Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Identify critical enterprise processes and assets
What are your enterprise’s activities that absolutely must continue to be viable? For example, this could be maintaining a website to retrieve payments, protecting customer/patient information securely, or ensuring that the information your enterprise collects remains accessible and accurate.
Document Information Flows
It’s important to not only understand what type of information your enterprise collects and uses but also to understand where the data is located and flows, especially where contracts and external partners are engaged.
Maintain hardware and software inventory.
It’s essential to understand the computers and software in your enterprise because these are frequently the entry points of malicious actors. This inventory could be as simple as a spreadsheet.
Establish policies for cybersecurity that include roles and responsibilities.
These policies and procedures should clearly describe your expectations for how cybersecurity activities protect your information and systems and support critical enterprise processes. Cybersecurity policies should be integrated with other enterprise risk considerations (e.g., financial, reputational).
Identify threats, vulnerabilities, and risk-to-assets.
Ensure risk management processes are established and managed to identify, assess, and document internal and external threats in risk registers. Ensure risk responses are identified and prioritized, executed, and results monitored.