
Map: CRI v1.2.1 to v2.0

The table below is from the “CRI Profile ver. 1.2.1 to ver. 2.0 Mapping” from the Cyber Risk Institute.

| Profile v1.2.1 Id | Profile v1.2.1 Diagnostic Statement | Profile v2.0 Update Status | Profile v2.0 Id | Profile v2.0 Diagnostic Statement |
|---|---|---|---|---|
| GV.SF-1.1 | GV.SF-1.1: The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. | Statement Updated for Profile ver. 2.0 | GV.RM-01.01 | GV.RM-01.01: Technology and cybersecurity risk management strategies and frameworks are approved by the governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. |
| GV.SF-1.2 | GV.SF-1.2: An appropriate governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization’s cyber risk management strategy and framework. | Statement Updated for Profile ver. 2.0 | GV.RR-01.01 | GV.RR-01.01: The governing authority (e.g., the Board or one of its committees) oversees and holds senior management accountable for implementing the organization’s technology and cybersecurity risk management strategies and frameworks. |
| GV.SF-1.3 | GV.SF-1.3: The organization's cyber risk management strategy identifies and documents the organization's role as it relates to other critical infrastructures outside of the financial services sector and the risk that the organization may pose to them. | Statement Merged with Another Statement for ver. 2.0 | GV.OC-02.03 | GV.OC-02.03: Technology and cybersecurity risk management strategies identify and communicate the organization's role as it relates to other critical infrastructure sectors outside of the financial services sector and the interdependency risks. |
| GV.SF-1.4 | GV.SF-1.4: The cyber risk management strategy identifies and communicates the organization’s role within the financial services sector as a component of critical infrastructure in the financial services industry. | Statement Updated for Profile ver. 2.0 | GV.OC-02.02 | GV.OC-02.02: Technology and cybersecurity risk management strategies identify and communicate the organization’s role within the financial services sector as a component of critical infrastructure. |
| GV.SF-1.5 | GV.SF-1.5: The cyber risk management strategy and framework establishes and communicates priorities for organizational mission, objectives, and activities. | Statement Updated for Profile ver. 2.0 | GV.OC-01.01 | GV.OC-01.01: Technology and cybersecurity strategies, architectures, and programs are formally governed to align with and support the organization's mission, objectives, priorities, tactical initiatives, and risk profile. |
| GV.SF-2.1 | GV.SF-2.1: The cyber risk management strategy and framework is appropriately informed by applicable international, national, and financial services industry standards and guidelines. | Statement Updated for Profile ver. 2.0 | GV.RM-01.02 | GV.RM-01.02: Technology and cybersecurity risk management strategies and frameworks are informed by applicable international, national, and financial services industry standards and guidelines. |
| GV.SF-3.1 | GV.SF-3.1: An appropriate governing authority (e.g., the Board or one of its committees) endorses and periodically reviews the cyber risk appetite and is regularly informed about the status of and material changes in the organization's inherent cyber risk profile. | Statement Updated for Profile ver. 2.0 | GV.RM-02.01 | GV.RM-02.01: The governing authority (e.g., the Board or one of its committees) endorses and regularly reviews technology and cybersecurity risk appetite and is regularly informed about the status of, and material changes to, the organization's inherent risk profile. |
| GV.SF-3.2 | GV.SF-3.2: An appropriate governing authority (e.g., the Board or one of its committees) periodically reviews and evaluates the organization's ability to manage its cyber risks. | Statement Updated for Profile ver. 2.0 | GV.OV-01.01 | GV.OV-01.01: The governing authority (e.g., the Board or one of its committees) regularly reviews and evaluates the organization's ability to manage its technology, cybersecurity, third-party, and resilience risks. |
| GV.SF-3.3 | GV.SF-3.3: The cyber risk management framework provides mechanisms to determine the adequacy of resources to fulfill cybersecurity objectives. | Statement Updated for Profile ver. 2.0 | GV.RR-03.01 | GV.RR-03.01: The organization's budgeting and resourcing processes identify, prioritize, and address resource needs to manage identified technology and cybersecurity risks (e.g., skill shortages, headcount, new tools, incident-related expenses, and unsupported systems). |
| GV.SF-4.1 | GV.SF-4.1: The risk appetite is informed by the organization’s role in critical infrastructure. | Statement Updated for Profile ver. 2.0 | GV.RM-02.03 | GV.RM-02.03: Determination of the organization's risk appetite and tolerance includes consideration of the organization's stakeholder obligations, role in critical infrastructure, and sector-specific risk analysis. |
| GV.RM-1.1 | GV.RM-1.1: The cyber risk management program incorporates cyber risk identification, measurement, monitoring, and reporting. | Statement Updated for Profile ver. 2.0 | GV.RM-01.04 | GV.RM-01.04: Technology and cybersecurity risk management programs incorporate risk identification, measurement, monitoring, and reporting. |
| GV.RM-1.2 | GV.RM-1.2: The cyber risk management program is integrated into daily operations and is tailored to address enterprise-specific risks (both internal and external) and evaluate the organization's cybersecurity policies, procedures, processes, and controls. | Statement Updated for Profile ver. 2.0 | GV.RM-03.04 | GV.RM-03.04: Technology and cybersecurity risk management considerations are integrated into daily operations, cultural norms, management discussions, and management decision-making, and are tailored to address enterprise-specific risks (both internal and external). |
| GV.RM-1.3 | GV.RM-1.3: As a part of the cyber risk management program, the organization has documented its cyber risk assessment process and methodology, which are periodically updated to address changes to the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving threat environment). | Statement Updated for Profile ver. 2.0 | GV.RM-06.01 | GV.RM-06.01: Technology and cybersecurity risk management and risk assessment processes and methodologies are documented and regularly reviewed and updated to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. |
| GV.RM-1.4 | GV.RM-1.4: The cyber risk assessment process is consistent with the organization's policies and procedures and includes criteria for the evaluation and categorization of enterprise-specific cyber risks and threats. | Statement Updated for Profile ver. 2.0 | GV.RM-03.03 | GV.RM-03.03: Technology and cybersecurity risk management and risk assessment processes are consistent with the organization's enterprise risk management policies, procedures, and methodologies and include criteria for the evaluation and categorization of enterprise-specific risks and threats. |
| GV.RM-1.5 | GV.RM-1.5: The cyber risk management program and risk assessment process produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify security controls. | Statement Updated for Profile ver. 2.0 | ID.RA-06.01 | ID.RA-06.01: Technology and cybersecurity risk management programs and risk assessment processes produce actionable recommendations that the organization uses to select, design, prioritize, implement, maintain, evaluate, and modify cybersecurity and technology controls. |
| GV.RM-1.6 | GV.RM-1.6: The cyber risk management program addresses identified cyber risks in one of the following ways: risk acceptance, risk mitigation, risk avoidance, or risk transfer, which includes cyber insurance. | Statement Updated for Profile ver. 2.0 | ID.RA-06.02 | ID.RA-06.02: The implementation of responses to address identified risks (i.e., risk avoidance, risk mitigation, risk acceptance, or risk transfer (e.g., cyber insurance)) are formulated, assessed, documented, and prioritized based on criticality to the business. |
| GV.RM-2.1 | GV.RM-2.1: The organization has established a cyber risk tolerance consistent with its risk appetite, and integrated it into technology or operational risk management, as appropriate. | Statement Updated for Profile ver. 2.0 | GV.RM-02.02 | GV.RM-02.02: The organization has established statements of technology and cybersecurity risk tolerance consistent with its risk appetite, and has integrated them into technology, cybersecurity, operational, and enterprise risk management practices. |
| GV.RM-2.2 | GV.RM-2.2: The cyber risk management strategy articulates how the organization intends to address its inherent cyber risk (before mitigating controls or other factors are taken into consideration). | Statement Updated for Profile ver. 2.0 | GV.OV-02.01 | GV.OV-02.01: The organization regularly assesses its inherent technology and cybersecurity risks and ensures that changes to the business and threat environment lead to updates to the organization's strategies, programs, risk appetite and risk tolerance. |
| GV.RM-2.3 | GV.RM-2.3: The cyber risk management strategy articulates how the organization would maintain an acceptable level of residual cyber risk set by the appropriate governing authority (e.g., the Board or one of its committees). | Statement Merged with Another Statement for ver. 2.0 | GV.OV-02.02 | GV.OV-02.02: The organization determines and articulates how it intends to maintain an acceptable level of residual technology and cybersecurity risk as set by the governing authority (e.g., the Board or one of its committees). |
| GV.RM-3.1 | GV.RM-3.1: The cyber risk management framework is integrated into the enterprise risk management framework. | Statement Merged with Another Statement for ver. 2.0 | GV.RM-03.01 | GV.RM-03.01: Technology and cybersecurity risk management frameworks and programs are integrated into the enterprise risk management framework. |
| GV.RM-3.2 | GV.RM-3.2: The organization has a process for monitoring its cyber risks including escalating those risks that exceed risk tolerance to management. | Statement Merged with Another Statement for ver. 2.0 | GV.RM-05.01 | GV.RM-05.01: The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units. |
| GV.RM-3.3 | GV.RM-3.3: The organization's cyber risk management framework provides for segregation of duties between policy development, implementation, and oversight to ensure rigorous review of both policy and implementation. | Statement Updated for Profile ver. 2.0 | GV.RR-02.07 | GV.RR-02.07: Technology and cybersecurity risk management frameworks provide for segregation of duties between policy development, implementation, and oversight. |
| GV.PL-1.1 | GV.PL-1.1: The organization maintains a documented cybersecurity policy or policies approved by a designated Cybersecurity Officer (e.g., CISO) or an appropriate governing authority (e.g., the Board or one of its committees). | Statement Updated for Profile ver. 2.0 | GV.PO-01.01 | GV.PO-01.01: Technology and cybersecurity policies are documented, maintained and approved by the governing authority (e.g., the Board or one of its committees) or a designated executive. |
| GV.PL-1.2 | GV.PL-1.2: The organization's cybersecurity policy integrates with an appropriate employee accountability policy to ensure that all personnel are held accountable for complying with cybersecurity policies and procedures. | Statement Updated for Profile ver. 2.0 | GV.PO-01.03 | GV.PO-01.03: The organization's incentive programs are consistent with cyber risk management objectives, and technology and cybersecurity policies integrate with an employee accountability policy to ensure that all personnel are held accountable for complying with policies. |
| GV.PL-2.1 | GV.PL-2.1: The cybersecurity policy is supported by the organization's risk management program. | Statement Merged with Another Statement for ver. 2.0 | GV.RM-03.01 | GV.RM-03.01: Technology and cybersecurity risk management frameworks and programs are integrated into the enterprise risk management framework. |
| GV.PL-2.2 | GV.PL-2.2: Cybersecurity processes and procedures are established based on the cybersecurity policy. | Statement Updated for Profile ver. 2.0 | GV.PO-01.05 | GV.PO-01.05: Technology and cybersecurity processes, procedures, and controls are established in alignment with cybersecurity policy. |
| GV.PL-2.3 | GV.PL-2.3: The cybersecurity policy is periodically reviewed and revised under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite (e.g., new technologies, products, services, interdependencies, and the evolving threat environment). | Statement Updated for Profile ver. 2.0 | GV.PO-02.01 | GV.PO-02.01: The cybersecurity policy is regularly reviewed, revised, and communicated under the leadership of a designated Cybersecurity Officer (e.g., CISO) to address changes in the risk profile and risk appetite, the evolving threat environment, and new technologies, products, services, and interdependencies. |
| GV.PL-3.1 | GV.PL-3.1: The cybersecurity policy, strategy and framework should take into account the organization's legal and regulatory obligations. | Statement Updated for Profile ver. 2.0 | GV.OC-03.01 | GV.OC-03.01: The organization's technology and cybersecurity strategy, framework, and policies align and are consistent with the organization's legal, statutory, contractual, and regulatory obligations and ensure that compliance responsibilities are unambiguously assigned. |
| GV.PL-3.2 | GV.PL-3.2: The organization's cybersecurity policies are consistent with its privacy and civil liberty obligations. | Statement Merged with Another Statement for ver. 2.0 | GV.OC-03.02 | GV.OC-03.02: The organization implements and maintains a documented policy or policies that address customer data privacy that is approved by a designated officer or the organization’s appropriate governing body (e.g., the Board or one of its committees). |
| GV.PL-3.3 | GV.PL-3.3: The organization implements and maintains a documented policy or policies that address customer data privacy, and is approved by a designated officer or the organization’s appropriate governing body (e.g., the Board or one of its committees). | Statement Merged with Another Statement for ver. 2.0 | GV.OC-03.02 | GV.OC-03.02: The organization implements and maintains a documented policy or policies that address customer data privacy that is approved by a designated officer or the organization’s appropriate governing body (e.g., the Board or one of its committees). |
| GV.RR-1.1 | GV.RR-1.1: The organization coordinates and aligns roles and responsibilities for personnel implementing, managing, and overseeing the effectiveness of the cybersecurity strategy and framework with internal and external partners. | Statement Merged with Another Statement for ver. 2.0 | GV.RR-02.01 | GV.RR-02.01: The roles, responsibilities, qualifications, and skill requirements for personnel (employees and third parties) that implement, manage, and oversee the technology, cybersecurity, and resilience programs are defined, aligned, coordinated, and holistically managed. |
| GV.RR-2.1 | GV.RR-2.1: The organization has designated a Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing cybersecurity strategy, overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy. | Statement Updated for Profile ver. 2.0 | GV.RR-01.04 | GV.RR-01.04: The organization has designated a qualified Cybersecurity Officer (e.g., CISO) who is responsible and accountable for developing a cybersecurity strategy, overseeing and implementing its cybersecurity program, and enforcing its cybersecurity policy. |
| GV.RR-2.2 | GV.RR-2.2: The organization provides adequate resources, appropriate authority, and access to the governing authority for the designated Cybersecurity Officer (e.g., CISO). | Statement Unchanged in Profile ver. 2.0 | GV.RR-03.03 | GV.RR-03.03: The organization provides adequate resources, appropriate authority, and access to the governing authority for the designated Cybersecurity Officer (e.g., CISO). |
| GV.RR-2.3 | GV.RR-2.3: The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. | Statement Unchanged in Profile ver. 2.0 | GV.OV-01.02 | GV.OV-01.02: The designated Cybersecurity Officer (e.g., CISO) periodically reports to the appropriate governing authority (e.g., the Board or one of its committees) or equivalent governing body on the status of cybersecurity within the organization. |
| GV.RR-2.4 | GV.RR-2.4: The organization provides adequate resources to maintain and enhance the cybersecurity situational awareness of senior managers within the organization. | Statement Merged with Another Statement for ver. 2.0 | PR.AT-02.07 | PR.AT-02.07: The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: (1) Evaluate and manage cyber risks; (2) Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and (3) Lead by example. |
| GV.SP-1.1 | GV.SP-1.1: The organization has established, and maintains, a cybersecurity program designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite. | Statement Updated for Profile ver. 2.0 | GV.RM-01.03 | GV.RM-01.03: The organization has established, and maintains, technology and cybersecurity programs designed to protect the confidentiality, integrity and availability of its information and operational systems, commensurate with the organization's risk appetite and business needs. |
| GV.SP-1.2 | GV.SP-1.2: Based on a periodic risk assessment, the organization's cybersecurity program identifies and implements appropriate security controls to manage applicable cyber risks within the risk tolerance set by the governing authority (e.g., the Board or one of its committees). | Statement Updated for Profile ver. 2.0 | ID.RA-06.03 | ID.RA-06.03: Technology and cybersecurity programs identify and implement controls to manage applicable risks within the risk appetite set by the governing authority (e.g., the Board or one of its committees). |
| GV.SP-2.1 | GV.SP-2.1: The organization implements a repeatable process to develop, collect, store, report, and refresh actionable cybersecurity key performance indicators and metrics. | Statement Updated for Profile ver. 2.0 | ID.IM-01.02 | ID.IM-01.02: The organization implements a regular process to collect, store, report, benchmark, and assess trends in actionable performance indicators and risk metrics (e.g., threat KRIs, security incident metrics, vulnerability metrics, and operational measures). |
| GV.SP-2.2 | GV.SP-2.2: The organization develops, implements, and reports to management and the appropriate governing body (e.g., the Board or one of its committees) key cybersecurity performance indicators and metrics based on the cyber risk strategy and framework to measure, monitor, and report actionable indicators to help guide the security program. | Statement Updated for Profile ver. 2.0 | GV.OV-03.01 | GV.OV-03.01: The organization develops, implements, and reports to management and the governing body (e.g., the Board or one of its committees) key technology and cybersecurity risk and performance indicators and metrics to measure, monitor, and report actionable indicators. |
| GV.SP-2.3 | GV.SP-2.3: The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. | Statement Unchanged in Profile ver. 2.0 | ID.IM-01.03 | ID.IM-01.03: The organization establishes specific objectives, performance criteria, benchmarks, and tolerance limits to identify areas that have improved or are in need of improvement over time. |
| GV.IR-1.1 | GV.IR-1.1: The organization's enterprise-wide cyber risk management framework includes an independent risk management function that provides assurance that the cyber risk management framework is implemented as intended. | Statement Updated for Profile ver. 2.0 | GV.IR-01.01 | GV.IR-01.01: The organization's enterprise-wide technology and cybersecurity risk management frameworks align with and support an independent risk management function that provides assurance that the frameworks are implemented consistently and as intended. |
| GV.IR-1.2 | GV.IR-1.2: An independent risk management function has sufficient independence, stature, authority, resources, and access to the appropriate governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's cyber risk management framework. | Statement Merged with Another Statement for ver. 2.0 | GV.IR-01.02 | GV.IR-01.02: The independent risk management function has sufficient independence, stature, authority, resources, and access to the governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's risk management frameworks. |
| GV.IR-1.3 | GV.IR-1.3: The independent risk management function has appropriate understanding of the organization's structure, cybersecurity program, and relevant risks and threats. | Statement Updated for Profile ver. 2.0 | GV.IR-01.03 | GV.IR-01.03: The independent risk management function has an understanding of the organization's structure, technology and cybersecurity strategies and programs, and relevant risks and threats. |
| GV.IR-1.4 | GV.IR-1.4: Individuals responsible for independent risk management and oversight are independent of business line management, including senior leadership. | Statement Merged with Another Statement for ver. 2.0 | GV.IR-01.02 | GV.IR-01.02: The independent risk management function has sufficient independence, stature, authority, resources, and access to the governing body (e.g., the Board or one of its committees), including reporting lines, to ensure consistency with the organization's risk management frameworks. |
| GV.IR-2.1 | GV.IR-2.1: An independent risk management function assesses the appropriateness of the cyber risk management program according to the organization's risk appetite. | Statement Updated for Profile ver. 2.0 | GV.IR-02.01 | GV.IR-02.01: The independent risk management function regularly evaluates the appropriateness of the technology and cybersecurity risk management programs to the organization's risk appetite and inherent risk environment. |
| GV.IR-2.2 | GV.IR-2.2: An independent risk management function frequently and recurrently assesses the organization's controls and cyber risk exposure, identifies opportunities for improvement based on assessment results, and proposes risk mitigation strategies and improvement actions when needed. | Statement Updated for Profile ver. 2.0 | GV.IR-02.02 | GV.IR-02.02: The independent risk management function regularly assesses the organization's controls and cybersecurity risk exposure, identifies opportunities for improvement based on assessment results, and recommends program improvements. |
| GV.IR-3.1 | GV.IR-3.1: An independent risk management function reports to the appropriate governing authority (e.g., the Board or one of its committees) and to the appropriate risk management officer within the organization on the implementation of the cyber risk management framework throughout the organization. | Statement Updated for Profile ver. 2.0 | GV.IR-03.01 | GV.IR-03.01: The independent risk management function reports to the governing authority (e.g., the Board or one of its committees) and to the designated risk management officer within the organization on the implementation of the technology and cybersecurity risk management frameworks throughout the organization and its independent assessment of risk posture. |
| GV.AU-1.1 | GV.AU-1.1: The organization has an independent audit function. | Statement Updated for Profile ver. 2.0 | GV.AU-01.01 | GV.AU-01.01: The organization has an independent audit function (i.e., internal audit group or external auditor) that follows generally accepted audit practices and approved audit policies and procedures. |
| GV.AU-1.2 | GV.AU-1.2: The organization has an independent audit plan that provides for an evaluation of the organization's compliance with the appropriately approved cyber risk management framework and its cybersecurity policies and processes including how well the organization adapts to the evolving cyber risk environment while remaining within its stated risk appetite and tolerance. | Statement Updated for Profile ver. 2.0 | GV.AU-01.02 | GV.AU-01.02: The organization has an independent audit plan that provides for the evaluation of technology and cybersecurity risk, including compliance with the approved risk management framework, policies, and processes for technology, cybersecurity, and resilience; and how well the organization adapts to the evolving risk environment while remaining within its stated risk appetite and tolerance. |
| GV.AU-1.3 | GV.AU-1.3: An independent audit function tests security controls and information security policies. | Statement Updated for Profile ver. 2.0 | GV.AU-01.03 | GV.AU-01.03: The independent audit function tests technology management, cybersecurity, incident response, and resilience policies and controls. |
| GV.AU-1.4 | GV.AU-1.4: An independent audit function assesses compliance with applicable laws and regulations. | Statement Unchanged in Profile ver. 2.0 | GV.AU-01.05 | GV.AU-01.05: An independent audit function assesses compliance with applicable laws and regulations. |
| GV.AU-2.1 | GV.AU-2.1: A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across the sector. | Statement Updated for Profile ver. 2.0 | GV.AU-02.01 | GV.AU-02.01: A formal process is in place for the independent audit function to review and update its procedures and audit plans regularly or in response to changes in relevant standards, the technology environment, or the business environment. |
| GV.AU-2.2 | GV.AU-2.2: A formal process is in place for the independent audit function to update its procedures based on changes to the organization's risk appetite and risk tolerance. | Statement Merged with Another Statement for ver. 2.0 | GV.AU-02.02 | GV.AU-02.02: A formal process is in place for the independent audit function to update its procedures and audit plans based on changes to the organization's risk appetite, risk tolerance, threat environment, and evolving risk profile. |
| GV.AU-3.1 | GV.AU-3.1: An independent audit function reviews cybersecurity practices and identifies weaknesses and gaps. | Statement Updated for Profile ver. 2.0 | GV.AU-03.01 | GV.AU-03.01: The independent audit function reviews technology and cybersecurity practices and identifies weaknesses and gaps. |
| GV.AU-3.2 | GV.AU-3.2: An independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. | Statement Updated for Profile ver. 2.0 | GV.AU-03.02 | GV.AU-03.02: The independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. |
| GV.AU-3.3 | GV.AU-3.3: An independent audit function reports to the appropriate governing authority (e.g., the Board or one of its committees) within the organization, including when its assessment differs from that of the organization, or when cyber risk tolerance has been exceeded in any part of the organization. | Statement Updated for Profile ver. 2.0 | GV.AU-03.03 | GV.AU-03.03: The independent audit function reports to the governing authority (e.g., the Board or one of its committees) within the organization, including when its assessment differs from that of the organization, or when risk tolerance has been exceeded in any part of the organization. |
| GV.TE-1.1 | GV.TE-1.1: The organization identifies how cybersecurity will support emerging technologies that support business needs (e.g., cloud, mobile, IoT, IIoT, etc.) by integrating cybersecurity considerations into the lifecycle of new technologies from their inception. | Statement Updated for Profile ver. 2.0 | GV.RM-08.01 | GV.RM-08.01: Technology and cybersecurity risk management frameworks are applied to, and are adapted as needed by, the organization's innovations in technology use and adoption of emerging technologies. |
| GV.TE-1.2 | GV.TE-1.2: The organization applies its cyber risk management framework to all technology projects. | Statement Updated for Profile ver. 2.0 | GV.RM-08.02 | GV.RM-08.02: Technology and cybersecurity risk management frameworks are applied to all technology projects and procurements to ensure that security requirements (e.g., data confidentiality, access control, event logging, etc.) are addressed consistently from project onset. |
| GV.TE-2.1 | GV.TE-2.1: The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. | Statement Unchanged in Profile ver. 2.0 | GV.RM-08.03 | GV.RM-08.03: The organization defines, maintains, and uses technical security standards, architectures, processes or practices (including automated tools when practical) to ensure the security of its applications and infrastructure. |
| ID.AM-1.1 | ID.AM-1.1: The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems. | Statement Unchanged in Profile ver. 2.0 | ID.AM-01.01 | ID.AM-01.01: The organization maintains a current and complete asset inventory of physical devices, hardware, and information systems. |
| ID.AM-2.1 | ID.AM-2.1: The organization maintains a current and complete inventory of software platforms and business applications. | Statement Updated for Profile ver. 2.0 | ID.AM-02.01 | ID.AM-02.01: The organization maintains a current and complete inventory of software platforms, business applications, and other software assets (e.g., virtual machines and virtual network devices). |
| ID.AM-3.1 | ID.AM-3.1: The organization maintains an inventory of internal assets and business functions, that includes mapping to other assets, business functions, and information flows. | Statement Merged with Another Statement for ver. 2.0 | GV.OC-04.01 | GV.OC-04.01: The organization maintains an inventory of key internal assets, business functions, and external dependencies that includes mappings to other assets, business functions, and information flows. |
| ID.AM-3.2 | ID.AM-3.2: The organization maintains a current and complete inventory of types of data being created, stored, or processed by its information assets. | Statement Updated for Profile ver. 2.0 | ID.AM-07.01 | ID.AM-07.01: The organization maintains a current inventory of the data being created, stored, or processed by its information assets and data flow diagrams depicting key internal and external data flows. |
| ID.AM-3.3 | ID.AM-3.3: The organization's asset inventory includes maps of network resources, as well as connections with external and mobile resources. | Statement Updated for Profile ver. 2.0 | ID.AM-03.01 | ID.AM-03.01: The organization maintains current maps of network resources, mobile resources, external connections, network-connected third parties, and network data flows. |
| ID.AM-4.1 | ID.AM-4.1: The organization maintains an inventory of external information systems. | Statement Updated for Profile ver. 2.0 | ID.AM-04.01 | ID.AM-04.01: Hardware, software, and data assets maintained by or located at suppliers or other third parties are included in asset management inventories and lifecycle management processes as required for effective management and security. |
| ID.AM-5.1 | ID.AM-5.1: The organization implements and maintains a written risk-based policy or policies on data governance and classification, approved by a Senior Officer or the organization's governing body (e.g., the Board or one of its committees). | Statement Updated for Profile ver. 2.0 | ID.AM-08.03 | ID.AM-08.03: The organization establishes policies, standards, and procedures for data governance, data management, and data retention consistent with its legal obligations and the value of data as an organizational asset. |
| ID.AM-5.2 | ID.AM-5.2: The organization's resources (e.g., hardware, devices, data, and software) are prioritized for protection based on their sensitivity/classification, criticality, vulnerability, business value, and importance to the organization. | Statement Updated for Profile ver. 2.0 | ID.AM-05.02 | ID.AM-05.02: The organization's hardware, software, and data assets are prioritized for protection based on their sensitivity, criticality, vulnerability, business value, and dependency role in the delivery of critical services. |
| ID.AM-6.1 | ID.AM-6.1: Roles and responsibilities for the entire cybersecurity workforce and directly managed third-party personnel are established, well-defined and aligned with internal roles and responsibilities. | Statement Merged with Another Statement for ver. 2.0 | GV.RR-02.01 | GV.RR-02.01: The roles, responsibilities, qualifications, and skill requirements for personnel (employees and third parties) that implement, manage, and oversee the technology, cybersecurity, and resilience programs are defined, aligned, coordinated, and holistically managed. |
| ID.RA-1.1 | ID.RA-1.1: The organization's business units identify, assess and document applicable cyber risks and potential vulnerabilities associated with business assets to include workforce, data, technology, facilities, service, and IT connection points for the respective unit. | Statement Updated for Profile ver. 2.0 | ID.RA-01.01 | ID.RA-01.01: The organization identifies, assesses, and documents risks and potential vulnerabilities associated with assets, to include workforce, data, technology, facilities, services, and connections. |
ID.RA-2.1 ID.RA-2.1: The organization participates actively (in geopolitical alignment with its business operations) in applicable information-sharing groups and collectives (e.g., cross-industry, cross-government and cross-border groups) to gather, distribute and analyze information about cyber practices, cyber threats and early warning indicators relating to cyber threats. Statement Updated for Profile ver. 2.0 ID.RA-02.01 ID.RA-02.01: The organization participates actively (in alignment with its business operations, inherent risk, and complexity) in information-sharing groups and collectives (e.g., cross-industry, cross-government and cross-border groups) to gather, distribute and analyze information about cyber practices, cyber threats, and early warning indicators relating to cyber threats.
ID.RA-3.1 ID.RA-3.1: The organization identifies, documents, and analyzes threats that are internal and external to the firm. Statement Updated for Profile ver. 2.0 ID.RA-03.01 ID.RA-03.01: The organization, on an ongoing basis, identifies, analyzes, correlates, characterizes, and reports threats that are internal and external to the firm.
ID.RA-3.2 ID.RA-3.2: The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past. Statement Unchanged in Profile ver. 2.0 ID.RA-03.03 ID.RA-03.03: The organization includes in its threat analysis those cyber threats which could trigger extreme but plausible cyber events, even if they are considered unlikely to occur or have never occurred in the past.
ID.RA-3.3 ID.RA-3.3: The organization regularly reviews and updates results of its cyber threat analysis. Statement Updated for Profile ver. 2.0 ID.RA-03.04 ID.RA-03.04: The organization regularly reviews and updates its threat analysis methodology, threat information sources, and supporting tools.
ID.RA-4.1 ID.RA-4.1: The organization's risk assessment approach includes identification of likelihood and potential business impact of applicable cyber risks being exploited. Statement Updated for Profile ver. 2.0 ID.RA-04.01 ID.RA-04.01: The organization's risk assessment approach includes the analysis and characterization of the likelihood and potential business impact of identified risks being realized.
ID.RA-5.1 ID.RA-5.1: Cyber threats, vulnerabilities, likelihoods, and impacts are used to determine overall cyber risk to the organization. Statement Updated for Profile ver. 2.0 ID.RA-05.01 ID.RA-05.01: Threats, vulnerabilities, likelihoods, and impacts are used to determine overall technology, cybersecurity, and resilience risk to the organization.
ID.RA-5.2 ID.RA-5.2: The organization considers threat intelligence received from the organization's participants, service and utility providers and other industry organizations. Statement Updated for Profile ver. 2.0 ID.RA-03.02 ID.RA-03.02: The organization solicits and considers threat intelligence received from the organization's stakeholders, service and utility providers, and other industry and security organizations.
ID.RA-5.3 ID.RA-5.3: The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. Statement Unchanged in Profile ver. 2.0 ID.RA-05.02 ID.RA-05.02: The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed.
ID.RA-5.4 ID.RA-5.4: The organization's business units assess, on an ongoing basis, the cyber risks associated with the activities of the business unit. Statement Updated for Profile ver. 2.0 ID.RA-05.03 ID.RA-05.03: The organization's business units assess, on an ongoing basis, the technology, cybersecurity, and resilience risks associated with the activities of the business unit.
ID.RA-5.5 ID.RA-5.5: The organization tracks connections among assets and cyber risk levels throughout the life cycles of the assets. Statement Merged with Another Statement for ver. 2.0 GV.OC-05.01 GV.OC-05.01: The organization identifies, assesses, and documents the key dependencies, interdependencies, and potential points of failure to support the delivery of critical services (e.g., systems, business processes, workforce, third parties, facilities, etc.).
ID.RA-5.6 ID.RA-5.6: The organization determines ways to aggregate cyber risk to assess the organization's residual cyber risk. Statement Merged with Another Statement for ver. 2.0 GV.OV-02.02 GV.OV-02.02: The organization determines and articulates how it intends to maintain an acceptable level of residual technology and cybersecurity risk as set by the governing authority (e.g., the Board or one of its committees).
ID.RA-6.1 ID.RA-6.1: The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk. Statement Unchanged in Profile ver. 2.0 ID.RA-01.02 ID.RA-01.02: The organization's business units ensure that information regarding cyber risk is shared with the appropriate level of senior management in a timely manner, so that they can address and respond to emerging cyber risk.
ID.RA-6.2 ID.RA-6.2: Independent risk management is required to analyze cyber risk at the enterprise level to identify and ensure effective response to events with the potential to impact one or multiple operating units. Statement Merged with Another Statement for ver. 2.0 GV.RM-05.01 GV.RM-05.01: The organization has a process for monitoring its technology, cybersecurity, and third-party risks, including escalating those risks that exceed risk appetite to management and identifying risks with the potential to impact multiple operating units.
PR.AC-1.1 PR.AC-1.1: Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement and have been authorized. Statement Merged with Another Statement for ver. 2.0 PR.AA-01.02 PR.AA-01.02: Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored.
PR.AC-1.2 PR.AC-1.2: User access authorization is limited to individuals who are appropriately trained and monitored. Statement Merged with Another Statement for ver. 2.0 PR.AA-01.02 PR.AA-01.02: Physical and logical access to systems is permitted only for individuals who have a legitimate business requirement, have been authorized, and who are adequately trained and monitored.
PR.AC-1.3 PR.AC-1.3: Identities and credentials are actively managed or automated for authorized devices and users (e.g., removal of default and factory passwords, revocation of credentials for users who change roles or leave the organization, etc.). Statement Updated for Profile ver. 2.0 PR.AA-01.01 PR.AA-01.01: Identities and credentials are actively managed or automated for authorized devices and users (e.g., removal of default and factory passwords, password strength requirements, automatic revocation of credentials under defined conditions, regular asset owner access review, etc.).
