Cyber Security - Identify

Question 1

ID.AM-1

Answer 1

Physical devices and systems within the organization are inventoried

Question 2

ID.AM-2

Answer 2

Software platforms and applications within the organization are inventoried

Question 3

ID.AM-3

Answer 3

Organizational communication and data flows are mapped

Question 4

ID.AM-4

Answer 4

External information systems are catalogued

Question 5

ID.AM-5

Answer 5

Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value

Question 6

ID.AM-6

Answer 6

Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established

Question 7

ID.BE-1

Answer 7

The organization’s role in the supply chain is identified and communicated

Question 8

ID.BE-2

Answer 8

The organization’s place in critical infrastructure and its industry sector is identified and communicated

Question 9

ID.BE-3

Answer 9

Priorities for organizational mission, objectives, and activities are established and communicated

Question 10

ID.BE-4

Answer 10

Dependencies and critical functions for delivery of critical services are established

Question 11

ID.BE-5

Answer 11

Resilience requirements to support delivery of critical services are established

Question 12

ID.GV-1

Answer 12

Organizational information security policy is established

Question 13

ID.GV-2

Answer 13

Information security roles & responsibilities are coordinated and aligned with internal roles and external partners

Question 14

ID.GV-3

Answer 14

Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed

Question 15

ID.GV-4

Answer 15

Governance and risk management processes address cybersecurity risks

Question 16

ID.RA-1

Answer 16

Asset vulnerabilities are identified and documented

Question 17

ID.RA-2

Answer 17

Threat and vulnerability information is received from information sharing forums and sources

Question 18

ID.RA-3

Answer 18

Threats, both internal and external, are identified and documented

Question 19

ID.RA-4

Answer 19

Potential business impacts and likelihoods are identified

Question 20

ID.RA-5

Answer 20

Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Question 21

ID.RA-6

Answer 21

Risk responses are identified and prioritized

Question 22

ID.RM-1

Answer 22

Risk management processes are established, managed, and agreed to by organizational stakeholders

Question 23

ID.RM-2

Answer 23

Organizational risk tolerance is determined and clearly expressed

Question 24

ID.RM-3

Answer 24

The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis