.GV-2
NIST: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.
Implementation: Verify that cybersecurity roles and responsibilities are clearly defined, that coordination between internal roles and external partners is documented, and that these roles are reviewed and updated regularly.
Expected results: Job descriptions that include cybersecurity responsibilities, contracts or service level agreements (SLAs) with third parties that define their cybersecurity roles, and records of meetings or communications on role coordination.

ID.GV-3
NIST: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
Implementation: Verify that the organization has identified all applicable legal and regulatory requirements, has policies and procedures in place to manage compliance with them, and trains staff on these requirements and on changes to them.
Expected results: A compliance checklist or matrix of applicable requirements, documented procedures and controls for meeting them, and training logs and materials covering legal and regulatory requirements.

ID.GV-4
NIST: Governance and risk management processes address cybersecurity risks.
Implementation: Assess whether risk management governance covers cybersecurity risk, review the procedures for identifying and mitigating cybersecurity risks, and confirm that cybersecurity risk is integrated into the organization's enterprise risk management.
Expected results: Risk management policies and procedures, risk assessment reports, risk treatment plans, and meeting minutes or reports showing cybersecurity risk being handled within the enterprise risk management framework.
Category: ID.RA Risk Assessment
ID.RA-1
NIST: Asset vulnerabilities are identified and documented.
Implementation: Verify that an asset inventory exists, that vulnerability scans are run regularly against it, and that identified vulnerabilities are documented and assessed. Check that scan coverage matches the asset inventory, since assets missing from the scans are the ones that go unpatched.
Expected results: The asset inventory, vulnerability scan reports, and documented assessments of the vulnerabilities found.

ID.RA-2
NIST: Cyber threat intelligence is received from information sharing forums and sources.
Implementation: Evaluate the organization's participation in threat intelligence sharing platforms, review the procedure for receiving and distributing threat intelligence, and assess how received intelligence changes security practice (for example detection rules, patch priorities or blocklists).
Expected results: Evidence of membership in information sharing forums, records of threat intelligence received, and documented use of that intelligence in the organization's cybersecurity strategy.

ID.RA-3
NIST: Threats, both internal and external, are identified and documented.
Implementation: Confirm that a threat identification methodology exists, review the records of identified threats, and check that both internal and external threats are considered.
Expected results: Threat assessment reports or logs, documentation of the threat identification process, and records of identified internal and external threats.

ID.RA-4
NIST: Potential business impacts and likelihoods are identified.
Implementation: Verify that there is a procedure for assessing the potential business impact of threats and the likelihood of their occurrence, and that these assessments feed the overall risk management strategy.
Expected results: Business impact analysis reports, documented likelihood assessments, and risk analysis reports that combine impact and likelihood.

ID.RA-5
NIST: Threats, vulnerabilities, likelihoods and impacts are used to determine risk.
Implementation: Evaluate how threat, vulnerability, likelihood and impact data are combined in the risk assessment procedure, confirm that comprehensive risk assessments integrating all four have been completed, and review how updates to this information are reflected in the risk documentation.
Expected results: Risk assessment reports, risk matrices or dashboards showing how the four elements combine, and change logs showing how risk assessments have evolved over time.

ID.RA-6
NIST: Risk responses are identified and prioritized.
Implementation: Confirm that risk responses are documented, examine the criteria used to prioritize them, and check that the risk response process is revisited when the risk environment changes.
Expected results: Risk response plans or procedures, documentation of the prioritization criteria, and records of risk responses being implemented and modified.
Category: ID.RM Risk Management Strategy
ID.RM-1
NIST: Risk management processes are established, managed and agreed to by organizational stakeholders.
Implementation: Validate that formal risk management procedures exist and are documented and communicated. Verify stakeholder involvement through meeting records or documented decisions, confirm that risk management roles and responsibilities are clearly assigned and understood, and evaluate the mechanisms used to monitor and review the risk management process.
Expected results: Risk management policy and procedure documents, meeting minutes showing stakeholder engagement, documentation of risk management roles and responsibilities, and records of periodic reviews and updates to the process.

ID.RM-2
NIST: Organizational risk tolerance is determined and clearly expressed.
Implementation: Check for a formal statement or policy defining the organization's risk tolerance, confirm that it is communicated to and understood by those making risk-related decisions, and review decision records that reference it.
Expected results: Official documentation of the organization's risk tolerance, evidence that it has been communicated (emails, training materials), and decision records showing risk tolerance as a factor.
Category: ID.SC Supply Chain Risk Management
ID.SC-1
NIST: Cyber supply chain risk management processes are identified, established, assessed, managed and agreed to by organizational stakeholders.
Implementation: Verify that cyber supply chain risk management (C-SCRM) processes are documented and implemented, that stakeholders have agreed to and understand them, and that stakeholders take part in developing and maintaining them; review the mechanisms used to assess and manage supply chain risk.
Expected results: C-SCRM policies and procedures, records of stakeholder agreement and involvement (meeting minutes or signed acknowledgements), and supply chain risk assessment documentation.

ID.SC-2
NIST: Suppliers and third-party partners of information systems, components and services are identified, prioritized and assessed using a cyber supply chain risk assessment process.
Implementation: Confirm that there is a complete list of suppliers and third-party partners and the services or components each provides, that a documented risk assessment process is applied to them, and that suppliers are prioritized by the criticality of what they provide to the organization.
Expected results: The supplier and third-party inventory, cyber supply chain risk assessment reports, and documentation showing how suppliers are prioritized according to assessed risk.

ID.SC-3
NIST: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of the organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.
Implementation: Examine contracts for cybersecurity requirements consistent with the organization's cybersecurity program, for clauses that address C-SCRM objectives (for example incident notification, right to audit, secure development and vulnerability handling), and for service level agreements (SLAs) that state cybersecurity expectations.
Expected results: Contracts containing cybersecurity clauses, SLAs specifying cybersecurity requirements, and a C-SCRM plan that sets out the contractual measures to be applied.

ID.SC-4
NIST: Suppliers and third-party partners are routinely assessed using audits, test results or other forms of evaluation to confirm they are meeting their contractual obligations.
Implementation: Verify that suppliers and third-party partners are assessed regularly against their contractual obligations, review the methods and frequency of these assessments, and confirm that there is a process for addressing the issues or gaps they identify.
Expected results: Audit reports, test results or evaluation documents for suppliers and third-party partners, the schedule and procedures for regular assessments, and records of follow-up actions on identified issues.

ID.SC-5
NIST: Response and recovery planning and testing are conducted with suppliers and third-party providers.
Implementation: Evaluate how suppliers and third-party providers are integrated into the organization's incident response and recovery plans, review test plans and records to confirm that they take part, and assess the effectiveness of the plans from the testing documentation.
Expected results: Incident response and recovery plans that define roles and responsibilities for suppliers and third parties, test plans and records involving them, and after-action reports or improvement plans resulting from joint testing.