
NIST CHECKLIST

This checklist maps the Identify function of the NIST Cybersecurity Framework (CSF) v1.1 to audit steps. For each subcategory it records three things: the outcome the framework specifies, the implementation check an assessor performs, and the evidence (expected results) that should exist if the control is actually in place. Six categories are covered: Asset Management (ID.AM), Business Environment (ID.BE), Governance (ID.GV), Risk Assessment (ID.RA), Risk Management Strategy (ID.RM), and Supply Chain Risk Management (ID.SC). The framework itself writes subcategory identifiers with a hyphen (ID.AM-1); this checklist writes them with a dot (ID.AM.1). The presence of ID.SC identifies the version as CSF v1.1: that category did not exist in v1.0 and was folded into the Govern function (GV.SC) in CSF 2.0.







Identify / ID.AM: Asset Management

ID.AM.1
  Function specified by NIST: The organization inventories its physical devices and systems.
  Implementation of function: Ensure that the organization has established an inventory covering all physical devices and systems and updates it consistently so that it reflects changes in the infrastructure.
  Expected results: Inventory records of physical devices and systems, together with documented procedures for maintaining and updating the inventory.

ID.AM.2
  Function specified by NIST: The organization maintains an inventory of the software platforms and applications in use.
  Implementation of function: Check that the organization has established and maintains a record of all software platforms and applications, and that the record is refreshed whenever software assets change.
  Expected results: Inventory records of software platforms and applications, together with documented procedures for maintaining and updating the software inventory.

ID.AM.3
  Function specified by NIST: Communication pathways and data flows within the organization are mapped.
  Implementation of function: Confirm that the organization has mapped its communication and data flows so that it understands how information is transmitted and stored, and that these maps are regularly reviewed and updated.
  Expected results: Communication and data-flow diagrams, accompanied by an outline of the mapping and update process.

ID.AM.4
  Function specified by NIST: External information systems are inventoried.
  Implementation of function: Check that the organization has catalogued all external information systems that interact with its network or data, and that the catalogue is updated as those external systems change.
  Expected results: An inventory of external information systems, with documentation of the procedure for cataloguing and updating them.

ID.AM.5
  Function specified by NIST: Resources such as hardware, devices, data, time, personnel, and software are prioritized according to their classification, criticality, and business value.
  Implementation of function: Ensure that the organization categorizes its resources by classification, criticality, and business value and has established criteria for prioritizing them.
  Expected results: Documentation of resource categorization and prioritization, including the criteria used for prioritization.

ID.AM.6
  Function specified by NIST: Cybersecurity roles and responsibilities are defined for the entire workforce and for external stakeholders, including suppliers, customers, and partners.
  Implementation of function: Ensure that cybersecurity roles and responsibilities have been defined for all employees and third-party stakeholders, and that they are documented and communicated.
  Expected results: Documentation of cybersecurity roles and responsibilities, kept together with communication records and training records for those roles.

www.infosectrain.com | sales@infosectrain.com

Identify / ID.BE: Business Environment

ID.BE.1
  Function specified by NIST: The organization has identified and communicated its role in the supply chain.
  Implementation of function: Verify that the organization has identified its position in the supply chain and has communicated that role internally and to relevant stakeholders.
  Expected results: Documentation of the organization's position in the supply chain, with records of communications about these supply chain roles.

ID.BE.2
  Function specified by NIST: The organization has identified and communicated its place in critical infrastructure and its industry sector.
  Implementation of function: Confirm that the organization has identified its role in critical infrastructure and its industry sector and has communicated this internally and to relevant parties.
  Expected results: Documentation of the organization's placement in critical infrastructure and industry sectors, with records of communications about that positioning.

ID.BE.3
  Function specified by NIST: Priorities for the organization's mission, objectives, and activities are established and communicated.
  Implementation of function: Confirm that the organization has set, documented, and communicated its priorities for its mission, objectives, and activities to relevant personnel and stakeholders.
  Expected results: Documentation of the priorities for the organization's mission, objectives, and activities, with records of communications about these priorities.

ID.BE.4
  Function specified by NIST: Dependencies and critical functions for delivery of critical services are established.
  Implementation of function: Ensure that the organization has identified, documented, and regularly reviews the dependencies and essential functions needed to deliver its critical services.
  Expected results: Documentation listing dependencies and essential functions, with records of regular reviews and updates.

