
Evidence of NIST Compliance

NIST Assessment
Evidence of NIST Compliance

Prepared for: Your Client's Company
Prepared by: YourIT Company
Scan Date: 30-Dec-2019
02-Jan-2020

CONFIDENTIALITY NOTE: The information contained in this report document is for the exclusive use of the
client specified above and may contain confidential, privileged and non-disclosable information. If the
recipient of this report is not the client or addressee, such recipient is strictly prohibited from reading,
photocopying, distributing or otherwise using this report or its contents in any way.
Evidence of NIST Compliance
NIST ASSESSMENT

Table of Contents
1 - Overview
2 - Overall Risk
3 - Identify (ID)
3.1 - Asset Management (ID.AM)
3.1.1 - Physical devices and systems
3.1.2 - Software platforms and applications
3.1.3 - Organization communication and data flows
3.1.4 - External information systems
3.1.5 - Resource prioritization
3.1.6 - Cybersecurity roles and responsibilities
3.2 - Business Environment (ID.BE)
3.2.1 - Role in Supply Chain
3.2.2 - Role in Critical Infrastructure and Industry Sector
3.2.3 - Priorities for Organizational Mission, Objectives, and Activities
3.2.4 - Delivery of Critical Services
3.2.5 - Resilience Requirements
3.3 - Governance (ID.GV)
3.3.1 - Organizational Cybersecurity Policy
3.3.2 - Cybersecurity Roles and Responsibilities
3.3.3 - Legal and Regulatory Requirements Regarding Cybersecurity
3.3.4 - Addressing Cybersecurity Risks
3.4 - Risk Assessment (ID.RA)
3.4.1 - Asset Vulnerabilities
3.4.2 - Cyber Threat Intelligence
3.4.3 - Risk Assessment
3.5 - Risk Management Strategy (ID.RM)
3.5.1 - Risk Management Strategy
3.6 - Supply Chain Risk Management (ID.SC)
3.6.1 - Supply Chain Risk Management
3.6.2 - Supply Chain Risk Assessment
3.6.3 - Supply Chain Contracts
3.6.4 - Assessment of Suppliers and Third-Party Partners

PROPRIETARY & CONFIDENTIAL Page 2 of 42
3.6.5 - Response and recovery with Suppliers and Third-Party Partners
4 - Protect (PR)
4.1 - Identity Management, Authentication and Access Control (PR.AC)
4.1.1 - Identity and Credential Management
4.1.2 - Physical Access
4.1.3 - Remote Access
4.1.4 - Access Permissions and Authorization
4.1.5 - Network Segregation and Segmentation
4.1.6 - Use of Identities in Interactions
4.1.7 - Asset Authentication
4.2 - Awareness and Training (PR.AT)
4.2.1 - All Users
4.2.2 - Privileged Users
4.2.3 - Third-party Stakeholders
4.2.4 - Senior Executives
4.2.5 - Physical and Cybersecurity Personnel
4.3 - Data Security (PR.DS)
4.3.1 - Data-at-rest
4.3.2 - Data-in-transit
4.3.3 - Asset Removal, Transfers, and Disposition
4.3.4 - Data Capacity
4.3.5 - Protections Against Data Leaks
4.3.6 - Software, Firmware, and Information Integrity
4.3.7 - Separation of Development/Testing from Production Environments
4.3.8 - Hardware Integrity
4.4 - Information Protection Processes and Procedures (PR.IP)
4.4.1 - Information Technology/Industrial Control Systems
4.4.2 - System Development Life Cycle
4.4.3 - Configuration Change Control Processes
4.4.4 - Information Backups
4.4.5 - Physical Operating Environment
4.4.6 - Data Destruction
4.4.7 - Protection Process Improvement