PR.AC-2.1 PR.AC-2.1: The organization manages and protects physical access to information assets (e.g., session lockout, physical control of server rooms). Statement Updated for Profile ver. 2.0 PR.AA-06.01 PR.AA-06.01: The organization manages, protects, and logs physical access to sensitive areas, devices, consoles, equipment, and network cabling and infrastructure.
PR.AC-3.1 PR.AC-3.1: Remote access is actively managed and restricted to necessary systems. Statement Merged with Another Statement for ver. 2.0 PR.IR-01.05 PR.IR-01.05: Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used).
PR.AC-3.2 PR.AC-3.2: The organization implements multi-factor authentication, or at least equally secure access controls for remote access, if it is warranted by applicable risk considerations. Statement Merged with Another Statement for ver. 2.0 PR.IR-01.05 PR.IR-01.05: Remote access is carefully controlled (e.g., restricted to defined systems, access is actively managed (e.g., session timeouts, logging, forced disconnect, etc.), and encrypted connections with multi-factor authentication are used).
PR.AC-4.1 PR.AC-4.1: The organization limits access privileges to the minimum necessary. Statement Updated for Profile ver. 2.0 PR.AA-05.01 PR.AA-05.01: The organization limits access privileges to the minimum necessary and with consideration of separation of duties (e.g., through role-based access control, asset owner access recertifications, etc.).
PR.AC-4.2 PR.AC-4.2: The organization institutes strong controls over privileged system access by strictly limiting and closely supervising staff with elevated system access entitlements. Statement Updated for Profile ver. 2.0 PR.AA-05.02 PR.AA-05.02: The organization institutes controls over privileged system access by strictly limiting and closely managing staff and services with elevated system entitlements (e.g., multi-factor authentication, dual accounts, privilege and time constraints, etc.).
PR.AC-4.3 PR.AC-4.3: The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use. Statement Unchanged in Profile ver. 2.0 PR.AA-05.03 PR.AA-05.03: The organization institutes controls over service account (i.e., accounts used by systems to access other systems) lifecycles to ensure strict security over creation, use, and termination; access credentials (e.g., no embedded passwords in code); frequent reviews of account ownership; visibility for unauthorized use; and hardening against malicious insider use.
PR.AC-5.1 PR.AC-5.1: Networks and systems are segmented to maintain appropriate security. Statement Merged with Another Statement for ver. 2.0 PR.IR-01.01 PR.IR-01.01: Networks, systems, and external connections are segmented (e.g., using firewalls, software-defined networks, guest wireless networks, etc.) to implement defense-in-depth and access isolation principles.
PR.AC-5.2 PR.AC-5.2: The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks). Statement Unchanged in Profile ver. 2.0 PR.IR-01.04 PR.IR-01.04: The organization controls access to its wireless networks and the information that these networks process by implementing appropriate mechanisms (e.g., strong authentication for authentication and transmission, preventing unauthorized devices from connecting to the internal networks, restricting unauthorized traffic, and segregating guest wireless networks).
PR.AC-6.1 PR.AC-6.1: The organization authenticates identity and validates the authorization level of a user before granting access to its systems. Statement Updated for Profile ver. 2.0 PR.AA-02.01 PR.AA-02.01: The organization authenticates identity, validates the authorization level of a user before granting access to its systems, limits the use of an account to a single individual, and attributes activities to the user in logs and transactions.
PR.AC-7.1 PR.AC-7.1: The organization performs a risk assessment for prospective users, devices and other assets which authenticate into its ecosystem with a specific focus on: (1) The type of data being accessed (e.g., customer PII, public data); (2) The risk of the transaction (e.g., internal-to-internal, external-to-internal); (3) The organization's level of trust for the accessing agent (e.g., external application, internal user); and (4) The potential for harm. Statement Updated for Profile ver. 2.0 PR.AA-03.02 PR.AA-03.02: Decisions to authorize user access to devices and other assets are made with consideration of: (1) Business need for the access; (2) The type of data being accessed (e.g., customer PII, public data); (3) The risk of the transaction (e.g., internal-to-internal, external-to-internal); (4) The organization's level of trust for the accessing agent (e.g., external application, internal user); and (5) The potential for harm.
PR.AC-7.2 PR.AC-7.2: Based on the risk level of a given transaction, the organization has defined and implemented authentication requirements, such as implementing multi-factor, out-of-band authentication for high-risk transactions. Statement Updated for Profile ver. 2.0 PR.AA-03.01 PR.AA-03.01: Based on the risk level of a user access or a specific transaction, the organization defines and implements authentication requirements, which may include multi-factor or out-of-band authentication, and may adopt other real-time risk prevention or mitigation tactics.
PR.AT-1.1 PR.AT-1.1: All personnel (full-time or part-time; permanent, temporary or contract) receive periodic cybersecurity awareness training, as permitted by law. Statement Updated for Profile ver. 2.0 PR.AT-01.01 PR.AT-01.01: All personnel receive cybersecurity awareness training upon hire and on a regular basis.
PR.AT-1.2 PR.AT-1.2: Cybersecurity awareness training includes at a minimum appropriate awareness of and competencies for data protection, detecting and addressing cyber risks, and how to report any unusual activity or incidents. Statement Merged with Another Statement for ver. 2.0 PR.AT-01.02 PR.AT-01.02: Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents.
PR.AT-1.3 PR.AT-1.3: Cybersecurity awareness training is updated on a regular basis to reflect risks identified by the organization in its risk assessment. Statement Updated for Profile ver. 2.0 PR.AT-01.03 PR.AT-01.03: Cybersecurity awareness training is updated on a regular basis to reflect risks and threats identified by the organization, the organization's security policies and standards, applicable laws and regulations, and changes in individual responsibilities.
PR.AT-2.1 PR.AT-2.1: High-risk groups, such as those with privileged system access or in sensitive business functions (including privileged users, senior executives, cybersecurity personnel and third-party stakeholders), receive cybersecurity situational awareness training for their roles and responsibilities. Statement Updated for Profile ver. 2.0 PR.AT-02.02 PR.AT-02.02: High-risk groups, such as those with elevated privileges or in sensitive business functions (including privileged users, senior executives, cybersecurity personnel and third-party stakeholders), receive cybersecurity situational awareness training for their roles and responsibilities.
PR.AT-2.2 PR.AT-2.2: Cybersecurity personnel receive training appropriate for their roles and responsibilities in cybersecurity, including situational awareness training sufficient to maintain current knowledge of cyber threats and countermeasures. Statement Merged with Another Statement for ver. 2.0 PR.AT-02.01 PR.AT-02.01: Mechanisms are in place to ensure that the personnel working with cybersecurity and technology (e.g., developers, DBAs, network admins, etc.) maintain current knowledge and skills related to changing threats, countermeasures, new tools, best practices, and their job responsibilities.
PR.AT-2.3 PR.AT-2.3: A mechanism is in place to verify that key cybersecurity personnel maintain current knowledge of changing cyber threats and countermeasures. Statement Merged with Another Statement for ver. 2.0 PR.AT-02.01 PR.AT-02.01: Mechanisms are in place to ensure that the personnel working with cybersecurity and technology (e.g., developers, DBAs, network admins, etc.) maintain current knowledge and skills related to changing threats, countermeasures, new tools, best practices, and their job responsibilities.
PR.AT-3.1 PR.AT-3.1: The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of their role in cybersecurity, as appropriate. Statement Updated for Profile ver. 2.0 PR.AT-02.06 PR.AT-02.06: The organization has established and maintains a cybersecurity awareness program through which the organization's customers are kept aware of new threats and vulnerabilities, basic cybersecurity hygiene practices, and their role in cybersecurity, as appropriate.
PR.AT-3.2 PR.AT-3.2: Cybersecurity training provided through a third-party service provider or affiliate should be consistent with the organization's cybersecurity policy and program. Statement Not Carried Over to Profile ver. 2.0 None None - Not Carried Over to Profile ver. 2.0
PR.AT-3.3 PR.AT-3.3: Cybersecurity training covers topics designed to minimize risks to or from interconnected parties. Statement Merged with Another Statement for ver. 2.0 PR.AT-01.02 PR.AT-01.02: Cybersecurity awareness training includes, at a minimum, awareness of and competencies for data protection, personal data handling, compliance obligations, working with third parties, detecting cyber risks, and how to report any unusual activity or incidents.
PR.AT-4.1 PR.AT-4.1: The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: (1) Evaluate and manage cyber risks; (2) Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and (3) Lead by example. Statement Unchanged in Profile ver. 2.0 PR.AT-02.07 PR.AT-02.07: The organization's governing body (e.g., the Board or one of its committees) and senior management receive cybersecurity situational awareness training to include appropriate skills and knowledge to: (1) Evaluate and manage cyber risks; (2) Promote a culture that recognizes that staff at all levels have important responsibilities in ensuring the organization's cyber resilience; and (3) Lead by example.
PR.AT-4.2 PR.AT-4.2: Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity to discuss cybersecurity related matters. Statement Updated for Profile ver. 2.0 PR.AT-02.08 PR.AT-02.08: Where the organization's governing authority (e.g., the Board or one of its committees) does not have adequate cybersecurity expertise, they should have direct access to the senior officer responsible for cybersecurity and independent sources of expertise to discuss cybersecurity related matters.
PR.AT-5.1 PR.AT-5.1: The individuals who fulfill the organization’s physical and cybersecurity objectives (employees or outsourced) have been informed of their roles and responsibilities. Statement Updated for Profile ver. 2.0 GV.RR-02.05 GV.RR-02.05: Personnel (employees and third parties) who fulfill the organization’s physical security and cybersecurity objectives understand their roles and responsibilities.
PR.DS-1.1 PR.DS-1.1: Data-at-rest is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy. Statement Merged with Another Statement for ver. 2.0 PR.DS-01.01 PR.DS-01.01: Data-at-rest is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, segregation, masking, tokenization, and file integrity monitoring).
PR.DS-1.2 PR.DS-1.2: Controls for data-at-rest include, but are not restricted to, appropriate encryption, authentication and access control. Statement Merged with Another Statement for ver. 2.0 PR.DS-01.01 PR.DS-01.01: Data-at-rest is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, segregation, masking, tokenization, and file integrity monitoring).
PR.DS-2.1 PR.DS-2.1: Data-in-transit is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy. Statement Merged with Another Statement for ver. 2.0 PR.DS-02.01 PR.DS-02.01: Data-in-transit is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, masking, tokenization, and alternate transit paths).
PR.DS-2.2 PR.DS-2.2: Controls for data-in-transit include, but are not restricted to, appropriate encryption, authentication and access control. Statement Merged with Another Statement for ver. 2.0 PR.DS-02.01 PR.DS-02.01: Data-in-transit is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, masking, tokenization, and alternate transit paths).
PR.DS-3.1 PR.DS-3.1: The organization has an asset management process in place and assets are formally managed (e.g., in a configuration management database) throughout removal, transfers, end-of-life, and secure disposal or re-use of equipment processes. Statement Updated for Profile ver. 2.0 ID.AM-08.04 ID.AM-08.04: The organization's asset management processes ensure the protection of sensitive data throughout removal, transfers, maintenance, end-of-life, and secure disposal or re-use.
PR.DS-4.1 PR.DS-4.1: The organization maintains appropriate system and network availability, consistent with business requirements and risk assessment. Statement Updated for Profile ver. 2.0 PR.IR-04.02 PR.IR-04.02: Technology availability and capacity is planned, monitored, managed, and optimized to meet business resilience objectives and reasonably anticipated infrastructure demands.
PR.DS-5.1 PR.DS-5.1: The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor. Statement Unchanged in Profile ver. 2.0 PR.DS-01.02 PR.DS-01.02: The organization implements data loss identification and prevention tools to monitor and protect against confidential data theft or destruction by an employee or an external actor.
PR.DS-6.1 PR.DS-6.1: The organization uses integrity checking mechanisms to verify software, firmware and information integrity, as practicable. Statement Updated for Profile ver. 2.0 DE.CM-09.01 DE.CM-09.01: The organization uses integrity checking mechanisms to verify software, firmware and information integrity and provenance (e.g., checksums, Software Bill of Materials, etc.).
PR.DS-7.1 PR.DS-7.1: The organization's development, testing and acceptance environment(s) are separate from the production environment, and test data is protected and not used in the production environment. Statement Updated for Profile ver. 2.0 PR.IR-01.06 PR.IR-01.06: The organization's production and non-production environments and data are segregated and managed to prevent unauthorized access or changes to the information assets.
PR.DS-8.1 PR.DS-8.1: The organization uses integrity checking mechanisms to verify hardware integrity, as practicable. Statement Updated for Profile ver. 2.0 DE.CM-09.02 DE.CM-09.02: The organization uses integrity checking mechanisms to verify hardware integrity.
PR.IP-1.1 PR.IP-1.1: The organization establishes and maintains baseline system security configuration standards to facilitate consistent application of security settings to designated information assets. Statement Updated for Profile ver. 2.0 PR.PS-01.01 PR.PS-01.01: The organization establishes and maintains standard system security configuration baselines, informed by industry standards and hardening guidelines, to facilitate the consistent application of security settings, configurations, and versions.
PR.IP-1.2 PR.IP-1.2: The organization establishes policies, procedures and tools, such as policy enforcement, device fingerprinting, patch status, operating system version, level of security controls, etc., to manage personnel's mobile devices before allowing access to the organization's network and resources. Statement Updated for Profile ver. 2.0 DE.CM-01.04 DE.CM-01.04: The organization has policies, procedures, and tools in place to monitor for, detect, and block access from/to devices that are not authorized or do not conform to security policy (e.g., unpatched systems).
PR.IP-1.3 PR.IP-1.3: The organization performs regular enforcement checks to ensure that non-compliance with baseline system security standards is promptly rectified. Statement Updated for Profile ver. 2.0 PR.PS-01.03 PR.PS-01.03: The organization employs detection measures and performs regular enforcement checks to ensure that non-compliance with baseline security standards is promptly identified and rectified.
PR.IP-1.4 PR.IP-1.4: The organization documents its requirements for accurate and resilient time services (e.g., synchronization to a mandated or appropriate authoritative time source) and adopts best practice guidance in implementing and using these services for logging, event correlation, forensic analysis, authentication, transactional processing, and other purposes. Statement Unchanged in Profile ver. 2.0 PR.PS-01.04 PR.PS-01.04: The organization documents its requirements for accurate and resilient time services (e.g., synchronization to a mandated or appropriate authoritative time source) and adopts best practice guidance in implementing and using these services for logging, event correlation, forensic analysis, authentication, transactional processing, and other purposes.
PR.IP-2.1 PR.IP-2.1: The organization implements a process for Secure System Development Lifecycle for in-house software design and development. Statement Updated for Profile ver. 2.0 PR.PS-06.01 PR.PS-06.01: The organization implements Secure Systems Development Lifecycle processes for in-house software design, configuration, and development, employing best practices from secure-by-design methodologies (e.g., secure coding, code review, application security testing, etc.) during all phases of both traditional and agile projects.
PR.IP-2.2 PR.IP-2.2: The organization implements a process for evaluating (e.g., assessing or testing) externally developed applications. Statement Updated for Profile ver. 2.0 EX.DD-04.01 EX.DD-04.01: The organization defines and implements procedures for assessing the compatibility, security, integrity, and authenticity of externally-developed or externally-sourced applications, software, software components, and firmware before deployment and upon any major change.
PR.IP-2.3 PR.IP-2.3: The organization assesses the cyber risks of software prior to deployment. Statement Updated for Profile ver. 2.0 PR.PS-06.05 PR.PS-06.05: A software security testing and validation strategy is developed and implemented in the development lifecycle of all software projects, defining testing requirements and plans; performing/automating testing, vulnerability scanning, and migration activities; and supporting code integrity verification (e.g., using digital signatures).
PR.IP-3.1 PR.IP-3.1: The organization's change management process explicitly considers cyber risks, in terms of residual cyber risks identified both prior to and during a change, and of any new cyber risk created post-change. Statement Updated for Profile ver. 2.0 ID.RA-07.01 ID.RA-07.01: The organization defines and implements change management standards and procedures, to include emergency change procedures, that explicitly address risk identified both prior to and during a change, any new risk created post-change, as well as the reviewing and approving authorities (e.g., change advisory boards).
PR.IP-4.1 PR.IP-4.1: The organization designs and tests its systems and processes to enable recovery of accurate data (e.g., material financial transactions) sufficient to support normal operations and obligations following a cybersecurity incident. Statement Merged with Another Statement for ver. 2.0 ID.IM-02.06 ID.IM-02.06: The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives.
PR.IP-4.2 PR.IP-4.2: The organization conducts and maintains backups of information and periodically conducts tests of backups to business assets (including full system recovery) to achieve cyber resilience. Statement Updated for Profile ver. 2.0 PR.DS-11.01 PR.DS-11.01: The organization defines and implements standards and procedures for configuring and performing backups and data replications, including defining backup requirements by data/application/infrastructure criticality, segregating (e.g., air-gapping) and securing backups, verifying backup integrity, and performing backup restoration testing.
PR.IP-4.3 PR.IP-4.3: The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives. Statement Unchanged in Profile ver. 2.0 ID.IM-04.04 ID.IM-04.04: The organization has plans to identify, in a timely manner, the status of all transactions and member positions at the time of a disruption, supported by corresponding recovery point objectives.
PR.IP-4.4 PR.IP-4.4: Recovery point objectives to support data integrity efforts are consistent with the organization's resumption time objective for critical operations. Statement Updated for Profile ver. 2.0 GV.OC-05.04 GV.OC-05.04: Recovery point objectives to support data integrity are consistent with the organization's recovery time objectives, information flow dependencies between systems, and business obligations.
PR.IP-5.1 PR.IP-5.1: Physical and environmental security policies are implemented and managed. Statement Unchanged in Profile ver. 2.0 GV.PO-01.06 GV.PO-01.06: Physical and environmental security policies are implemented and managed.
PR.IP-6.1 PR.IP-6.1: Data is maintained, stored, retained and destroyed according to the organization's data retention policy. Statement Updated for Profile ver. 2.0 ID.AM-08.05 ID.AM-08.05: The organization defines and implements standards and procedures, consistent with its data retention policy, for destroying or securely erasing data, media, and storage devices when the data is no longer needed.
PR.IP-7.1 PR.IP-7.1: A formal process is in place to improve protection processes by integrating lessons learned and responding to changes in the organization's environment. Statement Updated for Profile ver. 2.0 ID.IM-03.01 ID.IM-03.01: A formal process is in place to improve protection controls and processes by integrating recommendations, findings, and lessons learned from exercises, testing, audits, assessments, and incidents.
PR.IP-8.1 PR.IP-8.1: The organization shares appropriate types of information about the effectiveness of its protective measures with appropriate parties. Statement Merged with Another Statement for ver. 2.0 ID.RA-02.02 ID.RA-02.02: The organization shares authorized information on its cyber resilience framework and the effectiveness of protection technologies bilaterally with trusted external stakeholders to promote the understanding of each party’s approach to securing systems.
PR.IP-9.1 PR.IP-9.1: The organization's business continuity, disaster recovery, crisis management and response plans are in place and managed. Statement Updated for Profile ver. 2.0 ID.IM-04.01 ID.IM-04.01: The organization's business continuity, disaster recovery, crisis management, and response plans are in place and managed, aligned with each other, and incorporate considerations of cyber incidents.
PR.IP-9.2 PR.IP-9.2: The organization defines objectives for resumption of critical operations. Statement Merged with Another Statement for ver. 2.0 GV.OC-05.03 GV.OC-05.03: The organization defines objectives (e.g., Recovery Time Objective, Maximum Tolerable Downtime, Impact Tolerance) for the resumption of critical operations in alignment with business imperatives, stakeholder obligations, and critical infrastructure dependencies.
PR.IP-10.1 PR.IP-10.1: The organization establishes testing programs that include a range of scenarios, including severe but plausible scenarios (e.g., disruptive, destructive, corruptive) that could affect the organization's ability to service clients. Statement Updated for Profile ver. 2.0 ID.IM-02.05 ID.IM-02.05: The organization establishes testing programs that include a range of scenarios, including severe but plausible scenarios (e.g., disruptive, destructive, corruptive), that could affect the organization's ability to service internal and external stakeholders.
PR.IP-10.2 PR.IP-10.2: The organization's testing program validates the effectiveness of its cyber resilience framework on a regular basis. Statement Merged with Another Statement for ver. 2.0 ID.IM-02.04 ID.IM-02.04: The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required.
PR.IP-10.3 PR.IP-10.3: The organization's governing body (e.g., the Board or one of its committees) is involved in testing as part of a crisis management team and is informed of test results. Statement Updated for Profile ver. 2.0 ID.IM-02.07 ID.IM-02.07: The organization's governing body (e.g., the Board or one of its committees) and senior management are involved in testing as part of a crisis management team and are informed of test results.
PR.IP-10.4 PR.IP-10.4: The organization promotes, designs, organizes and manages testing exercises designed to test its response, resumption and recovery plans and processes. Statement Merged with Another Statement for ver. 2.0 ID.IM-02.04 ID.IM-02.04: The organization's testing program validates the effectiveness of its resilience strategy and response, disaster recovery, and resumption plans on a regular basis or upon major changes to business or system functions, and includes external stakeholders as required.
PR.IP-11.1 PR.IP-11.1: The organization conducts background/screening checks on all new employees, as permitted by law. Statement Merged with Another Statement for ver. 2.0 GV.RR-04.01 GV.RR-04.01: The organization conducts (or causes the conduct of) background/screening checks on all personnel (employees and third party) upon hire/retention, at regular intervals throughout employment, and upon a change in role commensurate with their access to critical data and systems.
PR.IP-11.2 PR.IP-11.2: The organization conducts background/screening checks on all staff at regular intervals throughout their employment, commensurate with staff’s access to critical systems or a change in role, as permitted by law. Statement Merged with Another Statement for ver. 2.0 GV.RR-04.01 GV.RR-04.01: The organization conducts (or causes the conduct of) background/screening checks on all personnel (employees and third party) upon hire/retention, at regular intervals throughout employment, and upon a change in role commensurate with their access to critical data and systems.
PR.IP-11.3 PR.IP-11.3: The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law. Statement Updated for Profile ver. 2.0 GV.RR-04.02 GV.RR-04.02: The organization establishes processes and controls to mitigate cyber risks related to employment termination, as permitted by law, to include the return or disposition of all organizational assets.
PR.IP-12.1 PR.IP-12.1: The organization establishes and maintains capabilities for ongoing vulnerability management, including systematic scans or reviews reasonably designed to identify publicly known cyber vulnerabilities in the organization based on the risk assessment. Statement Merged with Another Statement for ver. 2.0 ID.RA-01.03 ID.RA-01.03: The organization establishes and maintains standards and capabilities for ongoing vulnerability management, including systematic scans, or reviews reasonably designed to identify known cyber vulnerabilities and upgrade opportunities, across the organization's environments and assets.
PR.IP-12.2 PR.IP-12.2: The organization establishes a process to prioritize and remedy issues identified through vulnerability scanning. Statement Updated for Profile ver. 2.0 ID.RA-06.05 ID.RA-06.05: The organization defines and implements standards and procedures to prioritize and remediate issues identified in vulnerability scanning or penetration testing, including emergency or zero-day threats and vulnerabilities.
PR.IP-12.3 PR.IP-12.3: The organization has a formal exception management process for vulnerabilities that cannot be mitigated due to business-related exceptions. Statement Updated for Profile ver. 2.0 ID.RA-07.05 ID.RA-07.05: The organization establishes and maintains an exception management process for identified vulnerabilities that cannot be mitigated within target timeframes.
PR.IP-12.4 PR.IP-12.4: The organization ensures that a process exists and is implemented to identify patches to technology assets, evaluate patch criticality and risk, and test and apply the patch within an appropriate time frame. Statement Updated for Profile ver. 2.0 PR.PS-02.01 PR.PS-02.01: The organization defines and implements controls to identify patches to technology assets, assess patch criticality and risk, test patches, and apply patches within risk/criticality-based target time frames.
PR.MA-1.1 PR.MA-1.1: Policies, standards and procedures for the maintenance of assets include, but are not limited to, physical entry controls, equipment maintenance and removal of assets. Statement Merged with Another Statement for ver. 2.0 PR.PS-03.01 PR.PS-03.01: The organization defines and implements controls for the on-site and remote maintenance and repair of the organization's technology assets (e.g., work must be performed by authorized personnel, use of approved procedures and tools, use of original or vendor-approved spare parts).
PR.MA-2.1 PR.MA-2.1: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access. Statement Merged with Another Statement for ver. 2.0 PR.PS-03.01 PR.PS-03.01: The organization defines and implements controls for the on-site and remote maintenance and repair of the organization's technology assets (e.g., work must be performed by authorized personnel, use of approved procedures and tools, use of original or vendor-approved spare parts).
PR.PT-1.1 PR.PT-1.1: The organization's audit trails are designed to detect cybersecurity events that may materially harm normal operations of the organization. Statement Merged with Another Statement for ver. 2.0 PR.PS-04.01 PR.PS-04.01: The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods.
PR.PT-1.2 PR.PT-1.2: The organization's activity logs and other security event logs are reviewed and are retained in a secure manner for an appropriate amount of time. Statement Updated for Profile ver. 2.0 PR.PS-04.03 PR.PS-04.03: The organization's activity logs and other security event logs are generated, reviewed, securely stored, and retained in accordance with data retention obligations and established standards.
PR.PT-2.1 PR.PT-2.1: The organization's removable media and mobile devices are protected and use is restricted according to policy. Statement Updated for Profile ver. 2.0 PR.DS-01.03 PR.DS-01.03: The organization defines and implements controls for the protection and use of removable media (e.g., access/use restrictions, encryption, malware scanning, data loss prevention, etc.).
PR.PT-3.1 PR.PT-3.1: The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality. Statement Unchanged in Profile ver. 2.0 PR.PS-01.02 PR.PS-01.02: The organization's systems are configured to provide only essential capabilities to implement the principle of least functionality.
PR.PT-4.1 PR.PT-4.1: The organization's communications and control networks are protected through applying defense-in-depth principles (e.g., network segmentation, firewalls, physical access controls to network equipment, etc.). Statement Merged with Another Statement for ver. 2.0 PR.IR-01.01 PR.IR-01.01: Networks, systems, and external connections are segmented (e.g., using firewalls, software-defined networks, guest wireless networks, etc.) to implement defense-in-depth and access isolation principles.
PR.PT-5.1 PR.PT-5.1: The organization implements mechanisms (e.g., failsafe, load balancing, hot swap) to achieve resilience requirements in normal and adverse situations. Statement Updated for Profile ver. 2.0 PR.IR-03.01 PR.IR-03.01: The organization implements mechanisms (e.g., failsafe, load balancing, hot swaps, redundant equipment, alternate services, backup facilities, etc.) to achieve resilience requirements in normal and adverse situations.
DE.AE-1.1 DE.AE-1.1: The organization identifies, establishes, documents and manages a baseline mapping of network resources, expected connections and data flows. Statement Updated for Profile ver. 2.0 PR.IR-04.01 PR.IR-04.01: Baseline measures of network and system utilization and transaction activity are captured to support capacity planning and anomalous activity detection.
DE.AE-2.1 DE.AE-2.1: The organization performs timely collection of relevant data, as well as advanced and automated analysis (including use of security tools such as antivirus, IDS/IPS) on the detected events to:
(1) Assess and understand the nature, scope and method of the attack;
(2) Predict and block a similar future attack; and
(3) Report timely risk metrics.
Statement Updated for Profile ver. 2.0 DE.AE-02.01 DE.AE-02.01: The organization performs timely collection of event data, as well as advanced and automated analysis (including the use of security tools such as antivirus and IDS/IPS) on the detected events to:
(1) Assess and understand the nature, scope and method of the attack;
(2) Predict and block a similar future attack; and
(3) Report timely risk metrics.
DE.AE-3.1 DE.AE-3.1: The organization has a capability to collect, analyze, and correlate event data across the organization in order to predict, analyze, and respond to changes in the operating environment. Statement Merged with Another Statement for ver. 2.0 DE.AE-03.02 DE.AE-03.02: The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks.
DE.AE-3.2 DE.AE-3.2: The organization deploys tools, as appropriate, to perform real-time central aggregation and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence from multiple sources, including both internal and external sources, to better detect and prevent multifaceted cyber attacks. Statement Merged with Another Statement for ver. 2.0 DE.AE-03.02 DE.AE-03.02: The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks.
DE.AE-4.1 DE.AE-4.1: The organization has a documented process in place to analyze the impact of a material cybersecurity incident (including the financial impact) on the organization as well as across the financial sector, as appropriate, per the organization's size, scope, and complexity and its role in the financial sector. Statement Updated for Profile ver. 2.0 DE.AE-04.01 DE.AE-04.01: The organization has a documented process to analyze and triage incidents to assess root cause, technical impact, mitigation priority, and business impact on the organization, as well as across the financial sector and other third party stakeholders.
DE.AE-5.1 DE.AE-5.1: The organization establishes and documents cyber event alert parameters and thresholds as well as rule-based triggers for an automated response within established parameters when known attack patterns, signatures or behaviors are detected. Statement Updated for Profile ver. 2.0 DE.AE-02.02 DE.AE-02.02: The organization establishes, documents, and regularly reviews event alert parameters and thresholds, as well as rule-based triggers to support automated responses, when known attack patterns, signatures or behaviors are detected.
DE.CM-1.1 DE.CM-1.1: The organization establishes relevant system logging policies that include the types of logs to be maintained and their retention periods. Statement Merged with Another Statement for ver. 2.0 PR.PS-04.01 PR.PS-04.01: The organization establishes and regularly reviews log management standards and practices, to include the types of events to be detected, log content, security and access considerations, monitoring protocols, integrity checking mechanisms, and retention periods.
DE.CM-1.2 DE.CM-1.2: The organization implements systematic and real-time logging, monitoring, detecting, and alerting measures across multiple layers of the organization's infrastructure (covering physical perimeters, network, operating systems, applications and data). Statement Updated for Profile ver. 2.0 DE.AE-03.01 DE.AE-03.01: The organization implements systematic and real-time logging, collection, monitoring, detection, and alerting measures across multiple layers of the organization's infrastructure, including physical perimeters, network, operating systems, applications, data, and external (cloud and outsourced) environments, sufficient to protect the organization's information assets.
DE.CM-1.3 DE.CM-1.3: The organization deploys intrusion detection and intrusion prevention capabilities to detect and prevent a potential network intrusion in its early stages for timely containment and recovery. Statement Updated for Profile ver. 2.0 DE.CM-01.01 DE.CM-01.01: The organization deploys intrusion detection and intrusion prevention capabilities to detect and prevent a potential network intrusion in its early stages for timely containment and recovery.
DE.CM-1.4 DE.CM-1.4: The organization implements mechanisms, such as alerting and filtering sudden high volume and suspicious incoming traffic, to prevent (Distributed) Denial of Services (DoS/DDoS) attacks. Statement Updated for Profile ver. 2.0 DE.CM-01.02 DE.CM-01.02: The organization implements mechanisms, such as alerting and filtering of sudden high volumes and suspicious incoming traffic, to detect and mitigate Denial of Service, "bot", and credential stuffing attacks.
DE.CM-2.1 DE.CM-2.1: The organization's controls include monitoring and detection of anomalous activities and potential cybersecurity events across the organization's physical environment and infrastructure, including unauthorized physical access to high-risk or confidential systems. Statement Updated for Profile ver. 2.0 DE.CM-02.01 DE.CM-02.01: The organization's controls include monitoring and detection of anomalous activities and potential intrusion events across the organization's physical environment and infrastructure, including the detection of environmental threats (fire, water, service outages, etc.) and unauthorized physical access to high-risk system components and locations.
DE.CM-3.1 DE.CM-3.1: The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events. Statement Unchanged in Profile ver. 2.0 DE.CM-03.02 DE.CM-03.02: The organization's controls actively monitor personnel (both authorized and unauthorized) for access, authentication, usage, connections, devices, and anomalous behavior to rapidly detect potential cybersecurity events.
DE.CM-3.2 DE.CM-3.2: The organization performs logging and reviewing of the system activities of privileged users, and monitoring for anomalies is implemented. Statement Updated for Profile ver. 2.0 DE.CM-03.03 DE.CM-03.03: The organization logs and reviews the activities of privileged users and accounts, and monitoring for anomalous behaviors is implemented.
DE.CM-3.3 DE.CM-3.3: The organization conducts periodic cyber attack simulations to detect control gaps in employee behavior, policies, procedures and resources. Statement Merged with Another Statement for ver. 2.0 ID.RA-05.04 ID.RA-05.04: The organization uses scenario planning, table-top exercises, or similar event analysis techniques to identify vulnerabilities and determine potential impacts to critical infrastructure, technology, and business processes.
DE.CM-4.1 DE.CM-4.1: The organization implements and manages appropriate tools to detect and block malware from infecting networks and systems. Statement Updated for Profile ver. 2.0 PR.PS-05.01 PR.PS-05.01: The organization has policies, procedures, and tools in place to detect and block malware from infecting networks and systems, including automatically updating malware signatures and behavior profiles on all endpoints.
DE.CM-4.2 DE.CM-4.2: The organization implements email protection mechanisms to automatically scan, detect, and protect from any attached malware or malicious links present in the email. Statement Updated for Profile ver. 2.0 PR.PS-05.03 PR.PS-05.03: The organization has policies, procedures, and tools in place to detect, isolate, and block the use of attached malware or malicious links present in email or message services.
DE.CM-5.1 DE.CM-5.1: The organization implements safeguards against mobile malware and attacks for mobile devices connecting to corporate network and accessing corporate data (e.g., anti-virus, timely patch deployment, etc.). Statement Updated for Profile ver. 2.0 PR.PS-05.02 PR.PS-05.02: The organization implements safeguards against unauthorized mobile code (e.g., JavaScript, ActiveX, VBScript, PowerShell, etc.) on mobile, end point, and server systems.
DE.CM-6.1 DE.CM-6.1: The organization authorizes and monitors all third-party connections. Statement Updated for Profile ver. 2.0 DE.CM-06.01 DE.CM-06.01: The organization reviews, documents, authorizes, and monitors all third-party connections, data transfer mechanisms, and Application Programming Interfaces (APIs).
DE.CM-6.2 DE.CM-6.2: The organization collaborates with third-party service providers to maintain and improve the security of external connections. Statement Updated for Profile ver. 2.0 EX.MM-02.03 EX.MM-02.03: The organization collaborates with suppliers to maintain and improve the secure use of products, services, and external connections.
DE.CM-6.3 DE.CM-6.3: The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider. Statement Unchanged in Profile ver. 2.0 DE.CM-06.02 DE.CM-06.02: The organization implements an explicit approval and logging process and sets up automated alerts to monitor and prevent any unauthorized access to a critical system by a third-party service provider.
DE.CM-7.1 DE.CM-7.1: The organization implements appropriate controls to prevent use of unsupported and unauthorized software. Statement Merged with Another Statement for ver. 2.0 DE.CM-09.03 DE.CM-09.03: The organization has policies, procedures, and tools in place to monitor for, detect, and block the use of unsupported or unauthorized software, hardware, or configuration changes.
DE.CM-7.2 DE.CM-7.2: The organization has policies, procedures and adequate tools in place to monitor, detect, and block access from/to devices, connections, and data transfers. Statement Updated for Profile ver. 2.0 DE.CM-01.03 DE.CM-01.03: The organization has policies, procedures, and tools in place to monitor for, detect, and block unauthorized network connections and data transfers.
DE.CM-7.3 DE.CM-7.3: The organization sets up automatic and real-time alerts when an unauthorized software, hardware or configuration change occurs. Statement Merged with Another Statement for ver. 2.0 DE.CM-09.03 DE.CM-09.03: The organization has policies, procedures, and tools in place to monitor for, detect, and block the use of unsupported or unauthorized software, hardware, or configuration changes.
DE.CM-7.4 DE.CM-7.4: The organization implements web-filtering tools and technology to block access to inappropriate or malicious websites. Statement Updated for Profile ver. 2.0 DE.CM-01.05 DE.CM-01.05: The organization implements measures to detect and block access to unauthorized, inappropriate, or malicious websites and services (e.g., social media, messaging, file sharing).
DE.CM-8.1 DE.CM-8.1: The organization conducts periodic vulnerability scanning, including automated scanning across all environments to identify potential system vulnerabilities, including publicly known vulnerabilities, upgrade opportunities, and new defense layers. Statement Merged with Another Statement for ver. 2.0 ID.RA-01.03 ID.RA-01.03: The organization establishes and maintains standards and capabilities for ongoing vulnerability management, including systematic scans, or reviews reasonably designed to identify known cyber vulnerabilities and upgrade opportunities, across the organization's environments and assets.
DE.CM-8.2 DE.CM-8.2: The organization conducts, either by itself or by an independent third-party, periodic penetration testing and red team testing on the organization's network, internet-facing applications or systems, and critical applications to identify gaps in cybersecurity defenses. Statement Updated for Profile ver. 2.0 ID.IM-02.01 ID.IM-02.01: The organization conducts regular, independent penetration testing and red team testing on the organization's network, internet-facing systems, critical applications, and associated controls to identify gaps in cybersecurity defenses.
DE.DP-1.1 DE.DP-1.1: The organization has established and assigned roles and responsibilities for systematic monitoring and reporting processes. Statement Updated for Profile ver. 2.0 GV.RR-02.02 GV.RR-02.02: The organization has established and assigned roles and responsibilities for systematic cybersecurity threat identification, monitoring, detection, and event reporting processes, and ensures adequate coverage and organizational alignment for these functions.
DE.DP-2.1 DE.DP-2.1: The organization's monitoring and detection processes comply with all applicable requirements. Statement Not Carried Over to Profile ver. 2.0 None None - Not Carried Over to Profile ver. 2.0
DE.DP-3.1 DE.DP-3.1: The organization establishes a comprehensive testing program to conduct periodic and proactive testing and validation of the effectiveness of the organization's incident detection processes and controls. Statement Merged with Another Statement for ver. 2.0 ID.IM-02.03 ID.IM-02.03: The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders.
DE.DP-4.1 DE.DP-4.1: The organization has established processes and protocols to communicate, alert and periodically report detected potential cyber attacks and incident information including its corresponding analysis and cyber threat intelligence to internal and external stakeholders. Statement Updated for Profile ver. 2.0 DE.AE-06.01 DE.AE-06.01: The organization has established processes and protocols to communicate, alert, and regularly report potential cyber attacks and incident information, including its corresponding analysis and cyber threat intelligence, to authorized internal and external stakeholders.
DE.DP-4.2 DE.DP-4.2: The organization tests and validates the effectiveness of the incident reporting and communication processes and protocols with internal and external stakeholders. Statement Merged with Another Statement for ver. 2.0 ID.IM-02.03 ID.IM-02.03: The organization tests and validates the effectiveness of the incident detection, reporting, and communication processes and protocols with internal and external stakeholders.
DE.DP-5.1 DE.DP-5.1: The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as incorporate the lessons learned, as the threat landscape evolves. Statement Updated for Profile ver. 2.0 ID.IM-03.02 ID.IM-03.02: The organization establishes a systematic and comprehensive program to regularly evaluate and improve its monitoring and detection processes and controls as the threat environment changes, tools and techniques evolve, and lessons are learned.
RS.RP-1.1 RS.RP-1.1: The organization's response plans are in place and executed during or after an incident. Statement Updated for Profile ver. 2.0 RS.MA-01.01 RS.MA-01.01: The organization's response plans are in place and executed during or after an incident, to include coordination with relevant third parties and engagement of third-party incident support services.
RS.CO-1.1 RS.CO-1.1: The organization's incident response plan contains clearly defined roles, responsibilities and levels of decision-making authority. Statement Updated for Profile ver. 2.0 ID.IM-04.02 ID.IM-04.02: The organization's incident response and business continuity plans contain clearly defined roles, responsibilities, and levels of decision-making authority, and include all needed areas of participation and expertise across the organization and key third parties.
RS.CO-1.2 RS.CO-1.2: The organization ensures cyber threat intelligence is made available to appropriate staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels within the organization. Statement Updated for Profile ver. 2.0 RS.CO-03.01 RS.CO-03.01: The organization ensures that cyber threat intelligence is made available, in a secure manner, to authorized staff with responsibility for the mitigation of cyber risks at the strategic, tactical and operational levels within the organization.
RS.CO-1.3 RS.CO-1.3: The organization's personnel know their roles and responsibilities and order of operations when a response is needed. Statement Updated for Profile ver. 2.0 PR.AT-02.03 PR.AT-02.03: All personnel (employee and third party) are made aware of and are trained for their role and operational steps in response and recovery plans.
RS.CO-2.1 RS.CO-2.1: The organization's incident response plan describes how to appropriately document and report cyber events and related incident response activities. Statement Updated for Profile ver. 2.0 RS.MA-05.01 RS.MA-05.01: The organization's incident response plans define severity levels and associated criteria for initiating response plans and escalating event response to appropriate stakeholders and management levels.
RS.CO-2.2 RS.CO-2.2: In the event of a cybersecurity incident, the organization notifies appropriate stakeholders including, as required, government bodies, self-regulatory agencies or any other supervisory bodies. Statement Updated for Profile ver. 2.0 RS.CO-02.02 RS.CO-02.02: In the event of an incident, the organization notifies impacted stakeholders including, as required, government bodies, self-regulatory agencies and/or other supervisory bodies, within required timeframes.
RS.CO-2.3 RS.CO-2.3: The organization's incident response program includes effective escalation protocols linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's appropriate governing authority and senior management), and how information provided to the organization will be acted upon. Statement Updated for Profile ver. 2.0 RS.CO-02.01 RS.CO-02.01: The organization's incident response program includes defined and approved escalation protocols, linked to organizational decision levels and communication strategies, including which types of information will be shared, with whom (e.g., the organization's governing authority and senior management), and how information provided to the organization will be acted upon.
RS.CO-2.4 RS.CO-2.4: The organization's reporting requirements and capabilities are consistent with information-sharing arrangements within the organization's communities and the financial sector. Statement Merged with Another Statement for ver. 2.0 RS.CO-03.02 RS.CO-03.02: In the event of an incident, the organization shares authorized information, in a defined manner and through trusted channels, to facilitate the detection, response, resumption and recovery of its own systems and those of other partners and critical sector participants.
RS.CO-3.1 RS.CO-3.1: Information is shared consistent with response plans. Statement Merged with Another Statement for ver. 2.0 RS.CO-03.02 RS.CO-03.02: In the event of an incident, the organization shares authorized information, in a defined manner and through trusted channels, to facilitate the detection, response, resumption and recovery of its own systems and those of other partners and critical sector participants.
RS.CO-3.2 RS.CO-3.2: In the event of a cybersecurity incident, the organization shares information in an appropriate manner that could facilitate the detection, response, resumption and recovery of its own systems and those of other financial sector participants through trusted channels. Statement Merged with Another Statement for ver. 2.0 RS.CO-03.02 RS.CO-03.02: In the event of an incident, the organization shares authorized information, in a defined manner and through trusted channels, to facilitate the detection, response, resumption and recovery of its own systems and those of other partners and critical sector participants.
RS.CO-4.1 RS.CO-4.1: The organization has a plan to coordinate and communicate with internal and external stakeholders during or following a cyber attack as appropriate. Statement Updated for Profile ver. 2.0 RS.CO-02.03 RS.CO-02.03: The organization maintains and regularly tests incident response communication procedures, with associated contact lists, call trees, and automatic notifications, to quickly coordinate and communicate with internal and external stakeholders during or following an incident.
RS.CO-5.1 RS.CO-5.1: The organization actively participates in multilateral information-sharing arrangements to facilitate a sector-wide response to large-scale incidents. Statement Merged with Another Statement for ver. 2.0 RS.CO-03.02 RS.CO-03.02: In the event of an incident, the organization shares authorized information, in a defined manner and through trusted channels, to facilitate the detection, response, resumption and recovery of its own systems and those of other partners and critical sector participants.
RS.CO-5.2 RS.CO-5.2: The organization shares information on its cyber resilience framework bilaterally with trusted external stakeholders to promote understanding of each other’s approach to securing systems that are linked or interfaced. Statement Merged with Another Statement for ver. 2.0 ID.RA-02.02 ID.RA-02.02: The organization shares authorized information on its cyber resilience framework and the effectiveness of protection technologies bilaterally with trusted external stakeholders to promote the understanding of each party’s approach to securing systems.
RS.CO-5.3 RS.CO-5.3: The organization maintains ongoing situational awareness of its operational status and cybersecurity posture to pre-empt cyber events and respond rapidly to them. Statement Merged with Another Statement for ver. 2.0 DE.AE-03.02 DE.AE-03.02: The organization performs real-time central analysis, aggregation, and correlation of anomalous activities, network and system alerts, and relevant event and cyber threat intelligence, including both internal and external (cloud and outsourced) environments, to better detect and prevent multifaceted cyber attacks.
RS.AN-1.1 RS.AN-1.1: Tools and processes are in place to ensure timely detection, alert, and activation of the incident response program. Statement Updated for Profile ver. 2.0 RS.MA-02.01 RS.MA-02.01: Tools and processes are in place to ensure timely detection, inspection, assessment, and analysis of security event data for reliable activation of incident response processes.
RS.AN-2.1 RS.AN-2.1: The organization uses cyber-attack scenarios to determine potential impact to critical business processes. Statement Merged with Another Statement for ver. 2.0 ID.RA-05.04 ID.RA-05.04: The organization uses scenario planning, table-top-exercises, or similar event analysis techniques to identify vulnerabilities and determine potential impacts to critical infrastructure, technology, and business processes.
RS.AN-2.2 RS.AN-2.2: The organization performs a thorough investigation to determine the nature of a cyber event, its extent, and the damage inflicted. Statement Updated for Profile ver. 2.0 RS.AN-03.01 RS.AN-03.01: The organization performs a thorough investigation to determine the nature and scope of an event, possible root causes, and the potential damage inflicted.
RS.AN-3.1 RS.AN-3.1: The organization has the capability to assist in or conduct forensic investigations of cybersecurity incidents and engineer protective and detective controls to facilitate the investigative process. Statement Updated for Profile ver. 2.0 RS.AN-06.01 RS.AN-06.01: The organization establishes a risk-based approach and procedures for quarantining systems, conducting investigations, and collecting and preserving evidence per best practices and forensic standards.
RS.AN-4.1 RS.AN-4.1: The organization categorizes and prioritizes cybersecurity incident response consistent with response plans and criticality of systems to the enterprise. Statement Updated for Profile ver. 2.0 RS.MA-03.01 RS.MA-03.01: The organization categorizes and prioritizes cybersecurity incident response consistent with response plans and criticality of systems and services to the enterprise.
RS.AN-5.1 RS.AN-5.1: The organization has established enterprise processes for receiving and appropriately channeling vulnerability disclosures from:
(1) Public sources (e.g., security researchers);
(2) Vulnerability sharing forums (e.g., FS-ISAC); and
(3) Third-parties (e.g., cloud vendors);
(4) Internal sources (e.g., development teams).
Statement Updated for Profile ver. 2.0 ID.RA-08.01 ID.RA-08.01: The organization has established enterprise processes for soliciting, receiving and appropriately channeling vulnerability disclosures from:
(1) Public sources (e.g., customers and security researchers);
(2) Vulnerability sharing forums (e.g., FS-ISAC); and
(3) Third-parties (e.g., cloud vendors);
(4) Internal sources (e.g., development teams).
RS.AN-5.2 RS.AN-5.2: The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on:
(1) Determining its validity;
(2) Assessing its scope (e.g., affected assets);
(3) Determining its severity and impact;
(4) Identifying affected stakeholders or customers; and
(5) Analyzing options to respond.
Statement Updated for Profile ver. 2.0 ID.RA-08.02 ID.RA-08.02: The organization has established enterprise processes to analyze disclosed vulnerabilities with a focus on:
(1) Determining its validity;
(2) Assessing its scope (e.g., affected assets);
(3) Determining its severity and impact;
(4) Identifying affected stakeholders or customers; and
(5) Analyzing options to respond.
RS.AN-5.3 RS.AN-5.3: The organization has established processes to implement vulnerability mitigation plans, as well as validate their completion and effectiveness. Statement Merged with Another Statement for ver. 2.0 RS.MI-01.01 RS.MI-01.01: The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner.
RS.MI-1.1 RS.MI-1.1: The organization contains cybersecurity incidents in a timely manner. Statement Merged with Another Statement for ver. 2.0 RS.MI-01.01 RS.MI-01.01: The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner.
RS.MI-1.2 RS.MI-1.2: The organization's procedures include containment strategies and notifying potentially impacted third-parties, as appropriate. Statement Merged with Another Statement for ver. 2.0 RS.MI-01.01 RS.MI-01.01: The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner.
RS.MI-2.1 RS.MI-2.1: The organization mitigates cybersecurity incidents in a timely manner. Statement Merged with Another Statement for ver. 2.0 RS.MI-01.01 RS.MI-01.01: The organization has established processes to implement vulnerability mitigation plans, involve third-party partners and outside expertise as needed, and contain incidents in a timely manner.
RS.MI-3.1 RS.MI-3.1: The organization's incident response plan identifies requirements for the remediation of any identified weaknesses in systems and associated controls. Statement Merged with Another Statement for ver. 2.0 ID.RA-06.06 ID.RA-06.06: The organization follows documented procedures, consistent with established risk response processes, for mitigating or accepting the risk of vulnerabilities or weaknesses identified in exercises and testing or when responding to incidents.
RS.MI-3.2 RS.MI-3.2: Vulnerabilities identified as a result of a cybersecurity incident are mitigated or documented by the organization as accepted risks and monitored. Statement Merged with Another Statement for ver. 2.0 ID.RA-06.06 ID.RA-06.06: The organization follows documented procedures, consistent with established risk response processes, for mitigating or accepting the risk of vulnerabilities or weaknesses identified in exercises and testing or when responding to incidents.
