Tags: Sophos Cyber Security tools

Links: (https://assessment.gse.sophos.com/nist/assessment)


Asset Management

Assess organizational assets, such as data, personnel, devices, systems, and facilities, to determine if they are managed in a manner consistent with their level of importance to the cybersecurity of the organization.

1

Does your organization inventory physical devices and systems (e.g., computers, mobile devices, networked medical devices, virtual machines, etc.)?

2

Do you inventory software platforms and applications (e.g., Microsoft Windows, OS X, Linux, Amiga OS X, etc.)?

3

Are your communication and data flows documented?

4

Do you catalog externally owned or operated communication systems (e.g., computing devices, wireless networks, and cloud services)?

5

Do you prioritize resources (e.g., hardware devices, data, and software) based on their impact to cybersecurity?

6

Has your organization outlined cybersecurity roles and responsibilities for all employees and third parties (e.g., suppliers, customers, and contractors)?


Business Environment

Identify and prioritize the organization’s mission, objectives, stakeholders, and activities to inform the cybersecurity roles, responsibilities, and risk management decisions.

1

Have you identified your organization’s function in the supply chain?

2

Have you identified your position in critical infrastructure and the industry?

3

Does your organization regularly update information on its mission, objectives and activities?

4

Have you identified dependencies and critical functions for the delivery of critical services?

5

Do you have recovery requirements and protocols in place to support critical services?


Governance

Assess the organization’s policies and procedures to manage and monitor the operational, environmental, and regulatory requirements to inform and manage the organization’s cybersecurity risk.

1

Has your organization implemented security controls for Information security?

2

Do you regularly coordinate and align internal and external roles and responsibilities?

3

Does your organization abide by legal and regulatory requirements?

4

Does your organization adhere to governance and risk management processes?


Risk Assessment

Assess the organization’s cybersecurity risk as it pertains to the organizational operations, assets, and individuals.

1

Have you identified and documented asset vulnerabilities?

2

Do you receive and share threat and vulnerability information with external organizations?

3

Does your company document internal and external threats?

4

Does your organization regularly identify potential business impacts (e.g., likelihood and potential harm to the organization resulting from unauthorized access)?

5

Have you evaluated risks of threats, vulnerabilities and potential business impact?

6

Are you able to prioritize and respond to identified cybersecurity risks?


Risk Management Strategy

Assess the organization’s established priorities, constraints, risk tolerances, and assumptions, which are used to support the organization’s risk decisions.

1

Are your risk management processes approved by organizational stakeholders?

2

Have you assessed your organization’s overall risk tolerance?

3

Do processes exist to determine the acceptable level of risk for your organization’s cybersecurity threats?

Access Control

Assesses the organizational processes to limit access to assets and facilities to authorized users, devices, activities, and transactions.

1

Does your organization manage identities and credentials for authorized devices and users?

2

Does your organization manage and protect physical access to assets?

3

Does your organization manage remote access?

4

Does your organization manage access permissions (includes least privilege and separation of duties)?

5

Does your organization protect network integrity and utilize appropriate network segregation?

Awareness and Training

Assesses the adequacy of the cybersecurity awareness education and training necessary for personnel and partners to perform their information security related duties and responsibilities.

1

Are your organization’s users informed and trained regularly on cybersecurity best practices?

2

Do all privileged users in your organization understand their roles and responsibilities?

3

Do all third-party stakeholders understand their roles and responsibilities?

4

Do senior executives understand their roles and responsibilities?

5

Do physical and information security personnel understand their roles and responsibilities?


Data Security

Appropriately manage all information and records at the organization in accordance with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

1

Do you protect data at rest from unauthorized access?

2

Do you protect data in transit from interception or unauthorized recipients?

3

Do you formally manage assets during removal, transfer, and disposition?

4

Does your company ensure adequate capacity to maintain data availability?

5

Do you protect against (accidental or intentional) leaks of sensitive data?

6

Do you regularly verify software, firmware, and information integrity?

7

Do you maintain separation between the development and testing environment(s), and the production environment?


Information Protection Processes and Procedures

The organization’s security policies, processes, and procedures are maintained and adequately manage protection of information systems and assets.

1

Do you create and maintain baseline configuration of information technology and systems that control production and distribution?

2

Do you manage systems through a System Development Life Cycle?

3

Does your organization control system configuration changes?

4

Does your organization maintain and test information backup procedures?

5

Do you adhere to policies and regulations for the physical operating environment for organizational assets?

6

Does your organization destroy data in accordance with policy?

7

Does your organization continuously improve its protection processes?

8

Does your organization share the effectiveness of technology used for protection of systems and assets with all stakeholders?

9

Does your organization have a procedure in place to manage response and recovery plans?

10

Does your organization routinely test response and recovery plans?

11

Does your organization include cybersecurity elements in human resources practices?

12

Have you developed and implemented a vulnerability management plan?


Maintenance

Maintenance and repairs are performed for all industrial controls and information system components.

1

Do you use approved and controlled tools to perform and log maintenance and repairs in a timely manner?

2

Does your company approve, log, and perform all remote maintenance of organizational assets to prevent unauthorized access?


Protective Technology

The security and resilience of systems and assets are managed through the use of technology security solutions that are consistent with related policies, procedures, and agreements.

1

Does your organization create, document, implement, and review audit/log records?

2

Does your organization protect and restrict use of removable media?

3

Do you limit access to systems and assets to the minimal level necessary to maintain normal functions?

4

Do you have strategies in place to protect communications and control networks?


Anomalies and Events

Assesses the organization’s ability to detect unusual activity in a timely manner and understand potential impacts of cyber events.

1

Do you establish and manage baseline network operations and data flows for users and systems?

2

Does your organization analyze detected events to understand attack targets and methods?

3

Does your organization determine the impact of detected events?

4

Does your organization regularly establish incident alert levels?


Security Continuous Monitoring

Assesses organizational processes for routinely monitoring information systems and assets to identify cybersecurity events and continuously test the effectiveness of current preventative measures.

1

Does your organization monitor network activity to detect cybersecurity events?

2

Does your organization monitor the physical environment to detect cybersecurity events?

3

Does your organization monitor personnel activity to detect cybersecurity events?

4

Does your organization monitor for malicious code?

5

Does your organization monitor for unauthorized mobile code?

6

Do you monitor external service providers' activity to detect cybersecurity events?

7

Do you monitor access by unauthorized personnel, connections, devices, and software?

8

Does your organization monitor for system vulnerabilities by leveraging regular vulnerability scans?


Detection Processes

Assess the maintenance and testing of an organization’s detection processes and procedures to ensure timely and adequate awareness of unusual events.

1

Do you practice accountability for detection by having well-defined personnel roles and responsibilities?

2

Do you practice compliance with applicable organizational requirements for detection activities?

3

Does your organization regularly test detection processes?

4

Does your company communicate information pertaining to cyber events to the appropriate parties?

5

Does your organization continuously modify and improve detection processes used?


Response Planning

Assesses the organization’s ability to execute and maintain response processes and procedures for responding timely to detected cybersecurity events.

1

Can your organization execute a response plan during or after a detected cyber event?


Communications

Assesses the organization’s coordination of response activities with the appropriate internal and external stakeholders, including support from law enforcement agencies, as applicable.

1

Does your organization provide personnel training regarding roles and order of operations?

2

Does your organization provide reporting of events according to established criteria?

3

Does your organization share information in accordance with response plans?

4

Does your organization have a process to coordinate execution of response plans?

5

Does your organization voluntarily share information with external stakeholders to promote cybersecurity awareness?

Analysis

Conducts analyses of response processes to ensure appropriate response, and to support recovery activities.

1

Is your organization able to investigate notifications from detection systems?

2

Does your organization thoroughly understand the impact of an incident?

3

Can your organization perform forensics on discovered incidents?

4

Are you able to categorize incidents in accordance with response plans?

5

Do you have processes to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)?


Mitigation

Has processes to contain, mitigate the effects of, and eradicate a cybersecurity event.

1

Does your organization have the processes in place to contain events associated with a cybersecurity incident?

2

Is your organization able to mitigate events associated with a cybersecurity incident?

3

Does your organization mitigate or document the acceptance of risks for newly identified vulnerabilities?


Improvements

Utilizes lessons learned from detection and response activities to improve processes.

1

Does your organization incorporate lessons learned from past incidents?

2

Does your organization review past incidents regularly to improve processes associated with the changing cyber landscape?


Recovery Planning

Assesses the organizational ability to execute and maintain recovery processes and procedures to ensure timely response to detected cybersecurity events.

1

Can your organization execute a recovery plan during or after an event?


Improvements

Assesses the organization’s processes to improve recovery plans by incorporating lessons learned.

1

Does your organization incorporate lessons learned from past incidents?

2

Does your organization provide regular updates to processes to meet the needs of a changing cyber landscape?


Communications

Assesses the organization’s processes to coordinate restoration activities with internal and external parties, including coordinating centers, Internet Service Providers, cyber-attack victims, and vendors.

