All Episodes
GV.SC-03 - Integrating Supply Chain Risks into Broader Frameworks
GV.SC-03 integrates supply chain risk management into the organization’s broader cybersecurity and enterprise risk management (ERM) frameworks, ensuring a unified appr...

GV.SC-04 - Prioritizing Suppliers by Criticality
GV.SC-04 requires organizations to identify all suppliers and rank them based on their criticality to operations, considering factors like data sensitivity or system a...

GV.SC-05 - Setting Cybersecurity Requirements for Suppliers
GV.SC-05 establishes and prioritizes cybersecurity requirements for suppliers, embedding them into contracts and agreements to enforce consistent security standards. T...

GV.SC-06 - Conducting Due Diligence Before Supplier Partnerships
GV.SC-06 mandates thorough planning and due diligence before engaging suppliers or third parties, assessing their cybersecurity capabilities and risks. This proactive ...

GV.SC-07 - Managing Supplier Risks Throughout Relationships
GV.SC-07 ensures ongoing understanding and management of risks from suppliers and third parties throughout their relationship with the organization. This involves docu...

GV.SC-08 - Including Suppliers in Incident Response Planning
GV.SC-08 integrates key suppliers and third parties into the organization’s incident planning, response, and recovery efforts, ensuring coordinated action during cyber...

GV.SC-09 - Monitoring Supply Chain Security Practices
GV.SC-09 embeds supply chain security practices into cybersecurity and enterprise risk management, ensuring consistent oversight from acquisition to disposal of produc...

GV.SC-10 - Planning for Post-Partnership Security
GV.SC-10 ensures that supply chain risk management plans address post-relationship activities, such as terminating supplier access or managing data disposal. This invo...

ID.AM-01 - Tracking Organizational Hardware Assets
ID.AM-01 requires organizations to maintain comprehensive inventories of all hardware assets under their control, including IT, IoT, OT, and mobile devices. This ongoi...

ID.AM-02 - Managing Software and Service Inventories
ID.AM-02 focuses on maintaining detailed inventories of software, services, and systems, covering everything from commercial applications to cloud-based offerings and ...

ID.AM-03 - Mapping Network Communication Flows
ID.AM-03 involves maintaining up-to-date representations of authorized network communications and data flows, both within the organization and with external entities. ...

ID.AM-04 - Cataloging Supplier-Provided Services
ID.AM-04 requires organizations to keep inventories of supplier-provided services, such as IaaS, PaaS, SaaS, and APIs, used in their operations. This tracking ensures ...

ID.AM-05 - Prioritizing Assets by Importance
ID.AM-05 involves prioritizing assets—data, hardware, software, and services—based on their classification, criticality, resource needs, and mission impact. This proce...

ID.AM-07 - Inventorying Sensitive Data and Metadata
ID.AM-07 requires maintaining inventories of designated data types—like PII, health information, or intellectual property—along with metadata such as provenance and ow...

ID.AM-08 - Managing Assets Across Their Lifecycle
ID.AM-08 focuses on managing all assets—systems, hardware, software, services, and data—across their entire life cycles, from deployment to disposal. This includes int...

ID.RA-01 - Identifying and Recording Asset Vulnerabilities
ID.RA-01 involves identifying, validating, and documenting vulnerabilities in organizational assets, including software, hardware, and facilities. This process uses to...

ID.RA-02 - Leveraging Cyber Threat Intelligence
ID.RA-02 focuses on gathering cyber threat intelligence from forums, advisories, and reputable sources to stay informed about current and emerging threats. This intell...

ID.RA-03 - Recognizing Internal and External Threats
ID.RA-03 involves identifying and documenting threats—both internal, like insider risks, and external, like cyberattacks—that could impact the organization. This proce...

ID.RA-04 - Assessing Threat Impact and Likelihood
ID.RA-04 requires assessing and documenting the likelihood and potential impacts of threats exploiting identified vulnerabilities, such as data breaches or system fail...

ID.RA-05 - Understanding Inherent Cybersecurity Risks
ID.RA-05 uses data on threats, vulnerabilities, likelihoods, and impacts to assess inherent risk—the risk before controls are applied—and prioritize responses. This in...

ID.RA-06 - Prioritizing Risk Response Strategies
ID.RA-06 involves selecting, prioritizing, and planning risk responses—such as mitigation, acceptance, or transfer—based on assessed risks, then tracking and sharing p...

ID.RA-07 - Managing Changes and Exceptions in Risk
ID.RA-07 focuses on managing changes to systems or processes and exceptions to policies, assessing their risk impacts, and documenting them for oversight. This include...

ID.RA-08 - Handling Vulnerability Disclosures
ID.RA-08 establishes processes for handling vulnerability disclosures from suppliers, customers, or government sources, ensuring timely analysis and response. This inc...

ID.RA-09 - Verifying Hardware and Software Integrity
ID.RA-09 requires assessing the authenticity and integrity of hardware and software before purchase or deployment, ensuring they are free from tampering or vulnerabili...

ID.RA-10 - Assessing Critical Suppliers Before Acquisition
ID.RA-10 involves conducting risk assessments of critical suppliers before engaging them, evaluating their cybersecurity practices and supply chain risks. This ensures...

ID.IM-01 - Learning from Cybersecurity Evaluations
ID.IM-01 focuses on identifying improvements to cybersecurity risk management through evaluations, such as self-assessments or third-party audits. These reviews consid...

ID.IM-02 - Improving Through Security Tests and Exercises
ID.IM-02 identifies improvements from security tests and exercises, like penetration testing or incident response simulations, often involving suppliers and third part...

ID.IM-03 - Enhancing Processes from Operational Insights
ID.IM-03 seeks improvements from the day-to-day execution of cybersecurity processes, procedures, and activities, capturing lessons learned in real-world operations. T...

ID.IM-04 - Strengthening Incident Response Plans
ID.IM-04 involves establishing, sharing, and maintaining cybersecurity plans—like incident response or disaster recovery—that impact operations, with a focus on contin...

PR.AA-01 - Managing Identities and Credentials
PR.AA-01 focuses on the management of identities and credentials for all authorized entities—users, services, and hardware—within the organization’s control. This invo...
