Tests and Exercises
ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties
  • Ex1: Identify improvements for future incident response activities based on findings from incident response assessments (e.g., tabletop exercises and simulations, tests, internal reviews, independent audits)
  • Ex2: Identify improvements for future business continuity, disaster recovery, and incident response activities based on exercises performed in coordination with critical service providers and product suppliers
  • Ex3: Involve internal stakeholders (e.g., senior executives, legal department, HR) in security tests and exercises as appropriate
  • Ex4: Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership
  • Ex5: Exercise contingency plans for responding to and recovering from the discovery that products or services did not originate with the contracted supplier or partner or were altered before receipt
  • Ex6: Collect and analyze performance metrics using security tools and services to inform improvements to the cybersecurity program
Tier
Not Applicable - Not applicable
No - The outcome(s) have not been meaningfully implemented.
Tier 1: Partial - Application of the organizational cybersecurity risk strategy is managed in an ad hoc manner. Prioritization is ad hoc and not formally based on objectives or threat environment.
Tier 2: Risk Informed - Risk management practices are approved by management but may not be established as organization-wide policy. The prioritization of cybersecurity activities and protection needs is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
Tier 3: Repeatable - The organization’s risk management practices are formally approved and expressed as policy. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements, threats, and technological landscape.
Tier 4: Adaptive - There is an organization-wide approach to managing cybersecurity risks that uses risk-informed policies, processes, and procedures to address potential cybersecurity events.
Description
Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties