
#CISOlife

A series of educational videos and interviews with CISOs about the challenges and solutions they face and how to overcome them

What is #CISOlife?

#CISOlife is a video series that aims to help CISOs with small security teams to get relevant information about their challenges and possible solutions, and to hear how other CISOs have coped with the same challenges.

Hosted by vCISO Brian Haugli, #CISOlife includes 13 videos that walk through real-life examples and challenges and offer a way you can approach solving them.

Brian Haugli, vCISO

#CISOlife - NIST CSF - Identify - Asset Management 1 (ID.AM-1)

Physical devices and systems within the organization are inventoried.

Has an inventory list of the components of the system been developed, documented, and maintained that is consistent with the system boundary?
Has an inventory list of the components of the system been developed, documented, and maintained that is at the level of granularity deemed necessary for tracking and reporting?

#CISOlife - NIST CSF - Identify - Asset Management 2 (ID.AM-2)

Software platforms and applications within the organization are inventoried.

Has an inventory of the components of the system been developed, documented, and maintained that accurately reflects the current system?
Has an inventory of the components of the system been developed, documented, and maintained that includes defined information deemed necessary to achieve effective property accountability?
Is there a defined list of software programs not authorized to execute on the system?
Is the authorization policy an allow-all, deny-by-exception policy for software allowed to execute on the system?
Is there a defined list of software programs authorized to execute on the system?

#CISOlife - NIST CSF - Identify - Asset Management 3 (ID.AM-3)

Organizational communication and data flows are mapped.

Does the organization authorize and document interconnections of company-owned information systems?
Does the organization map all communication and data flows?

#CISOlife - NIST CSF - Identify - Asset Management 4 (ID.AM-4)

External information systems are catalogued.

Are all external information systems catalogued?

#CISOlife - NIST CSF - Identify - Asset Management 5 (ID.AM-5)

Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value.

Are information and systems categorized in accordance with applicable management orders, policies, regulations, standards, and guidance?
Are the security categorization results documented in the system security plan?
Does the organization identify critical information system assets?
Are information and systems categorized in accordance with business risk, policies, regulations, standards, and guidance?
Are the security categorization results documented and prioritized in the system security plan?

#CISOlife - NIST CSF - Identify - Asset Management 6 (ID.AM-6)

Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

Does the security team assign roles and responsibilities in accordance with the policies and confirm that processes are in place to protect company assets and critical information?
Does the system security policy address the scope of the security program as it applies to all organizational staff and third-party contractors?
Is the contingency plan distributed to a defined list of key contingency personnel and organizational elements?
Are contingency plan changes communicated to a defined list of key contingency personnel and organizational elements?

#CISOlife - NIST CSF - Identify - Risk Assessment 1 (ID.RA-1)

Asset vulnerabilities are identified and documented.

Has a risk management plan been developed?
Are periodic, unannounced, in-depth monitoring, penetration testing, and red team exercises included as part of the security control assessments?
Are potential security threats, vulnerabilities, and consequences identified, classified, prioritized, and analyzed using accepted methodologies?
Are system flaws identified, reported, and corrected?
Does the organization update the information system vulnerabilities list when new vulnerabilities are identified and reported?

#CISOlife - NIST CSF - Identify - Risk Assessment 2 (ID.RA-2)

Threat and vulnerability information is received from information sharing forums and sources.

Are system security alerts, advisories, and directives received from designated external organizations on an ongoing basis?
Are security alerts, advisories, and directives disseminated to a defined list of personnel?
Does the organization implement a threat awareness program that includes a cross-organization information-sharing capability?

#CISOlife - NIST CSF - Identify - Risk Assessment 3 (ID.RA-3)

Threats, both internal and external, are identified and documented.

Are potential security threats, vulnerabilities, and consequences identified, classified, prioritized, and analyzed using accepted methodologies?
Does the organization implement an insider threat program that includes a cross-discipline insider threat incident handling team?

#CISOlife - NIST CSF - Identify - Risk Assessment 4 (ID.RA-4)

Potential business impacts and likelihoods are identified.

Is the risk assessment plan updated annually or whenever significant changes occur to the system, the facilities where the system resides, or other conditions that may affect the security or accreditation status of the system?
Has a risk management plan been developed?
Are the security categorization results documented in the system security plan?
Are potential security threats, vulnerabilities, and consequences identified, classified, prioritized, and analyzed using accepted methodologies?
Is there a comprehensive strategy to manage risk to organizational operations and assets, individuals, and other organizations?

#CISOlife - NIST CSF - Identify - Risk Assessment 5 (ID.RA-5)

Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.

Has a risk management plan been developed?
Are potential security threats, vulnerabilities, and consequences identified, classified, prioritized, and analyzed using accepted methodologies?

#CISOlife - NIST CSF - Identify - Risk Assessment 6 (ID.RA-6)

Risk responses are identified and prioritized.

Does the plan of action call out remedial security actions to mitigate risk to organizational operations and assets, individuals, and other organizations?
Is there a comprehensive strategy to manage risk to organizational operations and assets, individuals, and other organizations?
Is the risk management strategy implemented consistently across the organization?
Are risk-reduction mitigation measures identified and prioritized?
Is there a detailed mitigation strategy for individual systems that addresses risk, and is there a comprehensive strategy?
