Organizational communication and data flows are mapped from Cybersecurity Fundamentals framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value

ID.AM-6: Cybersecurity roles, responsibilities, and authorities for the entire workforce and third-party stakeholders are established

Maturity Level 1

Maturity Level 2

Maturity Level 3

ID.AM-3.1

ID.AM-3.1: Information that the organization stores and uses shall be identified.

Start by listing all the types of information your business stores or uses. Define “information type” in any useful way that makes sense to your business. You may want to have your employees make a list of all the information they use in their regular activities. List everything you can think of, but you do not need to be too specific. For example, you may keep customer names and email addresses, receipts for raw material, your banking information, or other proprietary information.
Consider mapping this information with the associated assets identified in the inventories of physical devices, systems, software platforms and applications used within the organization (see ID.AM-1 and ID.AM-2).

Description

Information that the organization stores and uses shall be identified.

ID.AM-3.2

ID.AM-3.2: All connections within the organization's ICT/OT environment, and to other organization-internal platforms shall be mapped, documented, approved, and updated as appropriate.

Connection information includes, for example, the interface characteristics, data characteristics, ports, protocols, addresses, description of the data, security requirements, and the nature of the connection.
Configuration management can be used as supporting asset.
This documentation should not be stored only on the network it represents.
Consider keeping a copy of this documentation in a safe offline environment (e.g. offline hard disk, paper hardcopy, …)

Description

All connections within the organization's ICT/OT environment, and to other organization-internal platforms shall be mapped, documented, approved, and updated as appropriate.

ID.AM-3.3

ID.AM-3.3: The information flows/data flows within the organization’s ICT/OT environment, as well as to other organization-internal systems shall be mapped, documented, authorized, and updated when changes occur.

With knowledge of the information/data flows within a system and between systems, it is possible to determine where information can and cannot go.
Consider:
oEnforcing controls restricting connections to only authorized interfaces.
oHeightening system monitoring activity whenever there is an indication of increased risk to organization's critical operations and assets.
oProtecting the system from information leakage due to electromagnetic signals emanations.

Description

The information flows/data flows within the organization’s ICT/OT environment, as well as to other organization-internal systems shall be mapped, documented, authorized, and updated when changes occur.