1

Does your organization manage public relations?

2

Does your organization have a plan in place to repair reputation in the event of an incident?

3

Can your organization effectively communicate recovery activities internally?


Organizational Context

Evaluate the specific conditions and requirements of the organization, including regulatory demands and operational environments, which shape its cybersecurity practices and objectives.

1

Is your organizational mission understood, and does it inform cybersecurity risk management by identifying risks that may impede that mission?

2

Has your organization identified the relevant internal stakeholders and their cybersecurity-related expectations (e.g., performance and risk expectations of officers, directors, and advisors; cultural expectations of employees)?

3

Has your organization aligned the organization’s cybersecurity strategy with legal, regulatory, and contractual requirements?

4

Has your organization determined the assets and business operations that are vital to achieving the organization’s mission objectives, and the potential impact of a loss (or partial loss) of such operations?

5

Has your organization created an inventory of the dependencies on external resources (e.g., facilities, cloud-based hosting providers) and their relationships to organizational assets and business functions?


Risk Management Strategy

Prioritizes and addresses cybersecurity risks based on the organization’s risk tolerance and business priorities, ensuring strategic allocation of resources for effective risk mitigation.

1

Has your organization established measurable objectives for cybersecurity risk management?

2

Has your organization determined and communicated risk appetite statements that convey expectations about the appropriate level of risk for the organization?

3

Has your organization aggregated and managed cybersecurity risks alongside other enterprise risks?

4

Has your organization created criteria for accepting and avoiding cybersecurity risk for various classifications of data?

5

Has your organization determined how to update senior executives, directors, and management on the organization’s cybersecurity posture at agreed-upon intervals?

6

Has your organization established criteria for using a quantitative approach to cybersecurity risk analysis?

7

Has your organization defined and communicated guidance for identifying opportunities and including them in risk discussions?


Roles, Responsibilities, and Authorities

Defines and communicates the duties and powers of organizational roles clearly, ensuring that all team members understand their responsibilities in maintaining cybersecurity.

1

Do your organization’s leaders (e.g., directors) agree on their roles and responsibilities in developing, implementing, and assessing the organization’s cybersecurity strategy?

2

Has your organization documented who is responsible and accountable for cybersecurity risk management activities and how those teams and individuals are to be consulted and informed?

3

Has your organization evaluated and conducted periodic management reviews to ensure that those given cybersecurity risk management responsibilities have the necessary authority?

4

Does your organization integrate cybersecurity risk management considerations into human resources processes (e.g., personnel screening, onboarding, change notification, offboarding)?


Policy

Develops and implements policies that dictate the organization’s cybersecurity governance and risk management practices, providing a framework for action and compliance.

1

Has your organization created and maintained an understandable, usable risk management policy with statements of management intent, expectations, and direction?

2

Does your organization update policy based on periodic reviews of cybersecurity risk management results to ensure that policy and procedures adequately maintain risk at an acceptable level?


Oversight

Involves continuous monitoring and reassessment of cybersecurity measures to align with the organization’s strategic goals and compliance standards.

1

Does your organization measure how well the risk management strategy and risk results have helped leaders make decisions and achieve organizational objectives?

2

Has your organization reviewed audit findings to confirm whether the existing cybersecurity strategy has ensured compliance with internal and external requirements?

3

Does your organization collect and communicate metrics on cybersecurity risk management with senior leadership?


Cybersecurity Supply Chain Risk Management

Expands the focus on securing and monitoring all external entities connected to the organization’s supply chain, emphasizing the criticality of protecting shared and integrated systems.

1

Has your organization established a strategy that expresses the objectives of the cybersecurity supply chain risk management program?

2

Has your organization identified one or more specific roles or positions that will be responsible and accountable for planning, resourcing, and executing cybersecurity supply chain risk management activities?

3

Has your organization identified areas of alignment and overlap between cybersecurity and enterprise risk management?

4

Has your organization developed criteria for supplier criticality based on the sensitivity of data processed or possessed by suppliers?

5

Has your organization established security requirements for suppliers consistent with their criticality level and potential impact if compromised?

6

Has your organization performed thorough due diligence on prospective suppliers that is consistent with procurement planning, criticality, and complexity of each supplier relationship?

7

Does your organization monitor critical suppliers to ensure that they are fulfilling their security obligations throughout the supplier relationship lifecycle?

8

Does your organization define and use rules and protocols for reporting incident response and recovery activities, and their status, between the organization and its suppliers?