Information Security Management

Purpose

Describe the steps required to establish a cybersecurity framework for understanding, assessing, prioritizing, and communicating the organization's cybersecurity efforts.

References

CSF Functions

Govern (GV)

The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

Organizational Context (GV.OC)

The circumstances — mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements — surrounding the organization’s cybersecurity risk management decisions are understood.

  1. Share the organization’s mission (e.g., through vision and mission statements, marketing, and service strategies) to provide a basis for identifying risks that may impede that mission.
  2. Identify relevant internal/external stakeholders and their cybersecurity-related expectations.
  3. Determine a process to track and manage legal and regulatory requirements regarding protection of individuals’ information (e.g., General Data Protection Regulation).
  4. Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated.
  5. Outcomes, capabilities, and services that the organization depends on are understood and communicated. Create an inventory of the organization’s dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions.

Risk management (GV.RM)

Risk management objectives are established and agreed to by organizational stakeholders.

  1. Translate risk appetite statements into specific, measurable, and broadly understandable risk tolerance statements.
  2. Specify criteria for accepting and avoiding cybersecurity risk for various classifications of data.

Roles, Responsibilities, and Authorities (GV.RR)

Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated.

  1. Leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization’s cybersecurity strategy.
  2. Document risk management roles and responsibilities in policy.

Cybersecurity Supply Chain Risk Management (GV.SC)

Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders.

  1. Assess the suitability of the technology and cybersecurity capabilities and the risk management practices of prospective suppliers.

Policy (GV.PO)

Organizational cybersecurity policy is established, communicated, and enforced.

  1. Create, disseminate, and maintain an understandable, usable risk management policy with statements of management intent, expectations, and direction.

Identify (ID)

The organization’s current cybersecurity risks are understood.

  • Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, internal/external services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
  • Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization.

    1. Vulnerabilities in assets are identified, validated, and recorded.
    2. Processes for receiving, analyzing, and responding to vulnerability disclosures are established.

  • Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions.

Protect (PR)

Safeguards to manage the organization’s cybersecurity risks are used.

  • Identity Management, Authentication, and Access Control (PR.AA):

    Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access. Document what information employees should have access to, and what they actually do have access to.

    1. Identities and credentials for authorized users, services, and hardware are managed by the organization.
    2. Require multifactor authentication.
    3. Restrict sensitive information access to only those employees who need it to do their jobs.
    4. Require multi-factor authentication on all accounts that offer it, and consider using password managers to help you and your staff generate and protect strong passwords. (PR.AA-03)
    5. Change default manufacturer passwords. (PR.AA-01)
    6. Regularly update and patch software and operating systems. Enable automatic updates to help you remember. (PR.PS-02)
    7. Regularly back up your data and test your backups. (PR.DS-11)
    8. Configure your tablets and laptops to enable full-disk encryption to protect data. (PR.DS-01)
  • Data Security (PR.DS): Data are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.
    1. The confidentiality, integrity, and availability of data-at-rest are protected.
    2. Backups of data are created, protected, maintained, and tested.
  • Awareness and Training (PR.AT):
    1. Assess the timeliness, quality, and frequency of your company’s cybersecurity training for employees. (PR.AT-01/02)
    2. Communicate to your staff how to recognize common attacks, report attacks or suspicious activity, and perform basic cyber hygiene tasks. (PR.AT-01/02)
  • Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization’s risk strategy to protect their confidentiality, integrity, and availability.
    1. Software is maintained, replaced, and removed commensurate with risk.

Detect (DE)

Possible cybersecurity attacks and compromises are found and analyzed.

  • Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events.

    1. The physical environment is monitored to find potentially adverse events.
    2. Assess your computing technologies and external services for deviations from expected or typical behavior. (DE.CM-06/09)

  • Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents.

Respond (RS)

Actions regarding a detected cybersecurity incident are taken.

  • Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities.
  • Incident reports are triaged and validated. (RS.MA-02)
  • Assess the incident to determine its severity, what happened, and its root cause. (RS.AN-03, RS.MA-03)
  • Activities are performed to prevent expansion of an event and mitigate its effects. (RS.MI)
  • Communicate a confirmed cybersecurity incident with all internal and external stakeholders (e.g., customers, business partners, law enforcement agencies, regulatory bodies) as required by laws, regulations, contracts, or policies. (RS.CO-02/03)

Recover (RC)

Assets and operations affected by a cybersecurity incident are restored.

  • Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents.
    1. Identify who within and outside your business has recovery responsibilities. (RC.RP-01)
    2. Assess the integrity of your backed-up data and assets before using them for restoration. (RC.RP-03)
    3. Assess what happened by preparing an after-action report, on your own or in consultation with a vendor/partner, that documents the incident, the response and recovery actions taken, and lessons learned. (RC.RP-06)

CSF Controls

AC Access Control
AT Awareness and Training
AU Audit and Accountability
CA Assessment, Authorization, and Monitoring
CM Configuration Management
CP Contingency Planning
IA Identification and Authentication
IR Incident Response
MA Maintenance
MP Media Protection
PE Physical and Environmental Protection
PL Planning
PM Program Management
PS Personnel Security
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
SA System and Services Acquisition
SC System and Communications Protection
SI System and Information Integrity
SR Supply Chain Risk Management

Policies

Standards

Created: 2025-12-23 Tue 09:34