RS.IM-1.1 RS.IM-1.1: The organization's incident response plans are actively updated based on current cyber threat intelligence, information-sharing and lessons learned following a cyber event. Statement Merged with Another Statement for ver. 2.0 ID.IM-04.08 ID.IM-04.08: The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on:
(1) Lessons learned from incidents that have occurred (both internal and external to the organization);
(2) Current cyber threat intelligence (both internal and external sources);
(3) Recent and wide-scale cyber attack scenarios;
(4) Operationally and technically plausible future cyber attacks;
(5) Organizational or technical environment changes; and,
(6) New technological developments.
RS.IM-1.2 RS.IM-1.2: The results of the testing program are used by the organization to support ongoing improvement of its cyber resilience. Statement Merged with Another Statement for ver. 2.0 ID.IM-04.08 ID.IM-04.08: The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on:
(1) Lessons learned from incidents that have occurred (both internal and external to the organization);
(2) Current cyber threat intelligence (both internal and external sources);
(3) Recent and wide-scale cyber attack scenarios;
(4) Operationally and technically plausible future cyber attacks;
(5) Organizational or technical environment changes; and,
(6) New technological developments.
RS.IM-1.3 RS.IM-1.3: The organization's cyber resilience and incident response programs have processes in place to incorporate lessons learned from cyber events that have occurred within and outside the organization. Statement Merged with Another Statement for ver. 2.0 ID.IM-04.08 ID.IM-04.08: The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on:
(1) Lessons learned from incidents that have occurred (both internal and external to the organization);
(2) Current cyber threat intelligence (both internal and external sources);
(3) Recent and wide-scale cyber attack scenarios;
(4) Operationally and technically plausible future cyber attacks;
(5) Organizational or technical environment changes; and,
(6) New technological developments.
RS.IM-2.1 RS.IM-2.1: The organization periodically reviews response strategy and exercises and updates them as necessary, based on:
(1) Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization);
(2) Current cyber threat intelligence (both internal and external sources);
(3) Recent and wide-scale cyber attack scenarios;
(4) Operationally and technically plausible future cyber attacks; and
(5) New technological developments.
Statement Merged with Another Statement for ver. 2.0 ID.IM-04.08 ID.IM-04.08: The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on:
(1) Lessons learned from incidents that have occurred (both internal and external to the organization);
(2) Current cyber threat intelligence (both internal and external sources);
(3) Recent and wide-scale cyber attack scenarios;
(4) Operationally and technically plausible future cyber attacks;
(5) Organizational or technical environment changes; and,
(6) New technological developments.
RC.RP-1.1 RC.RP-1.1: The organization executes its recovery plans, including incident recovery, disaster recovery and business continuity plans, during or after an incident to resume operations. Statement Updated for Profile ver. 2.0 RC.RP-01.01 RC.RP-01.01: The organization executes its recovery plans, including incident recovery, disaster recovery, and business continuity plans, during or after an incident to resume operations.
RC.RP-1.2 RC.RP-1.2: Organization's recovery plans are executed by first resuming critical services and core business functions, and without causing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications. Statement Merged with Another Statement for ver. 2.0 RC.RP-02.02 RC.RP-02.02: Recovery plans are executed by first resuming critical services and core business functions, while minimizing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications.
RC.RP-1.3 RC.RP-1.3: The recovery plan includes a minimum recovery time for the sector critical systems. Statement Merged with Another Statement for ver. 2.0 GV.OC-05.03 GV.OC-05.03: The organization defines objectives (e.g., Recovery Time Objective, Maximum Tolerable Downtime, Impact Tolerance) for the resumption of critical operations in alignment with business imperatives, stakeholder obligations, and critical infrastructure dependencies.
RC.RP-1.4 RC.RP-1.4: The recovery plan includes recovery of clearing and settlement activities after a wide-scale disruption with the overall goal of completing material pending transactions on the scheduled settlement date. Statement Merged with Another Statement for ver. 2.0 ID.IM-02.06 ID.IM-02.06: The organization designs and tests its systems and processes, and employs third-party support resources (e.g., Sheltered Harbor), to enable recovery of accurate data (e.g., material financial transactions) sufficient to support defined business recovery time and recovery point objectives.
RC.RP-1.5 RC.RP-1.5: The recovery plan includes recovery of resilience following a long term loss of capability (e.g., site or third-party) detailing when the plan should be activated and implementation steps. Statement Updated for Profile ver. 2.0 ID.IM-04.05 ID.IM-04.05: Recovery plans include restoration of resilience following a long term loss of capability (e.g., at an alternate site or a third-party), detailing when the plan should be activated and implementation steps.
RC.RP-1.6 RC.RP-1.6: The recovery plan includes plans to come back for both traditional and highly available (e.g., cloud) infrastructure. Statement Updated for Profile ver. 2.0 ID.IM-04.03 ID.IM-04.03: Recovery plans include service resumption steps for all operating environments, including traditional, alternate recovery, and highly available (e.g., cloud) infrastructures.
RC.IM-1.1 RC.IM-1.1: The organization refines its cyber resilience and incident response plans by actively identifying and incorporating crucial lessons learned from:
(1) cybersecurity incidents that have occurred within the organization;
(2) Cybersecurity assessments and testing performed internally; and
(3) Widely reported events, industry reports and cybersecurity incidents that have occurred outside the organization.
Statement Merged with Another Statement for ver. 2.0 ID.IM-04.08 ID.IM-04.08: The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on:
(1) Lessons learned from incidents that have occurred (both internal and external to the organization);
(2) Current cyber threat intelligence (both internal and external sources);
(3) Recent and wide-scale cyber attack scenarios;
(4) Operationally and technically plausible future cyber attacks;
(5) Organizational or technical environment changes; and,
(6) New technological developments.
RC.IM-2.1 RC.IM-2.1: The organization periodically reviews recovery strategy and exercises and updates them as necessary, based on:
(1) Lessons learned from cybersecurity incidents that have occurred (both within and outside the organization);
(2) Current cyber threat intelligence (both internal and external sources);
(3) Recent and wide-scale cyber attack scenarios;
(4) Operationally and technically plausible future cyber attacks; and
(5) New technological developments.
Statement Merged with Another Statement for ver. 2.0 ID.IM-04.08 ID.IM-04.08: The organization regularly reviews response strategy, incident management plans, recovery plans, and associated tests and exercises and updates them, as necessary, based on:
(1) Lessons learned from incidents that have occurred (both internal and external to the organization);
(2) Current cyber threat intelligence (both internal and external sources);
(3) Recent and wide-scale cyber attack scenarios;
(4) Operationally and technically plausible future cyber attacks;
(5) Organizational or technical environment changes; and,
(6) New technological developments.
RC.CO-1.1 RC.CO-1.1: The organization's governing body (e.g., the Board or one of its committees) ensures that a communication plan exists to notify internal and external stakeholders about an incident, as appropriate. Statement Merged with Another Statement for ver. 2.0 RC.CO-04.01 RC.CO-04.01: Pre-established communication plans and message templates, and authorized protocols, contacts, media, and communications, are used to notify and inform the public and key external stakeholders about an incident.
RC.CO-1.2 RC.CO-1.2: The organization promptly communicates the status of recovery activities to regulatory authorities and relevant external stakeholders, as appropriate. Statement Updated for Profile ver. 2.0 RC.CO-03.02 RC.CO-03.02: The organization promptly communicates the status of recovery activities to regulatory authorities and relevant external stakeholders, as required or appropriate.
RC.CO-2.1 RC.CO-2.1: Actionable and effective mitigation techniques are taken and communicated appropriately to restore and improve the organization's reputation after an incident. Statement Merged with Another Statement for ver. 2.0 RC.CO-04.01 RC.CO-04.01: Pre-established communication plans and message templates, and authorized protocols, contacts, media, and communications, are used to notify and inform the public and key external stakeholders about an incident.
RC.CO-3.1 RC.CO-3.1: The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the appropriate governing body (e.g., the Board or one of its committees), senior management and relevant internal stakeholders. Statement Updated for Profile ver. 2.0 RC.CO-03.01 RC.CO-03.01: The organization timely involves and communicates the recovery activities, procedures, cyber risk management issues to the governing body (e.g., the Board or one of its committees), senior management, incident management support teams, and relevant internal stakeholders.
DM.ID-1.1 DM.ID-1.1: The organization has integrated its internal dependency management strategy into the overall strategic risk management plan. Statement Merged with Another Statement for ver. 2.0 GV.OC-05.01 GV.OC-05.01: The organization identifies, assesses, and documents the key dependencies, interdependencies, and potential points of failure to support the delivery of critical services (e.g., systems, business processes, workforce, third parties, facilities, etc.)
DM.ID-1.2 DM.ID-1.2: The organization monitors the effectiveness of its internal dependency management strategy. Statement Not Carried Over to Profile ver. 2.0 None None - Not Carried Over to Profile ver. 2.0
DM.ID-1.3 DM.ID-1.3: The organization ensures appropriate oversight of and compliance with the internal dependency management strategy implementation. Statement Not Carried Over to Profile ver. 2.0 None None - Not Carried Over to Profile ver. 2.0
DM.ID-1.4 DM.ID-1.4: The organization has established and applies appropriate controls to address the inherent risk of internal dependencies. Statement Merged with Another Statement for ver. 2.0 GV.OC-05.01 GV.OC-05.01: The organization identifies, assesses, and documents the key dependencies, interdependencies, and potential points of failure to support the delivery of critical services (e.g., systems, business processes, workforce, third parties, facilities, etc.)
DM.ID-2.1 DM.ID-2.1: Roles and responsibilities for internal dependency management are defined and assigned. Statement Not Carried Over to Profile ver. 2.0 None None - Not Carried Over to Profile ver. 2.0
DM.ED-1.1 DM.ED-1.1: The organization has integrated its external dependency management strategy into the overall cyber risk management plan. Statement Updated for Profile ver. 2.0 GV.SC-03.01 GV.SC-03.01: The organization's third-party risk management strategy and program aligns with and supports its enterprise, technology, cybersecurity, and resilience risk management frameworks and programs.
DM.ED-1.2 DM.ED-1.2: The organization monitors the effectiveness of its external dependency management strategy to reduce cyber risks associated with external dependencies. Statement Updated for Profile ver. 2.0 ID.IM-01.05 ID.IM-01.05: The organization's third-party risk management program is regularly assessed, reported on, and improved.
DM.ED-1.3 DM.ED-1.3: The organization ensures appropriate oversight and compliance with the external dependency strategy implementation. Statement Updated for Profile ver. 2.0 GV.RR-01.02 GV.RR-01.02: The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization’s third-party risk management strategy and program and for managing the organization's ongoing risks associated with the aggregate and specific use of third parties.
DM.ED-2.1 DM.ED-2.1: The organization has established policies, plans, and procedures to identify and manage cyber risks associated with external dependencies throughout those dependencies' lifecycles in a timely manner, including sector-critical systems and operations. Statement Merged with Another Statement for ver. 2.0 GV.SC-01.01 GV.SC-01.01: The organization maintains a third-party risk management strategy and program to identify and manage the risks associated with third parties throughout their lifecycles in a timely manner, including in support of sector-critical systems and operations, to ensure alignment within risk appetite.
DM.ED-2.2 DM.ED-2.2: The organization's dependency management policies, plans, and procedures are regularly updated. Statement Merged with Another Statement for ver. 2.0 GV.PO-01.08 GV.PO-01.08: The organization maintains documented third-party risk management program policies and procedures approved by the governing authority (e.g., the Board or one of its committees).
DM.ED-2.3 DM.ED-2.3: The organization's dependency management policies, plans, and procedures have been reviewed and approved by appropriate organizational stakeholders. Statement Merged with Another Statement for ver. 2.0 GV.PO-01.08 GV.PO-01.08: The organization maintains documented third-party risk management program policies and procedures approved by the governing authority (e.g., the Board or one of its committees).
DM.ED-2.4 DM.ED-2.4: Dependency management processes may allow the organization to adopt the security program(s) of its "affiliate(s)" as long as such program provides an appropriate level of control and assurance. Statement Updated for Profile ver. 2.0 GV.PO-01.02 GV.PO-01.02: The accountable governing body, and applicable cybersecurity program and policies, for any given organizational unit, affiliate, or merged entity are clearly established, applied, and communicated.
DM.ED-2.5 DM.ED-2.5: The organization's dependency management process identifies third-party relationships that are in place, including those relationships that were established without formal approval. Statement Updated for Profile ver. 2.0 GV.SC-04.01 GV.SC-04.01: The organization regularly identifies, inventories, and risk-ranks third-party relationships that are in place, and addresses any identified relationships that were established without formal approval.
DM.ED-3.1 DM.ED-3.1: Roles and responsibilities for external dependency management are defined and assigned. Statement Updated for Profile ver. 2.0 GV.RR-02.04 GV.RR-02.04: Roles and responsibilities for the Third-Party Risk Management Program and for each third-party engagement are defined and assigned.
DM.ED-3.2 DM.ED-3.2: Responsibilities for ongoing independent oversight (external) of third-party access are defined and assigned. Statement Updated for Profile ver. 2.0 PR.AA-05.04 PR.AA-05.04: Specific roles, responsibilities, and procedures to manage the risk of third-party access to organizational systems and facilities are defined and implemented.
DM.ED-4.1 DM.ED-4.1: The organization ensures that cyber risks associated with external dependencies are consistent with cyber risk appetite approved by an appropriate governing body (e.g., the Board or one of its committees). Statement Merged with Another Statement for ver. 2.0 GV.SC-01.01 GV.SC-01.01: The organization maintains a third-party risk management strategy and program to identify and manage the risks associated with third parties throughout their lifecycles in a timely manner, including in support of sector-critical systems and operations, to ensure alignment within risk appetite.
DM.ED-4.2 DM.ED-4.2: The organization has established and applies appropriate policies and controls to address the inherent risk of external dependencies to the enterprise and the sector, if appropriate. Statement Merged with Another Statement for ver. 2.0 GV.PO-01.08 GV.PO-01.08: The organization maintains documented third-party risk management program policies and procedures approved by the governing authority (e.g., the Board or one of its committees).
DM.ED-4.3 DM.ED-4.3: The organization conducts a risk assessment to define appropriate controls to address the cyber risk presented by each external partner, implements these controls, and monitors their status throughout the lifecycle of partner relationships. Statement Merged with Another Statement for ver. 2.0 EX.MM-01.01 EX.MM-01.01: The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to manage and monitor its third-party relationships to a degree and extent commensurate with the risk each third party poses to the organization and the criticality of the third party's products, services, and/or relationship to the organization.
DM.ED-4.4 DM.ED-4.4: The organization has a documented third-party termination/exit strategy to include procedures for timely removal of the third-party access when no longer required. Statement Updated for Profile ver. 2.0 EX.TR-01.03 EX.TR-01.03: The organization has a documented third-party termination/exit plan, to include procedures for timely removal of the third-party access, return of data and property, personnel disposition, and transition of services and support.
DM.ED-4.5 DM.ED-4.5: The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole. Statement Unchanged in Profile ver. 2.0 EX.TR-01.01 EX.TR-01.01: The organization establishes contingencies to address circumstances that might put a vendor out of business or severely impact delivery of services to the organization, sector-critical systems, or the financial sector as a whole.
DM.ED-5.1 DM.ED-5.1: The organization has identified and monitors the organizational ecosystem of external dependencies for assets/systems that are critical to the enterprise and the financial services sector. Statement Updated for Profile ver. 2.0 GV.SC-01.02 GV.SC-01.02: The organization regularly assesses the risk of its ongoing use of third parties in aggregate, considering factors such as critical service dependencies, vendor concentration, geographical/geopolitical exposure, fourth-party impacts, and financial sector co-dependencies.
DM.ED-5.2 DM.ED-5.2: The organization maintains a current, accurate, and complete listing of all external dependencies and business functions, including mappings to supported assets and business functions. Statement Merged with Another Statement for ver. 2.0 GV.OC-04.01 GV.OC-04.01: The organization maintains an inventory of key internal assets, business functions, and external dependencies that includes mappings to other assets, business functions, and information flows.
DM.ED-5.3 DM.ED-5.3: The organization has prioritized functions, activities, products, and services provided by external dependencies based on criticality. Statement Merged with Another Statement for ver. 2.0 GV.OC-05.02 GV.OC-05.02: The organization has prioritized its external dependencies according to their criticality to the supported enterprise mission, business functions, and to the financial services sector.
DM.ED-5.4 DM.ED-5.4: The organization has prioritized external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. Statement Merged with Another Statement for ver. 2.0 GV.OC-05.02 GV.OC-05.02: The organization has prioritized its external dependencies according to their criticality to the supported enterprise mission, business functions, and to the financial services sector.