ID.BE.5
  Function specified by NIST: Resilience requirements to support delivery of critical services are established for all operating states (for example under stress or attack, during recovery, and in normal operations).
  Implementation of function: Ensure that resilience requirements for critical services across these operating states have been established, documented, and integrated into the organization's processes and procedures.
  Expected results: Documented resilience requirements for critical services in each operating state, integrated into the relevant processes and procedures.

Identify / ID.GV: Governance

ID.GV.1
  Function specified by NIST: An organizational cybersecurity policy is established and communicated.
  Implementation of function: Confirm that a comprehensive cybersecurity policy document exists that covers roles, responsibilities, compliance, and cybersecurity measures, and that there is a documented procedure for distributing it to all employees and relevant external parties.
  Expected results: The cybersecurity policy document, distribution records, employee acknowledgment receipts, briefing minutes, training materials, and attendance records demonstrating that the policy was communicated.

ID.GV.2
  Function specified by NIST: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners.
  Implementation of function: Verify that cybersecurity roles and responsibilities within the organization are clearly defined, that coordination between internal and external roles is documented, and that these roles and responsibilities are regularly reviewed and updated.
  Expected results: Job descriptions detailing cybersecurity responsibilities, contracts or Service Level Agreements (SLAs) with third parties that define their cybersecurity roles, and records of meetings or communications about role coordination.

ID.GV.3
  Function specified by NIST: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.
  Implementation of function: Identify all applicable legal and regulatory requirements and verify compliance with them. Confirm that policies and procedures exist to manage adherence, and that training is delivered and refreshed when the laws and regulations change.
  Expected results: Compliance checklists or matrices listing the requirements, documented procedures and controls for meeting them, and training logs and materials covering the legal and regulatory requirements.

ID.GV.4
  Function specified by NIST: Governance and risk management processes address cybersecurity risks.
  Implementation of function: Assess how well risk management governance is aligned with cybersecurity risk, review the procedures for identifying and mitigating cybersecurity risks, and confirm that these risks are integrated into the organization's overall risk management approach.
  Expected results: Risk management policies and procedures, risk assessment reports, risk treatment plans, and meeting minutes or reports demonstrating that cybersecurity risk is incorporated into the enterprise risk management framework.

Identify / ID.RA: Risk Assessment

ID.RA.1
  Function specified by NIST: Asset vulnerabilities are identified and documented.
  Implementation of function: Verify that an asset inventory exists, that vulnerability scans are performed regularly, and that identified vulnerabilities are documented and evaluated.
  Expected results: A comprehensive asset inventory, vulnerability scan reports, and documented assessments of the identified vulnerabilities.

ID.RA.2
  Function specified by NIST: Cyber threat intelligence is received from information-sharing forums and other sources.
  Implementation of function: Evaluate the organization's participation in threat intelligence-sharing platforms, examine the procedure for receiving and distributing threat intelligence, and assess how that intelligence influences security practices.
  Expected results: Evidence of membership in information-sharing forums, records of threat intelligence received, and documented use of that intelligence in the organization's cybersecurity strategy.

ID.RA.3
  Function specified by NIST: Threats, both internal and external, are identified and documented.
  Implementation of function: Confirm that a threat identification methodology exists, review the records of identified threats, and ensure that both internal and external threats are considered.
  Expected results: Threat assessment reports or logs, documentation of the threat identification process, and records of identified internal and external threats.

ID.RA.4
  Function specified by NIST: Potential business impacts and their likelihoods are identified.
  Implementation of function: Verify that a procedure exists for assessing the potential impact of threats, that the likelihood of each threat is evaluated, and that these assessments feed into the overall risk management strategy.
  Expected results: Business impact analysis reports, documented likelihood assessments, and risk analysis reports that combine impact and likelihood.

ID.RA.5
  Function specified by NIST: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.
  Implementation of function: Evaluate how threat, vulnerability, impact, and likelihood data are incorporated into the risk assessment procedure, ensure that comprehensive risk assessments integrating these elements have been completed, and review how the results are kept current in the risk documentation.
  Expected results: Comprehensive risk assessment reports, risk matrices or dashboards showing how these elements are combined, and change logs or updates showing how the risk assessments have evolved over time.

