Plans Affecting Operations
ID.IM-04: Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved
  • Ex1: Establish contingency plans (e.g., incident response, business continuity, disaster recovery) for responding to and recovering from adverse events that can interfere with operations, expose confidential information, or otherwise endanger the organization’s mission and viability
  • Ex2: Include contact and communication information, processes for handling common scenarios, and criteria for prioritization, escalation, and elevation in all contingency plans
  • Ex3: Create a vulnerability management plan to identify and assess all types of vulnerabilities and to prioritize, test, and implement risk responses
  • Ex4: Communicate cybersecurity plans (including updates) to those responsible for carrying them out and to affected parties
  • Ex5: Review and update all cybersecurity plans annually or when a need for significant improvements is identified
Tier
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.
Description

Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved