Productivity loss: A reduction in an organization's ability to produce goods or services that generate value. Examples include system downtime, data corruption, and reduced workforce productivity.
Response costs: The resources expended while responding to an adverse event. This includes the cost of incident response activities such as forensic analysis, legal fees, and public relations efforts.
Replacement costs: The cost of replacing or repairing an affected asset. This includes the direct costs of replacing hardware or software, as well as the indirect costs of business interruption and lost productivity.
Fines and judgments: The cost of legal or regulatory fines and judgments resulting from an adverse event. This includes penalties assessed by regulatory bodies or courts of law, as well as the cost of defending against legal claims.
Reputation damage: The cost of missed opportunities or sales due to the diminished corporate image following the event. This includes the impact on brand reputation, customer loyalty, and investor confidence.
Critical Liabilities: The impact on the organization's productivity resulting from a loss of critical information.
Cost Liabilities: The cost of the asset and the cost of replacing a compromised asset.
Sensitivity Liabilities: The cost associated with the disclosure of sensitive information, which can be further divided into four categories:
Embarrassment: The disclosure exposes inappropriate behavior by the company's management.
Competitive Advantage: The loss of competitive advantage tied to the disclosure.
Legal/Regulatory: The cost associated with possible law violations.
General: Other losses tied to the sensitivity of data.
Confidentiality: Ensuring that information is accessed only by authorized personnel.
Integrity: Maintaining the accuracy and consistency of data by preventing unauthorized changes.
Availability: Ensuring that information and system resources are accessible to authorized personnel when needed.
Authentication: Verifying the identity of an entity or source of information to prevent unauthorized access.
Identifying the mission and business functions of the system.
Identifying system stakeholders and their priorities.
Determining the system's authorization boundaries.
Identifying the types of information processed, stored, and transmitted by the system.
Conducting or updating the system-level risk assessment in the context of the system's mission and business functions.
Defining and prioritizing the system security and privacy requirements.
Allocating system security and privacy requirements to the system and its environment.
Registering the system for management, accountability, coordination, and oversight purposes.
Documenting the system's characteristics.
Conducting the system security categorization and documenting the results in the security, privacy, and supply chain risk management plans in a manner consistent with the enterprise architecture and the risk management strategy.
Selecting, baselining, tailoring, and allocating controls to protect the system.
Documenting the controls in the system's security and privacy plans or equivalent documents.
Developing a continuous monitoring strategy for the system that reflects the risk management strategy.
Implementing and changing the controls in the system's security and privacy plans as needed.
Using applicable systems security and privacy engineering methodologies.
Updating plans as required to reflect the implementation.
Selecting a security control assessor (SCA) or assessment team to conduct control assessments.
Developing security assessment plans (SAPs) and providing them to the SCA or assessment team to support test events, security, privacy, and supply chain risk assessments.
Conducting control assessments using automation, previous assessment results, and engineering and operational test events to the maximum extent possible.
Documenting assessment results, findings, and recommendations in system assessment reports.
Taking remediation actions to address deficiencies in the controls implemented in the system and environment of operation.
Developing a plan of action and milestones (POA&M) detailing remediation plans for unacceptable risks in security and privacy assessment reports.
Making a risk determination that reflects the risk management strategy.
Developing an authorization package and an authorization decision document.
Approving or denying the authorization decision for the system or common controls.
Reporting all authorization decisions, significant vulnerabilities, and risks to organizational officials.
Continuing to monitor systems, controls, and testing.
Conducting control and risk assessments, impact analyses, and security reporting.
Updating risk management documents based on continued monitoring activities.
Developing and implementing a system disposal strategy if necessary.
This function helps organizations understand their cybersecurity risks and develop a risk management strategy.
Asset Management: All assets that enable the organization to achieve business purposes are identified and managed consistent with their importance to business objectives and the risk strategy.
Business Environment: The mission, objectives, stakeholders, and activities are understood and prioritized. This information is used to inform roles, responsibilities, and risk management decisions.
Governance: Policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Risk Assessment: The organization understands the cybersecurity risk to operations, assets, and individuals.
Risk Management Strategy: Priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions.
Supply Chain Risk Management: Priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has in place the processes to identify, assess and manage supply chain risks.
This function provides guidance on how to safeguard the organization's assets, including people, systems, and facilities.
Access Control: Access to assets and associated facilities is limited to authorized personnel, processes, or devices, and to authorized activities and transactions.
Awareness and Training: Personnel and partners are provided cybersecurity awareness education and are trained to perform their information security related duties and responsibilities consistent with related policies, procedures, and agreements.
Data Security: Information and records (data) are managed consistent with the risk strategy to protect the confidentiality, integrity, and availability of information.
Information Protection Processes and Procedures: Security policies, processes, and procedures are maintained and used to manage protection of information systems and assets.
Maintenance: Maintenance and repairs of control and information system components are performed consistent with policies and procedures.
Protective Technology: Technical security solutions are managed to ensure the security of systems and assets, consistent with related policies, procedures, and agreements.
This function provides guidance on how to detect cybersecurity threats and anomalies.
Anomalies and Events: Anomalous activity is detected in a timely manner and the potential impact of the activity is understood.
Security Continuous Monitoring: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
Detection Processes: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
Response Planning: Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.
Communications: Response activities are coordinated with internal and external stakeholders to include external support from law enforcement agencies when necessary.
Analysis: Event and detection analysis is conducted to ensure adequate response and support recovery activities.
Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
Improvements: Response activities continue to improve by incorporating lessons learned from current and previous detection and response events.
Communication
Coordination
Technical aspects
Communications: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, victims, and vendors. Communication plans are established to ensure that all stakeholders are informed of the restoration progress and that any issues or delays are promptly addressed. The communication plan should also include plans for media and public relations in the event of a major incident.
Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Contingency Planning
Cybersecurity Risk Assessment
Data Security
Information Protection Processes and Procedures
Maintenance
Protective Technology
Risk Management
Security Assessment
Situational Awareness
System and Communications Protection
System and Information Integrity
Incident Response
Supply Chain Risk Management
External Participation
Recovery Planning
Communications
Personnel Security
Physical Protection
Identification and Authentication
Protecting Personally Identifiable Information (PII) and complying with relevant regulations: With the increasing amount of sensitive personal data being collected by organizations, it is crucial to protect this data from unauthorized access or disclosure. DLP solutions can help ensure that PII is properly protected and that the organization is in compliance with relevant regulations such as GDPR or CCPA.
Protecting Intellectual Property (IP) critical for the organization: IP is often one of the most valuable assets for an organization, and protecting it is essential to the organization's success. DLP solutions can help identify and protect critical IP assets by monitoring and controlling their flow within the organization.
Achieving data visibility in large organizations: In large organizations, it can be difficult to keep track of all the data being generated and stored. DLP solutions can help provide visibility into data flows and help identify areas where data is at risk of being lost or stolen.
Securing the mobile workforce and enforcing security in Bring Your Own Device (BYOD) environments: With the increasing trend towards remote work and the use of personal devices for work purposes, it is essential to ensure that data is properly secured and protected in these environments. DLP solutions can help enforce security policies and monitor data flows in BYOD environments.
Securing data on remote cloud systems: With more and more organizations adopting cloud-based systems for storing and processing data, it is essential to ensure that data is properly secured and protected in these environments. DLP solutions can help monitor data flows to and from cloud systems and prevent data loss or leakage.
Data in transit: The secure transfer of sensitive data is essential to prevent data loss or leakage during transmission. This can be achieved through encryption, secure file transfer protocols, and secure communication channels.
Endpoint security: Devices with access to sensitive data must be secured to prevent unauthorized access or theft. This can be achieved through endpoint protection software, including antivirus software, host firewalls, and intrusion detection/prevention systems.
Data at rest: When data is not in use, it should be stored securely to prevent theft or unauthorized access. This can be achieved through encryption, secure storage practices, and access controls.
Data in use: Monitoring data access and enforcing proper change controls are essential to preventing data loss or leakage. This can be achieved through user behavior analytics, access controls, and data loss prevention technologies.
Data identification: Organizations must have protocols and policies in place to determine which data needs to be protected. This can be achieved through data classification, tagging, and data discovery technologies.
Leak detection: Technology must be in place to detect data leakage and suspicious data transfers. This can be achieved through data loss prevention technologies, including endpoint, network, and cloud data loss prevention.
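The two items above, identifying which data is sensitive and detecting its movement to places it should not go, are the core of a DLP content rule. The block below is an added example written for this page; it is not code from the page or from any DLP product. It scans constructed sample events for PII patterns (SSN, payment card numbers validated with the Luhn checksum so that arbitrary 16-digit strings do not trigger, and e-mail addresses), assigns a classification label, and applies an assumed egress policy: restricted data going to an external host is blocked, internal-only data going external raises an alert. The pattern set, sensitivity levels, internal-domain list and sample events are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Assumed for the example: hosts under these domains count as internal destinations.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Candidate patterns. The SSN pattern rejects invalid area/group/serial values; the
# card pattern is deliberately loose (13-16 digits, optional separators) and relies
# on the Luhn check below to discard numbers that are not card-shaped.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

# Assumed sensitivity per finding type; a record takes the highest level it contains.
SENSITIVITY = {"credit_card": 2, "ssn": 2, "email": 1}
LABELS = {0: "public", 1: "internal", 2: "restricted"}


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> dict[str, list[str]]:
    """Return matched values grouped by type; card candidates must pass Luhn."""
    hits: dict[str, list[str]] = {}
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            value = m.group(0)
            if kind == "credit_card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            hits.setdefault(kind, []).append(value)
    return hits


def classify(text: str) -> str:
    """Classification label derived from the most sensitive finding in the text."""
    level = max((SENSITIVITY[k] for k in find_sensitive(text)), default=0)
    return LABELS[level]


@dataclass
class Event:
    user: str
    channel: str      # e.g. "email", "upload"
    destination: str  # host the content is being sent to
    content: str


def is_internal(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def evaluate(event: Event) -> dict:
    """Apply the assumed egress policy to one event and return the decision."""
    label = classify(event.content)
    external = not is_internal(event.destination)
    if label == "restricted" and external:
        action = "block"   # restricted data never leaves the organization
    elif label == "internal" and external:
        action = "alert"   # internal data going external is reviewed, not stopped
    else:
        action = "allow"
    return {"user": event.user, "channel": event.channel,
            "destination": event.destination, "label": label, "action": action}


# Constructed sample events for the example; none of these values are real.
SAMPLE_EVENTS = [
    Event("alice", "email", "mail.corp.example.com",
          "Payroll: employee 123-45-6789 updated; see HR."),
    Event("bob", "upload", "files.partner-share.net",
          "Card on file 4111 1111 1111 1111, exp 12/27"),
    Event("carol", "email", "gmail.com",
          "Draft agenda for Monday, ping dave@corp.example.com with edits"),
    Event("dan", "upload", "files.partner-share.net",
          "Order ref 4111 1111 1111 1112 (not a card: fails Luhn)"),
]


def run(events=SAMPLE_EVENTS) -> list[dict]:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for decision in run():
        print(decision)
```

The Luhn check is what keeps the loose card pattern usable: a 16-digit order reference or timestamp fails the checksum about 90% of the time, which is the difference between a rule analysts act on and one they mute. In a real deployment the same classifier would feed endpoint, network and cloud enforcement points rather than a list of events.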
Insider Threats: Insider threats occur when internal users who have access to sensitive data intentionally or unintentionally compromise it. This can happen due to employees with malicious intent or careless employees who inadvertently move data outside of the organization.
External Threats: External threats are cyber attacks that target sensitive data. Attackers use techniques such as phishing, malware, or code injection to gain access to it.
Negligence: Negligence can occur when an employee loses a USB or other insecure device that contains sensitive data or leaves their device logged in and unattended, providing unauthorized access to the data.
Unsecured Networks: Unsecured networks can expose sensitive data to attacks. Hackers can intercept data transmitted over unsecured networks and steal sensitive information.
Lack of Employee Training: Employees may not be aware of the importance of protecting sensitive data or how to handle it securely. This lack of awareness can lead to unintentional data leaks or improper handling of sensitive information.
Third-party Risks: Third-party vendors who have access to your organization's data may pose a risk. These vendors may not have the same security protocols as your organization, and this can lead to data breaches.