Our infrastructure is hardened in strict accordance with the NIST Cybersecurity Framework.
Radical transparency about how we protect your most critical data.
At LegallyMail, we align our security controls with the NIST Cybersecurity Framework (CSF), the international gold standard for cyber risk management. Our commitment is to protect the confidentiality, integrity, and availability of your certified communications.
Breakdown by NIST Cybersecurity Framework function
Detailed transparency about our active security controls
Physical devices and systems within the organization are inventoried
Software platforms and applications are inventoried
Organizational communication and data flows are mapped
External information systems are catalogued
Resources are prioritized based on their classification, criticality, and business value
Cybersecurity roles and responsibilities are established
The organization's role in the supply chain is identified and communicated
The organization's place in critical infrastructure is identified
Priorities for organizational mission, objectives, and activities are established
Dependencies and critical functions are established
Resilience requirements to support delivery of critical services are established
Organizational cybersecurity policy is established and communicated
Cybersecurity roles and responsibilities are coordinated and aligned
Legal and regulatory requirements are understood and managed
Governance and risk management processes address cybersecurity risks
Asset vulnerabilities are identified and documented
Cyber threat intelligence is received from information sharing forums
Threats, both internal and external, are identified and documented
Potential business impacts and likelihoods are identified
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Risk responses are identified and prioritized
Risk management processes are established, managed, and agreed to
Organizational risk tolerance is determined and clearly expressed
The organization's determination of risk tolerance is informed by its role
Identities and credentials are issued, managed, verified, revoked, and audited
Physical access to assets is managed and protected
Remote access is managed
Access permissions and authorizations are managed
Network integrity is protected (e.g., network segregation)
Identities are proofed and bound to credentials
Users, devices, and assets are authenticated
All users are informed and trained on cybersecurity awareness
Privileged users understand their roles and responsibilities
Third-party stakeholders understand their roles and responsibilities
Senior executives understand their roles and responsibilities
Physical and cybersecurity personnel understand their roles
Data-at-rest is protected
Data-in-transit is protected
Assets are formally managed throughout removal, transfers, and disposition
Adequate capacity to ensure availability is maintained
Protections against data leaks are implemented
Integrity checking mechanisms verify software and information integrity
Development and testing environment(s) are separate from production
Integrity checking mechanisms verify hardware integrity
A baseline configuration of systems is created and maintained
A System Development Life Cycle to manage systems is implemented
Configuration change control processes are in place
Backups of information are conducted, maintained, and tested
Policy and regulations regarding the physical operating environment
Data is destroyed according to policy
Protection processes are improved
Effectiveness of protection technologies is shared
Response and recovery plans are in place and managed
Response and recovery plans are tested
Cybersecurity is included in human resources practices
A vulnerability management plan is developed and implemented
Maintenance and repair of assets are performed and logged
Remote maintenance of assets is approved, logged, and performed
Audit/log records are determined, documented, implemented, and reviewed
Removable media is protected and its use restricted
The principle of least functionality is incorporated
Communications and control networks are protected
Mechanisms are implemented to achieve resilience requirements
A baseline of network operations and expected data flows is established
Detected events are analyzed to understand attack targets and methods
Event data are collected and correlated from multiple sources
Impact of events is determined
Incident alert thresholds are established
The network is monitored to detect potential cybersecurity events
The physical environment is monitored to detect cybersecurity events
Personnel activity is monitored to detect cybersecurity events
Malicious code is detected
Unauthorized mobile code is detected
External service provider activity is monitored
Monitoring for unauthorized personnel, connections, devices, and software
Vulnerability scans are performed
Roles and responsibilities for detection are well defined
Detection activities comply with all applicable requirements
Detection processes are tested
Event detection information is communicated
Detection processes are continuously improved
Response plan is executed during or after an incident
Personnel know their roles and order of operations
Incidents are reported consistent with established criteria
Information is shared consistent with response plans
Coordination with stakeholders occurs
Notifications from detection systems are investigated
The impact of the incident is understood
Forensics are performed
Incidents are categorized consistent with response plans
Processes are established to receive, analyze and respond to vulnerabilities
Incidents are contained
Incidents are mitigated
Newly identified vulnerabilities are mitigated or documented as accepted risks
Response plans incorporate lessons learned
Response strategies are updated
Recovery plan is executed during or after a cybersecurity incident
Recovery plans incorporate lessons learned
Recovery strategies are updated
Public relations are managed
Reputation is repaired after an incident
Recovery activities are communicated to stakeholders
Our security and compliance team is available to answer your questions.
Contact Security