ID.RA.6
  Function specified by NIST: Risk responses are identified and prioritized.
  Implementation of function: Confirm that risk responses are documented, examine the criteria used to prioritize them, and ensure that the risk response process adapts to changes in the risk environment.
  Expected results: Risk response plans or procedures, documentation of how risk responses are prioritized, and records showing that responses were implemented and modified as needed.

Identify / ID.RM: Risk Management Strategy

ID.RM.1
  Function specified by NIST: Risk management processes are established, managed, and agreed to by organizational stakeholders.
  Implementation of function:
    - Validate that formal procedures for managing risk are established within the organization.
    - Examine the documentation to ensure the risk management process is well defined and widely communicated.
    - Verify stakeholder involvement in risk management through meeting records or documented decisions.
    - Confirm that roles and responsibilities for risk management are clearly assigned and understood.
    - Evaluate the mechanisms used to monitor and review the ongoing risk management process.
  Expected results: Risk management policy and procedure documents, meeting minutes reflecting stakeholder engagement, documents outlining roles and responsibilities for risk management, and records of periodic reviews and updates to the risk management process.

ID.RM.2
  Function specified by NIST: Organizational risk tolerance is determined and clearly expressed.
  Implementation of function: Examine whether a formal statement or policy defines the organization's risk tolerance, confirm that these levels are communicated to and understood by those involved in risk-related decisions, and review records that reference risk tolerance in decision processes.
  Expected results: Official documentation of the organization's risk tolerance, supporting evidence that it has been communicated (for example emails or training materials), and decision records showing that risk tolerance was a factor.

Note that CSF v1.1 also defines a third subcategory, ID.RM-3 (the organization's determination of risk tolerance is informed by its role in critical infrastructure and sector-specific risk analysis), which this checklist does not cover.

Identify / ID.SC: Supply Chain Risk Management

ID.SC.1
  Function specified by NIST: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders.
  Implementation of function: Ensure that cyber supply chain risk management (C-SCRM) processes are documented and implemented, confirm stakeholder consensus and understanding, review the mechanisms for assessing and managing supply chain risk, and verify that stakeholders are engaged in developing and maintaining the C-SCRM processes.
  Expected results: C-SCRM policies and procedures, records demonstrating stakeholder agreement and involvement (for example meeting minutes or signed acknowledgments), and supply chain risk assessment documentation.

ID.SC.2
  Function specified by NIST: Suppliers and third-party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process.
  Implementation of function: Confirm that a complete list of suppliers and third-party partners and the services or components they provide exists, that a documented risk assessment process covers these entities, and that suppliers are prioritized by the criticality of their service or component to the organization.
  Expected results: The inventory of suppliers and third-party partners, cyber supply chain risk assessment reports, and documented evidence of supplier prioritization according to assessed risk.

ID.SC.3
  Function specified by NIST: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of the organization's cybersecurity program and Cyber Supply Chain Risk Management Plan.
  Implementation of function: Examine contracts to verify that they include cybersecurity requirements consistent with the organization's cybersecurity program, that clauses state the C-SCRM objectives, and that service level agreements (SLAs) articulate cybersecurity expectations.
  Expected results: Copies of contracts containing cybersecurity clauses, SLAs specifying cybersecurity requirements, and a C-SCRM plan setting out the contractual measures to be implemented.

ID.SC.4
  Function specified by NIST: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluation to confirm they are meeting their contractual obligations.
  Implementation of function: Ensure that suppliers and third-party partners are assessed regularly against their contractual obligations, review the methods and frequency of these evaluations, and verify that a process exists to address identified issues or gaps.
  Expected results: Audit reports, test results, or evaluation documents for suppliers and third-party partners, schedules and procedures for the regular assessments, and records of the actions taken when issues were identified.

ID.SC.5
  Function specified by NIST: Response and recovery planning and testing are conducted with suppliers and third-party providers.
  Implementation of function: Evaluate how suppliers and third-party providers are integrated into the organization's incident response and recovery plans, review test plans and records to confirm they are included, and assess the effectiveness of the response and recovery plans from the testing documentation.
  Expected results: Incident response and recovery plans that define roles and responsibilities for suppliers and third parties, test plans and records involving those entities, and after-action reports or improvement plans resulting from joint response and recovery testing.
