The organization's risk context, including mission, mission priorities, stakeholders, objectives, and direction, is understood (formerly ID.BE)
Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions
GV.OC-01:
The organizational mission is understood to prioritize cybersecurity risk management (formerly ID.BE-2 and ID.BE-3)
Introduction:
In today's interconnected environment, eXpress badging recognizes the critical importance of understanding our organizational context to effectively manage cybersecurity risks. This document outlines our mission, objectives, stakeholder considerations, and strategic direction, providing a foundation for informed cybersecurity risk management decisions.
Purpose:
The purpose of this document is to establish a comprehensive understanding of eXpress badging's organizational context, aligning with the NIST CSF 2.0's Govern function. This understanding ensures that cybersecurity risk management efforts are integrated with our organizational objectives and stakeholder expectations.
Organizational Mission and Objectives:
- Mission: To provide secure and efficient photo ID issuance solutions for healthcare, business, government, and education sectors, ensuring the protection of sensitive information and compliance with relevant regulations.
- Objectives:
  - Deliver high-quality, secure ID badging services that meet client requirements.
  - Maintain compliance with industry standards and regulatory requirements.
  - Continuously improve our services through innovation and feedback.
  - Foster a culture of security awareness and responsibility among all employees.
Scope:
This mission applies to all individuals, systems, applications, and networks within eXpress badging. It encompasses all departments, functions, subsidiaries, contractors, and partners accessing our information assets.
Definitions:
- Cybersecurity: The practice of protecting information systems, networks, and digital assets from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Risk: The potential for an unwanted outcome or negative impact resulting from exploiting vulnerabilities, threats, or uncertainties.
- Risk Management: Identifying, assessing, prioritizing, and mitigating risks to minimize potential organizational harm.
- NIST CSF: The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides a comprehensive set of guidelines, best practices, and standards for managing cybersecurity risks.
Policy Statement:
eXpress badging is committed to prioritizing cybersecurity risk management to protect our critical assets and maintain the trust of our stakeholders. We will align our practices with the NIST CSF ID.BE-2 and ID.BE-3 guidelines and continuously improve our risk management capabilities to address evolving threats. Our mission is to proactively identify, assess, prioritize, and mitigate cybersecurity risks throughout our organization.
Roles and Responsibilities:
- Senior Leadership: Provide leadership, resources, and support for effective cybersecurity risk management.
- Information Security Team: Develop and implement risk management strategies, assess vulnerabilities, and deploy security controls.
- Employees and Contractors: Comply with cybersecurity policies, report security incidents, and actively participate in security awareness programs.
- Establish a dedicated information security team responsible for managing cybersecurity risks.
- Conduct comprehensive risk assessments to identify and prioritize risks.
- Develop risk mitigation plans and allocate appropriate resources for their implementation.
- Deploy necessary security controls and safeguards to minimize identified risks.
- Implement an ongoing monitoring program to detect and respond to emerging threats.
- Provide regular training and awareness programs to educate employees and contractors about cybersecurity best practices.
- Establish incident response and recovery procedures to minimize the impact of cybersecurity incidents.
- Continuously evaluate and improve our risk management practices based on industry standards and lessons learned.
Compliance and Enforcement:
Non-compliance with this mission may result in disciplinary action, including, but not limited to, termination of employment, contract termination, and legal action, as appropriate.
Review and Revision:
This mission statement will be reviewed annually or as needed to ensure its relevance, effectiveness, and alignment with industry best practices and regulatory requirements. Revisions will be made with the approval of [Senior Leadership/Designated Authority].
References:
a) NIST Cybersecurity Framework (CSF): https://www.nist.gov/cyberframework
By adopting this organizational mission for understanding and prioritizing cybersecurity risk management, eXpress badging is committed to protecting our valuable assets, maintaining the confidentiality, integrity, and availability of information, and fostering a resilient cybersecurity posture.
GV.OC-02:
Internal and external stakeholders and their expectations regarding cybersecurity risk management are determined
Stakeholder Considerations:
- Clients: Organizations in healthcare, business, government, and education sectors rely on our services for secure identification solutions.
- Employees: Staff responsible for developing, managing, and delivering our services require clear policies and training to uphold security standards.
- Partners and Vendors: Third-party entities providing services or products essential to our operations, who must align with our security requirements and potentially those of our customers.
- Regulatory Bodies: Authorities overseeing compliance with laws and regulations pertinent to our services and operations.
Strategic Direction:
eXpress badging is committed to:
- Integrating cybersecurity risk management into all levels of organizational planning and decision-making.
