FFIEC

The Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment is a framework designed to help financial institutions assess their cybersecurity risks and maturity levels. The FFIEC developed the tool to help banks, credit unions, and other financial institutions evaluate their cybersecurity posture against regulatory expectations.

Controls:

Risk Management

  • Risk Management Framework - CG.RM.1

    A formal cybersecurity strategy is established and integrated into the overall business strategy and risk management processes.

  • Risk Appetite and Tolerances - CG.RM.2

    Cybersecurity risk appetite and tolerances are defined, documented, and communicated across the organization.

  • Cybersecurity Roles and Responsibilities - CG.RM.3

    Cybersecurity roles, responsibilities, and accountability are defined and assigned across the organization.

  • Comprehensive Policies, Procedures, and Standards - CG.PP.1

    Comprehensive cybersecurity policies, procedures, and standards are developed, approved, communicated, and regularly reviewed and updated.

  • Key Cybersecurity Areas Addressed - CG.PP.2

    Policies, procedures, and standards address key cybersecurity areas including, but not limited to, access control, data security, incident response, and vendor management.

  • Board and Senior Management Oversight - CG.OA.1

    The board of directors and senior management actively oversee and are accountable for the organization’s cybersecurity risk management program.

  • Independent Review and Testing - CG.OA.2

    Independent reviews and testing of the cybersecurity program are conducted periodically.

Information Sharing

  • Internal Information Sharing - TIC.IS.1

    Threat intelligence and other relevant cybersecurity information are shared effectively across relevant internal stakeholders.

  • External Information Sharing - TIC.IS.2

    The organization participates in external information sharing forums and leverages external threat intelligence sources.

  • Threat Landscape Awareness - TIC.TA.1

    The organization maintains awareness of the current and evolving threat landscape relevant to its operations.

  • Vulnerability Management - TIC.TA.2

    A robust vulnerability management program is in place to identify, assess, and remediate vulnerabilities in a timely manner.

Security Architecture

  • Secure Design Principles - CC.SA.1

    Cybersecurity considerations are integrated into the design and implementation of systems and applications.

  • Network Segmentation - CC.SA.2

    The network is segmented to limit the impact of security incidents.

  • Least Privilege - CC.AA.1

    Access to systems, applications, and data is based on the principle of least privilege.

  • Multi-Factor Authentication - CC.AA.2

    Multi-factor authentication is implemented for privileged accounts and, where appropriate, for other accounts.

  • Physical Access Controls - CC.AA.3

    Physical access to critical facilities and data centers is appropriately controlled and monitored.

  • Remote Access Controls - CC.AA.4

    Remote access to the organization’s network and systems is secured and monitored.

  • Data Encryption at Rest - CC.SD.1

    Sensitive data at rest is encrypted.

  • Data Encryption in Transit - CC.SD.2

    Sensitive data in transit is encrypted.

  • Secure Configuration Management - CC.SD.3

    Secure configuration standards are established, implemented, and maintained for all systems and devices.

  • Patch Management - CC.SD.4

    A comprehensive patch management program is in place to ensure timely application of security patches.

  • Malware Protection - CC.SD.5

    Appropriate malware protection measures are implemented and kept up to date.

  • Data Backup and Recovery - CC.SD.6

    Regular data backups are performed and a recovery plan is in place and tested.

  • Secure Disposal of Information and Devices - CC.SD.7

    Information and devices are securely disposed of when no longer needed.

  • Logging and Monitoring of System Activity - CC.SD.8

    System activity is logged and monitored for suspicious or malicious behavior.

  • Firewalls and Intrusion Prevention Systems - CC.BD.1

    Firewalls and intrusion prevention systems are implemented and properly configured to control network traffic.

  • Email Security - CC.BD.2

    Email security measures are in place to protect against phishing and other email-borne threats.

  • Web Security - CC.BD.3

    Web security measures are implemented to protect against web-based attacks.

  • Physical Security Controls - CC.PS.1

    Physical security controls are implemented to protect IT assets and facilities from unauthorized access and environmental hazards.

Vendor Risk Management

  • Vendor Identification and Assessment - EDM.VM.1

    A process is in place to identify and assess the cybersecurity risks associated with third-party service providers.

  • Due Diligence and Background Checks - EDM.VM.2

    Appropriate due diligence and background checks are conducted on third-party service providers.

  • Contractual Requirements - EDM.VM.3

    Cybersecurity requirements are included in contracts with third-party service providers.

  • Service Level Agreements - EDM.VM.4

    Service level agreements with vendors address cybersecurity expectations and responsibilities.

  • Ongoing Monitoring of Vendors - EDM.MO.1

    The cybersecurity practices of third-party service providers are monitored on an ongoing basis.

  • Periodic Reviews and Audits - EDM.MO.2

    Periodic reviews and audits of critical third-party service providers are conducted.

  • Incident Response Coordination with Vendors - EDM.MO.3

    Processes are in place to coordinate incident response activities with third-party service providers.

Incident Management

  • Incident Response Plan Development - IRR.IM.1

    A comprehensive incident response plan is developed that includes roles, responsibilities, communication procedures, and contact information.

  • Incident Response Plan Testing - IRR.IM.2

    The incident response plan is tested regularly through various methods such as tabletop exercises and simulations.

  • Incident Identification and Analysis - IRR.IM.3

    Processes are in place to identify, analyze, and prioritize cybersecurity incidents.

  • Incident Containment and Eradication - IRR.IM.4

    Procedures are established for containing and eradicating cybersecurity incidents.

  • Incident Recovery - IRR.IM.5

    Procedures are in place for recovering from cybersecurity incidents and restoring affected systems and services.

  • Post-Incident Activities and Lessons Learned - IRR.IM.6

    Post-incident reviews are conducted to identify lessons learned and improve incident response procedures.

  • Business Continuity Plan Development - IRR.BC.1

    A comprehensive business continuity plan is developed to ensure the continuity of critical operations during disruptions.

  • Business Continuity Plan Testing - IRR.BC.2

    The business continuity plan is tested regularly to ensure its effectiveness.

  • Disaster Recovery Plan Development - IRR.BC.3

    A comprehensive disaster recovery plan is developed to ensure the recovery of IT systems and data following a significant disruption.

  • Disaster Recovery Plan Testing - IRR.BC.4

    The disaster recovery plan is tested regularly to ensure its effectiveness.

  • Communication Plan for Disruptions - IRR.BC.5

    A communication plan is in place to inform stakeholders during and after a business disruption or cybersecurity incident.