4.4.8 - Protection Process Effectiveness
4.4.9 - Response and Recovery Plans
4.4.10 - Response and Recovery Plan Testing
4.4.11 - Human Resources Practices
4.4.12 - Vulnerability Management Plan
4.5 - Maintenance (PR.MA)
4.5.1 - Maintenance and Repair of Organizational Assets
4.5.2 - Remote Maintenance of Organizational Assets
4.6 - Protective Technology (PR.PT)
4.6.1 - Audit/Log Records
4.6.2 - Removable Media
4.6.3 - Principle of Least Functionality
4.6.4 - Communication and Control Networks
4.6.5 - Resilience Requirements
5 - Detect (DE)
5.1 - Anomalies and Events (DE.AE)
5.1.1 - Identity and Credential Management
5.1.2 - Event Analysis
5.1.3 - Event Correlation
5.1.4 - Event Impact
5.1.5 - Incident Alert Thresholds
5.2 - Security Continuous Monitoring (DE.CM)
5.2.1 - Network Monitoring
5.2.2 - Physical Environment
5.2.3 - Personnel Activity
5.2.4 - Malicious Code Detection
5.2.5 - Unauthorized Mobile Code
5.2.6 - External Service Provider Activity
5.2.7 - Unauthorized Personnel, Connections, Devices, and Software
5.2.8 - Vulnerability Scans
5.3 - Detection Processes (DE.DP)
5.3.1 - Roles and Responsibilities
5.3.2 - Detection Activity Requirements

5.3.3 - Detection Process Testing
5.3.4 - Communication of Event Detection Information
5.3.5 - Continuous Improvement
6 - Respond (RS)
6.1 - Response Planning (RS.RP)
6.1.1 - Response Plan
6.2 - Communications (RS.CO)
6.2.1 - Personnel Training
6.2.2 - Incident Reporting
6.2.3 - Information Sharing
6.2.4 - Coordination with Stakeholders
6.2.5 - Information Sharing with External Stakeholders
6.3 - Analysis (RS.AN)
6.3.1 - Incident Analysis
6.4 - Mitigation (RS.MI)
6.4.1 - Incident Mitigation
6.5 - Improvements (RS.IM)
6.5.1 - Lessons Learned
6.5.2 - Response Strategy Updates
7 - Recover (RC)
7.1 - Response Planning (RS.RP)
7.1.1 - Recovery Plan
7.2 - Improvements (RC.IM)
7.2.1 - Lessons Learned
7.2.2 - Recovery Strategy Updates
7.3 - Communications (RC.CO)
7.3.1 - Public Relations
7.3.2 - Reputation Repair
7.3.3 - Recovery Activity Communication

1 - Overview

While our organization currently does not have written Policies & Procedures that describe in detail the
tasks we have committed to undertake to adhere to the NIST Cyber Security Framework (CSF), we are
committed to adopting them. *

We perform a periodic assessment of our environment against the principles and functions set out in the
NIST CSF. The assessment consists of automated scans in conjunction with a review by an Internal
Auditor. This document contains both direct evidence of compliance and attestations by the Internal
Auditor based on a review of materials and supporting documentation. The methodology for the review
and the supporting documentation can be found in the various worksheets and documents (referenced in
the NIST Auditor Checklist). Issues are noted in the Risk Analysis and Risk Treatment Plan.

This document supplements the Risk Analysis and Risk Treatment Plan and offers substantiation and
verification of policy compliance.

* The issue is noted in the Risk Treatment Plan.

Security Officer

Name of Security Officer: J Simpson
Contact Information for Security Officer: jsimpson@myclientsnetwork.com

2 - Overall Risk

We have performed a Risk Assessment as part of our routine NIST compliance review. See the attached
NIST Risk Analysis and NIST Risk Treatment Plan.

3 - Identify (ID)

3.1 - Asset Management (ID.AM)


Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the
organization to achieve business purposes are identified and managed consistent with their relative
importance to organizational objectives and the organization's risk.

3.1.1 - Physical devices and systems

ID.AM-1: Physical devices and systems within the organization are inventoried

An automated inventory of assets in the network was performed as part of this assessment. The
discovered assets can be seen in the Asset Inventory Worksheet.

3.1.2 - Software platforms and applications

ID.AM-2: Software platforms and applications within the organization are inventoried

An automated inventory of installed software was performed as part of this assessment. The discovered
assets can be seen in the Application Inventory Worksheet.

3.1.3 - Organization communication and data flows

ID.AM-3: Organizational communication and data flows are mapped

Organizational communication and data flows are not mapped.

The issue is noted in the Risk Treatment Plan.

3.1.4 - External information systems

ID.AM-4: External information systems are catalogued

The following information systems were catalogued as a part of this assessment:

Name            Description                           Purpose          Business Owner   Criticality
Google Docs     Document publication and management   Marketing        Marketing        High
SalesForce.com  CRM                                   Sales            Sales            Critical
QuickBooks      Accounting system                     Accounting       Operations       High
Fusebill        Credit Card billing system            E-Commerce Site  Sales            Critical

3.1.5 - Resource prioritization

ID.AM-5: Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized
based on their classification, criticality, and business value

As part of the assessment process, resources are assessed for their criticality. Prioritization is placed on
critical assets over less critical assets.

3.1.6 - Cybersecurity roles and responsibilities

ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders
(e.g., suppliers, customers, partners) are established

Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders are
not established in the organization's Policies and Procedures.

The issue is noted in the Risk Treatment Plan.

3.2 - Business Environment (ID.BE)


Business Environment (ID.BE): The organization's mission, objectives, stakeholders, and activities
are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities,
and risk management decisions.

3.2.1 - Role in Supply Chain

ID.BE-1: The organization's role in the supply chain is identified and communicated

The organization's role in the supply chain has not been identified and communicated to key
stakeholders.

The issue is noted in the Risk Treatment Plan.

3.2.2 - Role in Critical Infrastructure and Industry Sector

ID.BE-2: The organization's place in critical infrastructure and its industry sector is identified and
communicated

The organization's role in critical infrastructure and its industry sector has not been identified and
communicated to key stakeholders.

The issue is noted in the Risk Treatment Plan.

3.2.3 - Priorities for Organizational Mission, Objectives, and Activities

ID.BE-3: Priorities for organizational mission, objectives, and activities are established and
communicated

The priorities for organizational mission, objectives, and activities have not been established and
communicated to key stakeholders.

The issue is noted in the Risk Treatment Plan.

3.2.4 - Delivery of Critical Services

ID.BE-4: Dependencies and critical functions for delivery of critical services are established

The dependencies and critical functions for delivery of critical services have not been established.

The issue is noted in the Risk Treatment Plan.

3.2.5 - Resilience Requirements

ID.BE-5: Resilience requirements to support delivery of critical services are established for all operating
states (e.g. under duress/attack, during recovery, normal operations)

The resilience requirements to support delivery of critical services are not established for all
operating states (e.g. under duress/attack, during recovery, normal operations).

The issue is noted in the Risk Treatment Plan.

3.3 - Governance (ID.GV)


Governance (ID.GV): The policies, procedures, and processes to manage and monitor the
organization's regulatory, legal, risk, environmental, and operational requirements are understood and
inform the management of cybersecurity risk.

3.3.1 - Organizational Cybersecurity Policy

ID.GV-1: Organizational cybersecurity policy is established and communicated

The organizational cybersecurity policy has not been established and communicated.

The issue is noted in the Risk Treatment Plan.

3.3.2 - Cybersecurity Roles and Responsibilities

ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and
external partners

Cybersecurity roles and responsibilities are not coordinated and aligned with internal roles and
external partners.

The issue is noted in the Risk Treatment Plan.

3.3.3 - Legal and Regulatory Requirements Regarding Cybersecurity

ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties
obligations, are understood and managed

Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties
obligations, are not understood and managed.

The issue is noted in the Risk Treatment Plan.

3.3.4 - Addressing Cybersecurity Risks

ID.GV-4: Governance and risk management processes address cybersecurity risks

Our governance and risk management processes are designed to address cybersecurity risks through
continuous risk assessment and remediation.

3.4 - Risk Assessment (ID.RA)


Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational
operations (including mission, functions, image, or reputation), organizational assets, and individuals.

3.4.1 - Asset Vulnerabilities

ID.RA-1: Asset vulnerabilities are identified and documented

As part of the Risk Assessment process, a scan for missing critical security patches on Windows assets
was performed. The results are found in the Windows Patch Summary Report.

Risks are noted in the Risk Treatment Plan.

3.4.2 - Cyber Threat Intelligence

ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources

As part of our efforts to stay informed on the latest cyber threats, our organization subscribes to the
following sources:

Source URL
Mitre www.mitre.org

3.4.3 - Risk Assessment

ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized

As part of this assessment process, our organization performs a Risk Assessment that identifies risk both
internal and external. Discovered issues are documented in the following documents:

● NIST Risk Analysis
● NIST Risk Treatment Plan
● NIST External Vulnerability Scan Detail by Issue Report
● NIST Full Detail Excel Export
● NIST Windows Patch Summary

Business impact, likelihood, and prioritization can be found in the Risk Treatment Plan.

3.5 - Risk Management Strategy (ID.RM)


Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and
assumptions are established and used to support operational risk decisions.

3.5.1 - Risk Management Strategy

ID.RM-1: Risk management processes are established, managed, and agreed to by organizational
stakeholders
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical
infrastructure and sector specific risk analysis

Our organization currently does not have a Risk Management Strategy that meets the criteria set
forth in the NIST Cybersecurity Framework.

The issue is noted in the Risk Treatment Plan.

3.6 - Supply Chain Risk Management (ID.SC)

Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances,
and assumptions are established and used to support risk decisions associated with managing supply
chain risk. The organization has established and implemented the processes to identify, assess and
manage supply chain risks.

3.6.1 - Supply Chain Risk Management

ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed,
managed, and agreed to by organizational stakeholders

Our organization currently does not have an established, assessed, and managed Supply Chain
Risk Management Strategy agreed to by organizational stakeholders.

The issue is noted in the Risk Treatment Plan.

3.6.2 - Supply Chain Risk Assessment

ID.SC-2: Suppliers and third-party partners of information systems, components, and services are
identified, prioritized, and assessed using a cyber supply chain risk assessment process

Cyber supply chain risk assessment process:

None

3.6.3 - Supply Chain Contracts

ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures
designed to meet the objectives of an organization's cybersecurity program and Cyber Supply Chain
Risk Management Plan.

A description of the cyber supply chain risk assessment process was not provided.

The issue is noted in the Risk Treatment Plan.

3.6.4 - Assessment of Suppliers and Third-Party Partners

ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other
forms of evaluations to confirm they are meeting their contractual obligations

Our suppliers and third-party partners are not routinely assessed using audits, test results, or
other forms of evaluations to confirm they are meeting their contractual obligations.

The issue is noted in the Risk Treatment Plan.

3.6.5 - Response and recovery with Suppliers and Third-Party Partners

ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party
providers

Our organization does not include our suppliers and third-party providers as part of our response
and recovery planning and testing.

The issue is noted in the Risk Treatment Plan.

4 - Protect (PR)

4.1 - Identity Management, Authentication and Access Control (PR.AC)

Identity Management, Authentication and Access Control (PR.AC): Access to physical and logical
assets and associated facilities is limited to authorized users, processes, and devices, and is managed
consistent with the assessed risk of unauthorized access to authorized activities and transactions.

4.1.1 - Identity and Credential Management

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized
devices, users and processes

Our organization does not have a documented process in place to issue, manage, verify, revoke
and audit for authorized devices, users and processes.

The issue is noted in the Risk Treatment Plan.

As part of the assessment process an audit of authorized devices and users was performed.

Details of the audit can be found in the User Access Review Worksheet and the Asset Inventory
Worksheet.

Audit Results

Criteria                                 Findings   Assessment
Terminated Users with Enabled Accounts   5          FAIL
Unauthorized Devices                     2          FAIL

4.1.2 - Physical Access

PR.AC-2: Physical access to assets is managed and protected

Physical access was not found to be managed and properly protected.

The issue is noted in the Risk Treatment Plan.

4.1.3 - Remote Access

PR.AC-3: Remote access is managed

Remote access was not found to be managed.

The issue is noted in the Risk Treatment Plan.

4.1.4 - Access Permissions and Authorization

PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least
privilege and separation of duties

As part of the assessment process, an Administrator review and a review of Security Groups are performed.

Administrator Review

Domain Administrators, and Administrators in general, have a higher level of access than other users and
should be clearly identified. The following is a list of all users with administrative roles in the network
environment.

Domain: myclientsnetwork.com

More than 30% of the users are in the Domain Administrator group and have unfettered access to files
and system resources. *

Username         Name            Member Of
abadmin *        A Branaugh      Domain Admins, Users
ajadmin *        A Smith         Domain Admins, Users
Administrator *  Administrator   Administrators, Builtin, Domain Admins, Enterprise Admins, Group Policy Creator Owners, Schema Admins, Users
dadmin *         D Brown         admin, Administrators, Builtin, Domain Admins, Enterprise Admins, Group Policy Creator Owners, Schema Admins, Users
dkadmin *        D Kindle        Domain Admins, QA, Users
dwadmin *        D White         Domain Admins, Users
jsadmin *        J Shearing      Domain Admins, QA, Users
jwadmin *        J Westerfield   Domain Admins, Users
lwadmin *        L Wilson        Domain Admins, QA, Users
mgadmin *        M Green         Domain Admins, QA, Users
mpadmin *        M Peters        Domain Admins, Users
msadmin *        M Simpson       Domain Admins, Users
pkadmin *        P Kettering     Domain Admins, Users
psadmin *        P Sulu          Domain Admins, Users
skadmin *        S Kulynee       Domain Admins, QA, Users
thadmin *        T Harris        Domain Admins, Users
uadmin *         unitbdr admin   admin, Administrators, Builtin, Domain Admins, Enterprise Admins, Group Policy Creator Owners, Schema Admins, Users
wpadmin *        W Paulson       Domain Admins, Users

* See Compensating Control Worksheet.