DM.ED-6.1 DM.ED-6.1: The organization has documented minimum cybersecurity requirements for critical third-parties that, at a minimum, meet cybersecurity practices of the organization. Statement Merged with Another Statement for ver. 2.0 EX.CN-02.01 EX.CN-02.01: The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis.
DM.ED-6.2 DM.ED-6.2: The organization's contracts require third-parties to implement minimum cybersecurity requirements and to maintain those practices for the life of the relationship. Statement Merged with Another Statement for ver. 2.0 EX.CN-02.01 EX.CN-02.01: The organization's contracts require third-parties to implement minimum technology and cybersecurity management requirements, to maintain those practices for the life of the relationship, and to provide evidence of compliance on an ongoing basis.
DM.ED-6.3 DM.ED-6.3: Minimum cybersecurity requirements for third-parties include how the organization will monitor security of its external dependencies to ensure that requirements are continually satisfied. Statement Updated for Profile ver. 2.0 EX.MM-01.05 EX.MM-01.05: The organization regularly assesses a critical third party's program and ability to manage its own suppliers and partners (fourth and nth parties) and the risks those fourth and nth parties may pose to the third party and to the organization (e.g., cybersecurity supply chain risk, concentration risk, reputation risk, foreign-party risk, etc.)
DM.ED-6.4 DM.ED-6.4: Minimum cybersecurity requirements for third-parties include consideration of whether the third-party is responsible for the security of the organization's confidential data and of geographic limits on where data can be stored and transmitted. Statement Merged with Another Statement for ver. 2.0 ID.AM-08.06 ID.AM-08.06: Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, from the acquisition of data through the return or destruction of data, to include limitations on data use, access, storage, and geographic location.
DM.ED-6.5 DM.ED-6.5: Minimum cybersecurity requirements for third-parties include how the organization and its suppliers and partners will communicate and coordinate in times of emergency, including:
1) Joint maintenance of contingency plans;
2) Responsibilities for responding to cybersecurity incident;
3) Planning and testing strategies that address severe events in order to identify single points of failure that would cause wide-scale disruption; and
4) Incorporating potential impact of a cyber event into their BCP process and ensure appropriate resilience capabilities are in place.
Statement Updated for Profile ver. 2.0 GV.RM-05.02 GV.RM-05.02: The organization establishes minimum requirements for its third-parties that include how the organizations will communicate and coordinate in times of emergency, including:
1) Joint maintenance of contingency plans;
2) Responsibilities for responding to incidents, including forensic investigations;
3) Planning and testing strategies that address severe events in order to identify single points of failure that would cause wide-scale disruption; and
4) Incorporating the potential impact of an incident into their BCM process and ensure resilience capabilities are in place.
DM.ED-6.6 DM.ED-6.6: Minimum cybersecurity requirements for third-parties identify conditions of and the recourse available to the organization should the third-party fail to meet their cybersecurity requirements. Statement Updated for Profile ver. 2.0 EX.CN-01.01 EX.CN-01.01: Contracts with suppliers clearly detail the general terms, nature, and scope of the arrangement, to include the distribution of responsibilities between the parties; costs, compensation, reimbursements, incentives, and penalties; service level agreements, performance measures, and benchmarks; responsibilities for providing, receiving, and retaining information; recourse provisions; and the organization's rights to review, monitor, and audit the supplier's activities.
DM.ED-6.7 DM.ED-6.7: Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, including return or destruction of data during cloud or virtualization use and upon relationship termination. Statement Merged with Another Statement for ver. 2.0 ID.AM-08.06 ID.AM-08.06: Minimum cybersecurity requirements for third-parties cover the entire relationship lifecycle, from the acquisition of data through the return or destruction of data, to include limitations on data use, access, storage, and geographic location.
DM.ED-7.1 DM.ED-7.1: The organization has a formal program for third-party due diligence and monitoring. Statement Merged with Another Statement for ver. 2.0 EX.MM-01.01 EX.MM-01.01: The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to manage and monitor its third-party relationships to a degree and extent commensurate with the risk each third party poses to the organization and the criticality of the third party's products, services, and/or relationship to the organization.
DM.ED-7.2 DM.ED-7.2: The organization conducts regular third-party reviews for critical vendors to validate that appropriate security controls have been implemented. Statement Updated for Profile ver. 2.0 EX.MM-02.01 EX.MM-02.01: The organization conducts regular third-party reviews for critical vendors to validate that requisite security and contractual controls are in place and continue to be operating as expected.
DM.ED-7.3 DM.ED-7.3: A process is in place to confirm that the organization's third-party service providers conduct due diligence of their own third-parties (e.g., subcontractors). Statement Updated for Profile ver. 2.0 EX.DD-02.04 EX.DD-02.04: The organization reviews and assesses the prospective third party's controls for managing its suppliers and subcontractors (fourth and nth parties), any proposed role fourth and nth parties will play in delivering the products or services, and any specific fourth- and nth-party controls or alternative arrangements the organization may require to protect its interests.
DM.ED-7.4 DM.ED-7.4: A process is in place to confirm that the organization's third-party service providers conduct periodic resiliency testing or justify why it is not needed. Statement Updated for Profile ver. 2.0 EX.MM-02.02 EX.MM-02.02: A process is in place to confirm that the organization's critical third-party service providers maintain their business continuity programs, conduct regular resiliency testing, and participate in joint and/or bilateral recovery exercises and tests.
DM.RS-1.1 DM.RS-1.1: The organization has an enterprise-wide cyber resilience (including business continuity, and incident response) strategy and program. Statement Updated for Profile ver. 2.0 GV.RM-09.01 GV.RM-09.01: The organization has an enterprise-wide resilience strategy and program, including architecture, cyber resilience, business continuity, disaster recovery, and incident response, which support its mission, stakeholder obligations, critical infrastructure role, and risk appetite.
DM.RS-1.2 DM.RS-1.2: The cyber resilience strategy and program are based on the organization's enterprise-wide cyber risk management strategy that addresses the risks that the organization may present to other critical infrastructure sectors and the risk that the organization may present to other firms in the financial sector. Statement Merged with Another Statement for ver. 2.0 GV.RM-09.02 GV.RM-09.02: The resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders, to include critical infrastructure partners, during adverse incidents and cyber attacks (e.g., propagation of malware or extended system outages).
DM.RS-1.3 DM.RS-1.3: The cyber resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders during cybersecurity incidents and cyber attacks (e.g., propagation of malware or corrupted data). Statement Merged with Another Statement for ver. 2.0 GV.RM-09.02 GV.RM-09.02: The resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders, to include critical infrastructure partners, during adverse incidents and cyber attacks (e.g., propagation of malware or extended system outages).
DM.RS-2.1 DM.RS-2.1: The organization has incorporated its external dependencies and critical business partners into its cyber resilience (e.g., incident response, business continuity, and disaster recovery) strategy, plans, and exercises. Statement Updated for Profile ver. 2.0 GV.SC-08.01 GV.SC-08.01: The organization's resilience strategy, plans, tests, and exercises incorporate its external dependencies and critical business partners.
DM.RS-2.2 DM.RS-2.2: The organization's cyber resilience strategy addresses the organization's obligations for performing core business functions including those performed for the financial sector as a whole, in the event of a disruption, including the potential for multiple concurrent or widespread interruptions and cyber attacks on multiple elements of interconnected critical infrastructure, such as energy and telecommunications. Statement Merged with Another Statement for ver. 2.0 GV.RM-09.02 GV.RM-09.02: The resilience program ensures that the organization can continue operating critical business functions and deliver services to stakeholders, to include critical infrastructure partners, during adverse incidents and cyber attacks (e.g., propagation of malware or extended system outages).
DM.RS-2.3 DM.RS-2.3: The organization designs and tests its cyber resilience plans, and exercises to support financial sector's sector-wide resilience and address external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc. Statement Updated for Profile ver. 2.0 ID.IM-02.08 ID.IM-02.08: The organization tests and exercises, independently and in coordination with other critical sector partners, its ability to support sector-wide resilience in the event of extreme financial stress or the instability of external dependencies, such as connectivity to markets, payment systems, clearing entities, messaging services, etc.
DM.RS-2.4 DM.RS-2.4: The organization periodically identifies and tests alternative solutions in case an external partner fails to perform as expected. Statement Updated for Profile ver. 2.0 EX.TR-01.02 EX.TR-01.02: The organization periodically identifies and tests alternative solutions in case a critical external partner fails to perform as expected.
DM.RS-2.5 DM.RS-2.5: When planning and executing incident response and recovery activities, the organization takes into consideration sector-wide impact of its systems and puts a priority on response and recovery activities for those systems ahead of the other systems. Statement Merged with Another Statement for ver. 2.0 RC.RP-02.02 RC.RP-02.02: Recovery plans are executed by first resuming critical services and core business functions, while minimizing any potential concurrent and widespread interruptions to interconnected entities and critical infrastructure, such as energy and telecommunications.
DM.BE-1.1 DM.BE-1.1: The cyber risk strategy identifies and communicates the organization's role as it relates to other critical infrastructures and as a component of the financial services sector. Statement Merged with Another Statement for ver. 2.0 GV.OC-02.03 GV.OC-02.03: Technology and cybersecurity risk management strategies identify and communicate the organization's role as it relates to other critical infrastructure sectors outside of the financial services sector and the interdependency risks.
DM.BE-1.2 DM.BE-1.2: A formal process is in place for the independent audit function to update its procedures based on changes to the evolving threat landscape across other sectors the institution depends upon. Statement Merged with Another Statement for ver. 2.0 GV.AU-02.02 GV.AU-02.02: A formal process is in place for the independent audit function to update its procedures and audit plans based on changes to the organization's risk appetite, risk tolerance, threat environment, and evolving risk profile.
DM.BE-2.1 DM.BE-2.1: The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders. Statement Unchanged in Profile ver. 2.0 ID.IM-04.06 ID.IM-04.06: The organization has established and implemented plans to identify and mitigate the cyber risks it poses through interconnectedness to sector partners and external stakeholders.
DM.BE-2.2 DM.BE-2.2: The organization has prioritized monitoring of systems according to their criticality to the supported business functions, enterprise mission, and to the financial services sector. Statement Updated for Profile ver. 2.0 GV.OC-04.04 GV.OC-04.04: The organization prioritizes the resilience design, planning, testing, and monitoring of systems and other key internal and external dependencies according to their criticality to the supported business functions, enterprise mission, and to the financial services sector.
DM.BE-3.1 DM.BE-3.1: Cyber resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations). Statement Updated for Profile ver. 2.0 GV.OC-04.03 GV.OC-04.03: Resilience requirements to support the delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, and normal operations).
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.OC-02.01 GV.OC-02.01: The organization's obligation to its customers, employees, and stakeholders to maintain safety and soundness, while balancing size and complexity, is reflected in the organization's risk management strategy and framework, its risk appetite and risk tolerance statements, and in a risk-aware culture.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.OC-04.02 GV.OC-04.02: The organization documents the business processes that are critical for the delivery of services and the functioning of the organization, and the impacts to the business if those processes are degraded or not functioning.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RM-01.05 GV.RM-01.05: The organization's technology, cybersecurity, resilience, and third-party risk management programs, policies, resources, and priorities are aligned and mutually supporting.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RM-03.02 GV.RM-03.02: The organization's business continuity and resilience strategy and program align with and support the overall enterprise risk management framework.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RM-04.01 GV.RM-04.01: The governing authority (e.g., the Board or one of its committees) and senior management provide guidance, direction, and credible challenge in the design and implementation of risk management strategies, assessment of identified risks against risk appetite and risk tolerance, and in the selection of risk treatment approaches.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RM-07.01 GV.RM-07.01: The organization has mechanisms in place to ensure that strategies, initiatives, opportunities, and emerging technologies (e.g., artificial intelligence, quantum computing, etc.) are evaluated both in terms of risks and uncertainties that are potentially detrimental to the organization, as well as potentially advantageous to the organization (i.e., positive risks).
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RM-08.04 GV.RM-08.04: The organization integrates the use of technology architecture in its governance processes to support consistent approaches to security and technology design, integration of third party services, consideration and adoption of new technologies, and investment and procurement decisioning.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RM-08.05 GV.RM-08.05: The technology architecture and associated management processes should be comprehensive (e.g., consider the full life cycle of infrastructure, applications, emerging technologies, and relevant data) and designed to achieve security and resilience commensurate with business needs.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RM-08.06 GV.RM-08.06: Technology programs and projects are formally governed and stakeholder engagement is managed to facilitate effective communication, awareness, credible challenge, and decision-making.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RM-08.07 GV.RM-08.07: Technology projects follow an established project management methodology to manage delivery and delivery risks, produce consistent quality, and achieve business objectives and value.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.SC-02.01 GV.SC-02.01: The organization clearly defines, and includes in contractual agreements, the division of cybersecurity and technology risk management responsibilities between the organization and its third parties (e.g., a Shared Responsibilities Model).
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.SC-09.01 GV.SC-09.01: Consideration is specifically given to the implications of organizational third-party dependence, requirements, contracts, and interactions in the design, operation, monitoring, and improvement of policies, procedures, and controls to ensure the fulfillment of business requirements within risk appetite.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RR-01.03 GV.RR-01.03: The governing authority (e.g., the Board or one of its committees) regularly reviews, oversees, and holds senior management accountable for implementing the organization’s resilience strategy and program and for managing the organization's ongoing resilience risks.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RR-01.05 GV.RR-01.05: The organization designates a qualified Technology Officer (e.g., CIO or CTO) who is responsible and accountable for developing technology strategy, overseeing and implementing its technology program, and enforcing its technology policy.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RR-02.03 GV.RR-02.03: Resilience program roles and responsibilities are assigned to management across the organization to ensure risk assessment, planning, testing, and execution coverage for all critical business functions.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RR-02.06 GV.RR-02.06: Roles and responsibilities for the inventory, ownership, and custodianship of applications, data and other technology assets are established and maintained.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RR-03.02 GV.RR-03.02: The organization regularly assesses its skill and resource level requirements against its current personnel complement to determine gaps in resource need.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.RR-04.03 GV.RR-04.03: The organization integrates insider threat considerations into its human resource, risk management, and control programs to address the potential for malicious or unintentional harm by trusted employees or third parties.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.PO-01.04 GV.PO-01.04: All personnel (employees and third party) consent to policies addressing acceptable technology use, social media use, personal device use (e.g., BYOD), confidentiality, and/or other security-related policies and agreements as warranted by their position.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.PO-01.07 GV.PO-01.07: The organization maintains documented business continuity and resilience program policies and procedures approved by the governing authority (e.g., the Board or one of its committees).
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.OV-01.03 GV.OV-01.03: The designated Technology Officer (e.g., CIO or CTO) regularly reports to the governing authority (e.g., the Board or one of its committees) on the status of technology use and risks within the organization.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.OV-03.02 GV.OV-03.02: Resilience program performance is measured and regularly reported to senior executives and the governing authority (e.g., the Board or one of its committees).
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 GV.AU-01.04 GV.AU-01.04: The independent audit function evaluates and tests third-party risk management policies and controls, identifies weaknesses and gaps, and recommends improvements to senior management and the governing authority (e.g., the Board or one of its committees).
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.AM-05.01 ID.AM-05.01: The organization establishes and maintains risk-based policies and procedures for the classification of hardware, software, and data assets based on sensitivity and criticality.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.AM-08.01 ID.AM-08.01: The organization establishes and maintains asset lifecycle management policies and procedures to ensure that assets are acquired, tracked, implemented, used, decommissioned, and protected commensurate with their sensitivity, criticality, and business value.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.AM-08.02 ID.AM-08.02: The organization establishes policies, and employs methods to identify, assess, and manage technology solutions that are acquired, managed, or used outside of established, governed technology and cybersecurity processes (i.e., "Shadow IT").