- Regularly reviewing and updating our understanding of the organizational context to adapt to changes in the internal and external environment.
- Ensuring that our cybersecurity practices support our mission and objectives, providing value to stakeholders and maintaining trust.
GV.OC-03:
Legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed (formerly ID.GV-3)
GV.OC-03 of the NIST Cybersecurity Framework (CSF) 2.0 focuses on ensuring that an organization understands and manages its legal, regulatory, and contractual obligations related to cybersecurity, including privacy and civil liberties. This involves identifying applicable requirements, establishing processes to track and manage them, and aligning cybersecurity strategies accordingly.
eXpress badging categorizes these various forms of terms and conditions under Compliance Standard Groups:
- CONTRACTUAL
  - Fortune 500 and Healthcare focused
- FEDERAL
  - DOD - Department of Defense
  - DOE - Department of Energy
  - DOT - Department of Transportation
- SLED - State, Local, Education Departments
Compliance:
Several U.S. federal and state laws concerning the protection of Personally Identifiable Information (PII) extend beyond HIPAA and healthcare data. Small businesses should know these regulations to ensure compliance and protect consumer data. eXpress badging reviews these laws regularly. Most do not apply, as they are consumer-based personal data protection laws, and not employer/employee-related. However, there are fine lines that can be crossed, such as children and minors under 21, foreign nationals, and others covered under reciprocal GDPR terms.
Children’s Online Privacy Protection Act (COPPA)
- Scope: Applies to websites and online services directed at children under 13 years of age.
- Requirements: Parental consent is required before collecting personal information from children, and clear privacy policies are mandated.
Federal Trade Commission Act (FTC Act) – Section 5
- Scope: Applies broadly to unfair or deceptive practices affecting commerce.
- Requirements: Prohibits deceptive practices, including inadequate data security measures, and allows the FTC to take enforcement actions.
European Union's General Data Protection Regulation (GDPR)
Under the European Union's General Data Protection Regulation (GDPR), U.S. companies that process personal data of EU citizens—including employees and contractors—must adhere to specific requirements, even if the company operates outside the EU. Therefore, eXpress badging does not contract to manage GDPR or HIPAA-related data.
Applicability of GDPR to U.S. Companies
The GDPR applies to any organization, regardless of location, that:
- Offers goods or services to EU residents, which could include an eXpress badging customer.
- Monitors the behavior of individuals in the EU, such as through tracking website activity.
Therefore, if a U.S. company processes personal data of EU-based employees or contractors, GDPR compliance is mandatory.
GV.OC-04:
Critical objectives, capabilities, and services that stakeholders expect are determined and communicated (formerly ID.BE-4 and ID.BE-5)
- Example 1: IT functions that provide or materially support critical services are documented within a Disaster Recovery Plan.
- Example 2: Detailed procedures are in place to continue providing critical business services during an outage, natural disaster, or attacks such as denial of service or ransomware.
- Example 3: Recovery plans enable service restoration within Recovery Time Objectives.
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
Criticality Assessment Scale
- Level 1: Required but not critical
- Level 2: Required and critical for daily business operations
- Level 3: Required and critical for daily customer operations
Banking and Financial Services (Level 3)
- Bank Accounts
- Credit Card Processing Accounts
- Credit Card Accounts
- Line of Credit Accounts
- Payroll Accounts
AWS Codebase, Licenses, and Configuration (Level 3)
- Hosted website
- Hosted Veonics Portal
- Hosted VerifyMyBadge Portal
- JIRA Code Management
- aprovD TSL Task Approval
eXpress badging Veonics Portal Trained Personnel (Level 2)
- System Project Management
  - Director (Neil Grosse - IT)
  - Director (Michael Scott - Production)
  - President (Joe French)
- The Silver Logic
  - Primary Portal System Architect
- David Fisher
  - Secondary Fractional CTO
    - Primarily VerifyMyBadge
    - Secondly, Veonics Portal
- Secondary Fractional CTO
- Olive Branch IT
  - Client/Server Operations Support
  - Cybersecurity Systems Management (Network Level)
  - Cybersecurity Insurance
Computer-based Software (Level 3)
- QuickBooks Enterprise Software
- digion24 Prox Writer Software
Hosted Software (Level 2)
- SentinelOne Cybersecurity/Antivirus
- Digital Defense Pentesting and Network Vulnerability Testing
- HubSpot CRM, Technical Support, Marketing, and Knowledgebase
- Jira Software Development Management (Level 1)
- Avalara Sales Tax
- Bloom Growth Meeting Management and Business Planning (Level 1)
- Adobe Photoshop (Level 1)
- Pirateship.com and Stamps.com (Level 3)
- GoDaddy.com manages URL domain registration
Hardware (Level 3)
- Fleet of PVC ID Card Printers (15 to 20)
- RFID Encoding System
- Client Server Network of (20+ Devices)
- Phone System (15 devices) (Level 2)
  - Backup is PC and headphone/microphone based
Inventory (Level 3)
- Customer Supplied and other RFID Stock
  - Stored in safe
- Production Inventory
  - Stored in warehouse
ID.BE-5: Resilience requirements to support the delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
Disaster Recovery
Critical Fail Points (Level 3)
- AWS Hosting
- Server and Computer Network
- Fleet of Badge Printers
- RFID Encoding System
- Contracted Software Development and Support
Critical Fail Point Factors
- AWS Failure
- Electrical Outage
- Communication Outage
- Building Evacuation
- Internal Cyber Breach
- External Cyber Breach
- Business Theft
Business Continuity
Business continuity is a business's readiness to maintain critical functions after an emergency or disruption. These events can include security breaches, natural disasters, and power outages.
