All Episodes

Displaying 61 - 90 of 114 in total

ID.RA-08 - Handling Vulnerability Disclosures

ID.RA-08 establishes processes for handling vulnerability disclosures from suppliers, customers, or government sources, ensuring timely analysis and response. This inc...

ID.RA-07 - Managing Changes and Exceptions in Risk

ID.RA-07 focuses on managing changes to systems or processes and exceptions to policies, assessing their risk impacts, and documenting them for oversight. This include...

ID.RA-06 - Prioritizing Risk Response Strategies

ID.RA-06 involves selecting, prioritizing, and planning risk responses—such as mitigation, acceptance, or transfer—based on assessed risks, then tracking and sharing p...

ID.RA-05 - Understanding Inherent Cybersecurity Risks

ID.RA-05 uses data on threats, vulnerabilities, likelihoods, and impacts to assess inherent risk—the risk before controls are applied—and prioritize responses. This in...

ID.RA-04 - Assessing Threat Impact and Likelihood

ID.RA-04 requires assessing and documenting the likelihood and potential impacts of threats exploiting identified vulnerabilities, such as data breaches or system fail...

ID.RA-03 - Recognizing Internal and External Threats

ID.RA-03 involves identifying and documenting threats—both internal, like insider risks, and external, like cyberattacks—that could impact the organization. This proce...

ID.RA-02 - Leveraging Cyber Threat Intelligence

ID.RA-02 focuses on gathering cyber threat intelligence from forums, advisories, and reputable sources to stay informed about current and emerging threats. This intell...

ID.RA-01 - Identifying and Recording Asset Vulnerabilities

ID.RA-01 involves identifying, validating, and documenting vulnerabilities in organizational assets, including software, hardware, and facilities. This process uses to...

ID.AM-08 - Managing Assets Across Their Lifecycle

ID.AM-08 focuses on managing all assets—systems, hardware, software, services, and data—across their entire life cycles, from deployment to disposal. This includes int...

ID.AM-07 - Inventorying Sensitive Data and Metadata

ID.AM-07 requires maintaining inventories of designated data types—like PII, health information, or intellectual property—along with metadata such as provenance and ow...

ID.AM-05 - Prioritizing Assets by Importance

ID.AM-05 involves prioritizing assets—data, hardware, software, and services—based on their classification, criticality, resource needs, and mission impact. This proce...

ID.AM-04 - Cataloging Supplier-Provided Services

ID.AM-04 requires organizations to keep inventories of supplier-provided services, such as IaaS, PaaS, SaaS, and APIs, used in their operations. This tracking ensures ...

ID.AM-03 - Mapping Network Communication Flows

ID.AM-03 involves maintaining up-to-date representations of authorized network communications and data flows, both within the organization and with external entities. ...

ID.AM-02 - Managing Software and Service Inventories

ID.AM-02 focuses on maintaining detailed inventories of software, services, and systems, covering everything from commercial applications to cloud-based offerings and ...

ID.AM-01 - Tracking Organizational Hardware Assets

ID.AM-01 requires organizations to maintain comprehensive inventories of all hardware assets under their control, including IT, IoT, OT, and mobile devices. This ongoi...

GV.SC-10 - Planning for Post-Partnership Security

GV.SC-10 ensures that supply chain risk management plans address post-relationship activities, such as terminating supplier access or managing data disposal. This invo...

GV.SC-09 - Monitoring Supply Chain Security Practices

GV.SC-09 embeds supply chain security practices into cybersecurity and enterprise risk management, ensuring consistent oversight from acquisition to disposal of produc...

GV.SC-08 - Including Suppliers in Incident Response Planning

GV.SC-08 integrates key suppliers and third parties into the organization’s incident planning, response, and recovery efforts, ensuring coordinated action during cyber...

GV.SC-07 - Managing Supplier Risks Throughout Relationships

GV.SC-07 ensures ongoing understanding and management of risks from suppliers and third parties throughout their relationship with the organization. This involves docu...

GV.SC-06 - Conducting Due Diligence Before Supplier Partnerships

GV.SC-06 mandates thorough planning and due diligence before engaging suppliers or third parties, assessing their cybersecurity capabilities and risks. This proactive ...

GV.SC-05 - Setting Cybersecurity Requirements for Suppliers

GV.SC-05 establishes and prioritizes cybersecurity requirements for suppliers, embedding them into contracts and agreements to enforce consistent security standards. T...

GV.SC-04 - Prioritizing Suppliers by Criticality

GV.SC-04 requires organizations to identify all suppliers and rank them based on their criticality to operations, considering factors like data sensitivity or system a...

GV.SC-03 - Integrating Supply Chain Risks into Broader Frameworks

GV.SC-03 integrates supply chain risk management into the organization’s broader cybersecurity and enterprise risk management (ERM) frameworks, ensuring a unified appr...

GV.SC-02 - Defining Cybersecurity Roles in the Supply Chain

GV.SC-02 emphasizes defining and sharing cybersecurity roles and responsibilities for all parties in the supply chain—suppliers, customers, and partners—as well as wit...

GV.SC-01 - Building a Supply Chain Risk Management Program

GV.SC-01 focuses on creating a structured cybersecurity supply chain risk management program that includes a clear strategy, objectives, policies, and processes, all e...

GV.OV-03 - Evaluating Cybersecurity Performance

GV.OV-03 emphasizes measuring and reviewing the organization’s cybersecurity risk management performance using indicators like KPIs and KRIs. This evaluation identifie...

GV.OV-02 - Adjusting Strategies for Comprehensive Risk Coverage

GV.OV-02 involves periodic reviews of the cybersecurity risk management strategy to confirm it addresses all organizational requirements and emerging risks. This inclu...

GV.OV-01 - Reviewing Cybersecurity Strategy Outcomes

GV.OV-01 focuses on evaluating the outcomes of the cybersecurity risk management strategy to refine its direction and effectiveness. This involves measuring how well t...

GV.PO-02 - Keeping Cybersecurity Policies Current

GV.PO-02 ensures that the cybersecurity risk management policy remains dynamic, undergoing regular reviews to adapt to evolving threats, technologies, legal requiremen...

GV.PO-01 - Establishing a Cybersecurity Risk Management Policy

GV.PO-01 involves creating a formal cybersecurity risk management policy that reflects the organization’s unique context, strategy, and priorities. This policy outline...