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.RA-06.04 ID.RA-06.04: The organization assesses the threats, impacts, and risks that could adversely affect the organization's ability to provide services on an ongoing basis, and develops its resilience requirements and plans to address those risks.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.RA-07.02 ID.RA-07.02: Risk-based criteria are used to categorize each system change, to include emergency changes, to determine the necessary change process standards to apply for change planning, rollback planning, pre-change testing, change access control, post-change verification, and change review and approval.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.RA-07.03 ID.RA-07.03: Technology projects and system change processes ensure that requisite changes in security posture, data classification and flows, architecture, support documentation, business processes, and business resilience plans are addressed.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.RA-07.04 ID.RA-07.04: Policy exceptions, risk mitigation plans, and risk acceptances resulting from assessments and evaluations, such as testing, exercises, audits, etc., are formally managed, approved, escalated to defined levels of management, and tracked to closure.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.IM-01.01 ID.IM-01.01: Technology, cybersecurity, and resilience controls are regularly assessed and/or tested for design and operating effectiveness.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.IM-01.04 ID.IM-01.04: Technology and cybersecurity programs include elements designed to assess, manage, and continually improve the quality of program delivery in addressing stakeholder requirements and risk reduction.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.IM-02.02 ID.IM-02.02: The thoroughness and results of independent penetration testing are regularly reviewed to help determine the need to rotate testing vendors to obtain fresh independent perspectives.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.IM-02.09 ID.IM-02.09: Corrective actions for gaps identified during security-related, incident management, response plan, and disaster recovery testing are retested and validated, or have a formal risk acceptance or risk exception.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 ID.IM-04.07 ID.IM-04.07: The organization pre-identifies, pre-qualifies, and retains third party incident management support and forensic service firms, as required, that can be called upon to quickly assist with incident response, investigation, and recovery.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.AA-03.03 PR.AA-03.03: The organization reduces fraudulent activity and protects reputational integrity through email verification mechanisms (e.g., DMARC, DKIM), call-back verification, secure file exchange facilities, out-of-band communications, customer outreach and education, and other tactics designed to thwart imposters and fraudsters.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.AA-04.01 PR.AA-04.01: Access credential and authorization mechanisms for internal systems and across security perimeters (e.g., leveraging directory services, directory synchronization, single sign-on, federated access, credential mapping, etc.) are designed to maintain security, integrity, and authenticity.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.AA-06.02 PR.AA-06.02: The organization manages and protects physical and visual access to sensitive information assets and physical records (e.g., session lockout, clean desk policies, printer/facsimile output trays, file cabinet/room security, document labelling, etc.)
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.AT-01.04 PR.AT-01.04: As new technology is deployed or undergoes change that also requires changes in practices, all impacted personnel (e.g., end-users, developers, operators, etc.) are trained on the new system and any accompanying technology and cybersecurity risks.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.AT-02.04 PR.AT-02.04: The organization maintains and enhances the skills and knowledge of the in-house staff performing incident management and forensic investigation activities.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.AT-02.05 PR.AT-02.05: All third party staff receive cybersecurity awareness and job training sufficient for them to perform their duties and maintain organizational security.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.DS-10.01 PR.DS-10.01: Data-in-use is protected commensurate with the criticality and sensitivity of the information and in alignment with the data classification and protection policy (e.g., through the use of encryption, authentication, access control, masking, tokenization, visual shielding, memory integrity monitoring, etc.)
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.PS-01.05 PR.PS-01.05: Acceptable encryption standards, methods, and management practices are established in accordance with defined industry standards.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.PS-01.06 PR.PS-01.06: The organization employs defined encryption methods and management practices commensurate with the criticality of the information being protected and the inherent risk of the technical environment where used.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.PS-01.07 PR.PS-01.07: Cryptographic keys and certificates are tracked, managed, and protected throughout their lifecycles, to include for compromise and revocation.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.PS-01.08 PR.PS-01.08: End-user mobile or personal computing devices accessing the organization's network employ mechanisms to protect network, application, and data integrity, such as "Mobile Device Management (MDM)" and "Mobile Application Management (MAM)" technologies, device fingerprinting, storage containerization and encryption, integrity scanning, automated patch application, remote wipe, and data leakage protections.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.PS-01.09 PR.PS-01.09: Endpoint systems implemented using virtualization technologies employ mechanisms to protect network, application, and data integrity, such as restricting access to local network and peripheral devices, multi-factor authentication, locking-down device source network locations, and data leakage protections.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.PS-02.02 PR.PS-02.02: The organization establishes standards and practices for ongoing application management to ensure that applications remain secure and continue to meet organizational needs.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.PS-02.03 PR.PS-02.03: Technology obsolescence, unsupported systems, and end-of-life decommissioning/replacements are addressed in a risk-based manner and actively planned for, funded, managed, and securely executed.
None None - Statement Added for Profile ver. 2.0 Statement Added for Profile ver. 2.0 PR.PS-04.02 PR.PS-04.02: The organization defines the scope and coverage of audit/log records to be created and monitored (i.e., internal and external environments, devices, and applications/services/software to be monitored) and has controls in place to ensure that the intended scope is fully covered and that no logging failures are inhibiting the collection of required logs.
| Profile v1.2.1 Id | Profile v1.2.1 Diagnostic Statement | Profile v2.0 Update Status | Profile v2.0 Id | Profile v2.0 Diagnostic Statement |
|---|---|---|---|---|
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-06.02 | PR.PS-06.02: The architecture, design, coding, testing, and operationalization of system solutions address the unique security, resilience, technical, and operational characteristics of the target platform environment(s) (e.g., distributed system, mainframe, cloud, API, mobile, database, etc.) |
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-06.03 | PR.PS-06.03: Functional, operational, resilience, and security requirements for system development and implementation projects are documented, agreed to by relevant stakeholders, and tracked and managed through development, testing, assurance, acceptance, and delivery. |
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-06.04 | PR.PS-06.04: Systems development and testing tools, processes, and environments employ security mechanisms to protect and improve the integrity and confidentiality of both the SDLC process and the resulting product (e.g., secured code repositories, segmented environments, automated builds, etc.) |
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-06.06 | PR.PS-06.06: The system development lifecycle remediates known critical vulnerabilities, and critical vulnerabilities discovered during testing, prior to production deployment. |
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-06.07 | PR.PS-06.07: DevOps/DevSecOps practices and procedures are aligned with Systems Development Lifecycle, security operations, and technology service management processes. |
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-06.08 | PR.PS-06.08: The design, configuration, security control, and operation of key applications and system services are documented sufficiently to support ongoing management, operation, change, and assessment. |
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-06.09 | PR.PS-06.09: End-user developed solutions, to include models used to support critical business processes and decisions, are formally identified and managed in alignment with their criticality and risk. |
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-06.10 | PR.PS-06.10: The organization establishes policies and procedures for the secure design, configuration, modification, and operation of databases, data stores, and data analytics platforms consistent with the criticality of the data being managed. |
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-07.01 | PR.PS-07.01: The organization's technology operations, process verification, error detection, issue management, root cause analysis, and problem management functions are formally documented, monitored, and KPIs are regularly reported to stakeholders. |
| None | None | Statement Added for Profile ver. 2.0 | PR.PS-07.02 | PR.PS-07.02: Technology service and support functions address stakeholder expectations (e.g., through stated requirements, SLAs, or OLAs) and performance is monitored and regularly reported to stakeholders. |
| None | None | Statement Added for Profile ver. 2.0 | PR.IR-01.02 | PR.IR-01.02: Network device configurations (e.g., firewall rules, ports, and protocols) are documented, reviewed and updated regularly and upon change to ensure alignment with network access, segmentation, traversal, and deny-all default requirements. |
| None | None | Statement Added for Profile ver. 2.0 | PR.IR-01.03 | PR.IR-01.03: The integrity and resilience of the organization's communications and control network services are enhanced through controls such as denial of service protections, secure name/address resolution, and/or alternate communications paths. |
| None | None | Statement Added for Profile ver. 2.0 | PR.IR-01.07 | PR.IR-01.07: The organization defines and implements controls for securely configuring and operating Operational Technologies, Industrial Control Systems, and Internet-of-Things (IoT) devices (e.g., segregated printer networks, resetting of default passwords, etc.) |
| None | None | Statement Added for Profile ver. 2.0 | PR.IR-01.08 | PR.IR-01.08: The organization implements policies, procedures, end-user agreements, and technical controls to address the risks of end-user mobile or personal computing devices accessing the organization's network and resources. |
| None | None | Statement Added for Profile ver. 2.0 | PR.IR-02.01 | PR.IR-02.01: The organization designs, documents, implements, tests, and maintains environmental and physical controls to meet defined business resilience requirements (e.g., environmental monitoring, dual power and communication sources, regionally separated backup processing facilities, etc.) |
| None | None | Statement Added for Profile ver. 2.0 | DE.CM-01.06 | DE.CM-01.06: The organization employs deception techniques and technologies (e.g., honeypots) to detect and prevent a potential intrusion in its early stages to support timely containment and recovery. |
| None | None | Statement Added for Profile ver. 2.0 | DE.CM-03.01 | DE.CM-03.01: Account access, authentication, and authorization activities are logged and monitored, for both users and devices, to enforce authorized access. |
| None | None | Statement Added for Profile ver. 2.0 | DE.AE-07.01 | DE.AE-07.01: The organization implements measures for monitoring external sources (e.g., social media, the dark web, etc.) to integrate with other intelligence information to better detect and evaluate potential threats and compromises. |
| None | None | Statement Added for Profile ver. 2.0 | DE.AE-07.02 | DE.AE-07.02: Relevant event data is packaged for subsequent review and triage and events are categorized for efficient handling, assignment, and escalation. |
| None | None | Statement Added for Profile ver. 2.0 | DE.AE-08.01 | DE.AE-08.01: Defined criteria and severity levels are in place to facilitate the declaration, escalation, organization, and alignment of response activities to response plans within the organization and across relevant third parties. |
| None | None | Statement Added for Profile ver. 2.0 | RS.MA-04.01 | RS.MA-04.01: Response activities are centrally coordinated, response progress and milestones are tracked and documented, and new incident information is assimilated into ongoing tasks, assignments, and escalations. |
| None | None | Statement Added for Profile ver. 2.0 | RS.AN-07.01 | RS.AN-07.01: Incident-related forensic data is captured, secured, and preserved in a manner supporting integrity, provenance, and evidentiary value. |
| None | None | Statement Added for Profile ver. 2.0 | RS.AN-08.01 | RS.AN-08.01: Available incident information is assessed to determine the extent of impact to the organization and its stakeholders, the potential near- and long-term financial implications, and whether or not the incident constitutes a material event. |
| None | None | Statement Added for Profile ver. 2.0 | RS.MI-02.01 | RS.MI-02.01: Targeted investigations and actions are taken to ensure that all vulnerabilities, system components, devices, or remnants used or leveraged in an attack (e.g., malware, compromised accounts, open ports, etc.) are removed or otherwise returned to a secure and reliable state, or that plans to address the vulnerabilities are documented. |
| None | None | Statement Added for Profile ver. 2.0 | RC.RP-02.01 | RC.RP-02.01: The organization's response plans are used as informed guidance to develop and manage task plans, response actions, priorities, and assignments for responding to incidents, but are adapted as necessary to address incident-specific characteristics. |
| None | None | Statement Added for Profile ver. 2.0 | RC.RP-03.01 | RC.RP-03.01: Restoration steps include the verification of backups, data replications, system images, and other restoration assets prior to continued use. |
| None | None | Statement Added for Profile ver. 2.0 | RC.RP-04.01 | RC.RP-04.01: Restoration steps include the verification of data integrity, transaction positions, system functionality, and the operation of security controls by appropriate organizational stakeholders and system owners. |
| None | None | Statement Added for Profile ver. 2.0 | RC.RP-05.01 | RC.RP-05.01: The organization maintains documented procedures for sanitizing, testing, authorizing, and returning systems to service following an incident or investigation. |
| None | None | Statement Added for Profile ver. 2.0 | RC.RP-05.02 | RC.RP-05.02: Business, technology, cybersecurity, and relevant third-party stakeholders confirm that systems, data, and services have been returned to functional and secure states and that a stable operational status has been achieved. |
| None | None | Statement Added for Profile ver. 2.0 | RC.RP-06.01 | RC.RP-06.01: Incident management activities are closed under defined conditions and documentation to support subsequent post-mortem review, process improvement, and any follow-on activities is collected and verified. |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-01.01 | EX.DD-01.01: Documented procurement plans are developed for initiatives involving elevated business, technical, or cybersecurity risk in order to establish criteria for the evaluation and selection of a supplier, and any special requirements for organizational preparation, supplier due diligence, and contract terms. |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-01.02 | EX.DD-01.02: Procurement plans address the inherent risks of the planned activity, to include the complexity of the endeavor in terms of technology, scope, and novelty, and demonstrate that the potential business and financial benefits outweigh the costs to control the anticipated risks. |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-01.03 | EX.DD-01.03: Procurement plans address expected resource requirements and procedures for ongoing management and monitoring of the selected supplier, contingency plans for supplier non-performance, and specific considerations related to contract termination (e.g., return of data). |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-02.01 | EX.DD-02.01: The organization implements procedures, and allocates sufficient resources with the requisite knowledge and experience, to conduct third party due diligence and risk assessment consistent with the procurement plan and commensurate with level of risk, criticality, and complexity of each third-party relationship. |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-02.02 | EX.DD-02.02: The organization reviews and evaluates the proposed business arrangement, to include the proposed fee structures, incentives, and penalties, proposed staff resources, viability of proposed approaches, and business terms, to ensure that products or services are being obtained at competitive and reasonable costs and terms. |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-02.03 | EX.DD-02.03: The organization reviews and evaluates documentation, such as financial statements, independent audit reports, pooled/shared assessments, control test reports, SEC filings, and past and pending litigation, to the extent required to determine a prospective critical third party's soundness as a business and the quality and sustainability of its internal controls. |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-03.01 | EX.DD-03.01: The organization reviews, evaluates, and risk assesses a prospective critical third party's cybersecurity program, including its ability to identify, assess, monitor, and mitigate its cyber risks; the completeness of its policies and procedures; the strength of its technical and administrative controls; and the coverage of its internal and independent control testing programs. |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-03.02 | EX.DD-03.02: The organization reviews, evaluates, and risk assesses a prospective critical third party's business continuity program, to include business impact analyses, risk assessments, continuity plans, disaster recovery plans, technology resilience architecture, and response and recovery plans, test plans, and test results. |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-03.03 | EX.DD-03.03: The organization reviews, evaluates, and risk assesses a prospective critical third party's incident response program, to include monitoring and alerting capabilities, incident reporting procedures and protocols, and capabilities for event analysis, problem resolution, and forensic investigation. |
| None | None | Statement Added for Profile ver. 2.0 | EX.DD-04.02 | EX.DD-04.02: The organization reviews and evaluates any technologies or information systems proposed to support a third party's services or activities, to include compatibility with the organization's technology and cybersecurity architectures, interactions and interfaces with existing systems, security controls, operational management and support requirements, and suitability to the task. |
| None | None | Statement Added for Profile ver. 2.0 | EX.CN-01.02 | EX.CN-01.02: Contracts with suppliers address, as relevant to the product or service, the supplier's requirements for managing its own suppliers and partners (fourth parties) and the risks those fourth parties may pose to the third party and to the organization, to include fourth party due diligence, limitations on activities or geography, monitoring, notifications, liability and indemnifications, etc. |
| None | None | Statement Added for Profile ver. 2.0 | EX.CN-01.03 | EX.CN-01.03: Contracts with suppliers address, as relevant to the product or service, the implications of foreign-based third or fourth parties, to include the relevance of local laws and regulations, access to facilities and data, limitations on cross-border data transfer, and language and time zone management. |
| None | None | Statement Added for Profile ver. 2.0 | EX.CN-02.02 | EX.CN-02.02: Minimum cybersecurity requirements for third parties include requirements for incident and vulnerability notification, to include the types of events requiring notification, notification timeframes, and escalation protocols. |
| None | None | Statement Added for Profile ver. 2.0 | EX.CN-02.03 | EX.CN-02.03: Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to maintain and regularly test a business continuity program and disaster recovery capability that meets the defined resilience requirements of the organization. |
| None | None | Statement Added for Profile ver. 2.0 | EX.CN-02.04 | EX.CN-02.04: Contracts with suppliers address, as relevant to the product or service, the supplier's obligation to regularly participate in joint and/or bilateral recovery exercises and tests, and to address significant issues identified through recovery testing. |
| None | None | Statement Added for Profile ver. 2.0 | EX.MM-01.02 | EX.MM-01.02: The organization regularly evaluates its third party relationships to determine if changes in the organization's circumstances, objectives, or third party use warrant a change in a third party's risk rating (e.g., a less critical third-party relationship evolves into being a critical relationship). |
| None | None | Statement Added for Profile ver. 2.0 | EX.MM-01.03 | EX.MM-01.03: The organization monitors for and regularly evaluates changes in a critical third party's business posture that could pose adverse risk to the organization (e.g., financial condition, reputation, adverse news, compliance/regulatory issues, key personnel, business relationships, consumer complaints, etc.) |
| None | None | Statement Added for Profile ver. 2.0 | EX.MM-01.04 | EX.MM-01.04: The organization regularly assesses critical third party adherence to service level agreements, product specifications, performance metrics, resource level/skill commitments, and quality expectations; addresses performance issues; and exercises contract penalties or credits as warranted. |
| None | None | Statement Added for Profile ver. 2.0 | EX.MM-01.06 | EX.MM-01.06: The organization regularly reviews the foreign-based operations and activities of a critical third party, or its critical fourth parties, to confirm contract controls are maintained and compliance requirements are managed. |
| None | None | Statement Added for Profile ver. 2.0 | EX.TR-02.01 | EX.TR-02.01: Upon termination of a third-party agreement, the organization ensures that all technical and security matters (access, connections, etc.), business matters (service, support, and ongoing relationship), property matters (data, physical, and intellectual), and legal matters are addressed in a timely manner. |