Natural Disaster
Cybersecurity Breach
Power Outage
- Call the building superintendent and the power company
- Notify customers using HubSpot email if the downtime will exceed four business hours
- If, for any reason, power is not restored within two business days, locate a backup location within the county and move a temporary badging team there until it is restored
Communication Outage
- Call the building superintendent and the communication service provider
- The secondary communication provider line should automatically be enabled
- Upon secondary communication provider failure, and after contacting them, have all phones forwarded to a primary mobile phone
- Call and notify Olive Branch IT
GV.OC-05:
Critical outcomes, capabilities, and services that the organization relies on are determined and communicated (formerly ID.BE-1 and ID.BE-4)
To align eXpress badging's documentation with the NIST Cybersecurity Framework (CSF) Subcategory GV.OC-05, it's essential to clearly identify and communicate the organization's critical outcomes, capabilities, and services. This involves creating a comprehensive inventory of dependencies, assessing potential points of failure, and ensuring that this information is shared with relevant stakeholders.
GV.OC-05: Outcomes, capabilities, and services that the organization depends on are understood and communicated
1. Inventory of Critical Dependencies
- Cloud Hosting Services: eXpress badging relies on Amazon Web Services (AWS) to host its website and the Veonics Portal. The AWS configuration includes version regression capabilities and various backup tools to mitigate potential service disruptions.
- Software Development and Maintenance: The Veonics Portal is a proprietary cloud-based badging software developed and maintained by contracted partners. These partnerships are governed by Non-Disclosure Agreements (NDAs) and Service Level Agreements (SLAs) to ensure code integrity and timely updates.
- IT Management and Maintenance: Contracted IT services manage eXpress badging's network and devices. Their duties include implementing cybersecurity tools, conducting penetration and vulnerability testing, and providing cybersecurity training.
- Hardware and Supplies: eXpress badging depends on manufacturers such as HID Corporation, IDP America, SwiftPro, and Digion24 for PVC card printers and consumables. During the COVID-19 pandemic, proactive procurement strategies were employed to mitigate supply shortages.
2. Potential Points of Failure and Mitigation Strategies
- AWS Service Disruption: A failure in AWS services could impact the Veonics Portal and website accessibility. To address this, eXpress badging has implemented version regression processes and various backups within the AWS infrastructure.
- Software Development Delays: Delays or issues with contracted developers could affect the Veonics Portal's functionality. Maintaining relationships with multiple development partners and clear contractual agreements helps mitigate this risk.
- IT Service Interruptions: Disruptions in contracted IT services could impact network security and device management. Regular performance reviews and adherence to SLAs ensure accountability and continuity.
- Supply Chain Disruptions: Interruptions in the supply of printers and consumables could affect badge production. Maintaining higher inventory levels and diversifying suppliers are strategies employed to reduce this risk.
3. Communication and Documentation
eXpress badging maintains detailed documentation of its critical dependencies and mitigation strategies. This information is communicated to relevant stakeholders through internal meetings, training sessions, and accessible documentation platforms. Regular reviews and updates ensure that all parties are informed about the organization's dependencies and preparedness measures.
By systematically identifying and managing its critical dependencies, eXpress badging demonstrates a commitment to resilience and aligns with the objectives of GV.OC-05 in the NIST Cybersecurity Framework.