Security Groups

Security Groups are used to segment permissions allowing for least privilege access to resources.

Domain: myclientsnetwork.com

Group Name (path), followed by member counts and members:

Access Control Assistance Operators (myclientsnetwork.com/Builtin/Access Control Assistance Operators)
  0 Total: 0 Enabled, 0 Disabled

Account Operators (myclientsnetwork.com/Builtin/Account Operators)
  0 Total: 0 Enabled, 0 Disabled

Accounting (myclientsnetwork.com/Groups/Accounting)
  5 Total: 5 Enabled, 0 Disabled
  Enabled: Jabez Kristian, Jacob Ashter, Janet Gross, Jone DeJesus, Stan James

admin (myclientsnetwork.com/Groups/admin)
  2 Total: 2 Enabled, 0 Disabled
  Enabled: D Brown, unitbdr admin

Administrators (myclientsnetwork.com/Builtin/Administrators)
  18 Total: 16 Enabled, 2 Disabled
  Enabled: A Smith, Administrator, D Brown, D Kindle, D White, J Shearing, J Westerfield, L Wilson,
  M Green, M Peters, M Simpson, P Kettering, P Sulu, T Harris, unitbdr admin, W Paulson
  Disabled: A Branaugh, S Kulynee

Allowed RODC Password Replication Group (myclientsnetwork.com/Users/Allowed RODC Password Replication Group)
  0 Total: 0 Enabled, 0 Disabled

Backup Operators (myclientsnetwork.com/Builtin/Backup Operators)
  0 Total: 0 Enabled, 0 Disabled

Cert Publishers (myclientsnetwork.com/Users/Cert Publishers)
  0 Total: 0 Enabled, 0 Disabled

Certificate Service DCOM Access (myclientsnetwork.com/Builtin/Certificate Service DCOM Access)
  0 Total: 0 Enabled, 0 Disabled

Cloneable Domain Controllers (myclientsnetwork.com/Users/Cloneable Domain Controllers)
  0 Total: 0 Enabled, 0 Disabled

Cryptographic Operators (myclientsnetwork.com/Builtin/Cryptographic Operators)
  0 Total: 0 Enabled, 0 Disabled

Denied RODC Password Replication Group (myclientsnetwork.com/Users/Denied RODC Password Replication Group)
  20 Total: 18 Enabled, 2 Disabled
  Enabled: A Smith, Administrator, D Brown, D Kindle, D White, DC01, DC02, J Shearing, J Westerfield,
  L Wilson, M Green, M Peters, M Simpson, P Kettering, P Sulu, T Harris, unitbdr admin, W Paulson
  Disabled: A Branaugh, S Kulynee

DHCP Administrators (myclientsnetwork.com/Users/DHCP Administrators)
  0 Total: 0 Enabled, 0 Disabled

DHCP Users (myclientsnetwork.com/Users/DHCP Users)
  0 Total: 0 Enabled, 0 Disabled

Distributed COM Users (myclientsnetwork.com/Builtin/Distributed COM Users)
  0 Total: 0 Enabled, 0 Disabled

DnsAdmins (myclientsnetwork.com/Users/DnsAdmins)
  0 Total: 0 Enabled, 0 Disabled

DnsUpdateProxy (myclientsnetwork.com/Users/DnsUpdateProxy)
  0 Total: 0 Enabled, 0 Disabled

Domain Admins (myclientsnetwork.com/Users/Domain Admins)
  18 Total: 16 Enabled, 2 Disabled
  Enabled: A Smith, Administrator, D Brown, D Kindle, D White, J Shearing, J Westerfield, L Wilson,
  M Green, M Peters, M Simpson, P Kettering, P Sulu, T Harris, unitbdr admin, W Paulson
  Disabled: A Branaugh, S Kulynee

Domain Computers (myclientsnetwork.com/Users/Domain Computers)
  35 Total: 35 Enabled, 0 Disabled
  Enabled: APPSVR01, BACKUP01, DESKPC-09UPSPO, DESKPC-191IJQL, DESKPC-35EGQCC, DESKPC-4171AR0,
  DESKPC-4PF2ICP, DESKPC-534MS45, DESKPC-85BJGJT, DESKPC-BDJFFLG, DESKPC-F0M1O27, DESKPC-F6CKERQ,
  DESKPC-HN95P9Q, DESKPC-LIFRCFU, DESKPC-MA551PF, DESKPC-MJOD0L9, DESKPC-QFC42PE, DESKPC-RB3LBP3,
  DESKPC-U1K3NAF, EXCHSVR01, FILESVR01, HVSVR1, SQLSVR01, SQLSVR02, WRKSTN10-1, WRKSTN10-2,
  WRKSTN10-3, WRKSTN10-4, WRKSTN7-1, WRKSTN7-2, WRKSTN8-1, WRKSTN8-2, WRKSTN8-3, WRKSTN8-4, WS2012SVR

Domain Controllers (myclientsnetwork.com/Users/Domain Controllers)
  2 Total: 2 Enabled, 0 Disabled
  Enabled: DCTLR01, DCTLR02

Domain Guests (myclientsnetwork.com/Users/Domain Guests)
  1 Total: 0 Enabled, 1 Disabled
  Disabled: Guest

Domain Users (myclientsnetwork.com/Users/Domain Users)
  33 Total: 30 Enabled, 3 Disabled
  Enabled: A Smith, Aaron Rogers, Administrator, D Brown, D Kindle, D White, Eric Bland, J Shearing,
  J Westerfield, Jabez Kristian, Jacob Ashter, Janet Gross, Janet Knight, Jerry Coleman, John Camps,
  Jone DeJesus, L Wilson, M Green, M Peters, M Simpson, Marley Jones, M Talman, P Kettering,
  Pat Wysocki, P Sulu, Stan James, T Harris, Tin Shields, unitbdr admin, W Paulson
  Disabled: A Branaugh, DefaultAccount, S Kulynee

Engineering (myclientsnetwork.com/Groups/Engineering)
  6 Total: 6 Enabled, 0 Disabled
  Enabled: Jacob Ashter, Janet Gross, Janet Knight, John Camps, Jone DeJesus, Tin Shields

Enterprise Admins (myclientsnetwork.com/Users/Enterprise Admins)
  3 Total: 3 Enabled, 0 Disabled
  Enabled: Administrator, D Brown, unitbdr admin

Enterprise Key Admins (myclientsnetwork.com/Users/Enterprise Key Admins)
  0 Total: 0 Enabled, 0 Disabled

Enterprise Read-only Domain Controllers (myclientsnetwork.com/Users/Enterprise Read-only Domain Controllers)
  0 Total: 0 Enabled, 0 Disabled

Event Log Readers (myclientsnetwork.com/Builtin/Event Log Readers)
  0 Total: 0 Enabled, 0 Disabled

Group Policy Creator Owners (myclientsnetwork.com/Users/Group Policy Creator Owners)
  3 Total: 3 Enabled, 0 Disabled
  Enabled: Administrator, D Brown, unitbdr admin

Guests (myclientsnetwork.com/Builtin/Guests)
  1 Total: 0 Enabled, 1 Disabled
  Disabled: Guest

Human Resources (myclientsnetwork.com/Groups/Human Resources)
  7 Total: 7 Enabled, 0 Disabled
  Enabled: Aaron Rogers, Eric Bland, Jabez Kristian, Jerry Coleman, Marley Jones, Pat Wysocki, Stan James

Hyper-V Administrators (myclientsnetwork.com/Builtin/Hyper-V Administrators)
  0 Total: 0 Enabled, 0 Disabled

IIS_IUSRS (myclientsnetwork.com/Builtin/IIS_IUSRS)
  0 Total: 0 Enabled, 0 Disabled

Incoming Forest Trust Builders (myclientsnetwork.com/Builtin/Incoming Forest Trust Builders)
  0 Total: 0 Enabled, 0 Disabled

Key Admins (myclientsnetwork.com/Users/Key Admins)
  0 Total: 0 Enabled, 0 Disabled

Network Configuration Operators (myclientsnetwork.com/Builtin/Network Configuration Operators)
  0 Total: 0 Enabled, 0 Disabled

Performance Log Users (myclientsnetwork.com/Builtin/Performance Log Users)
  0 Total: 0 Enabled, 0 Disabled

Performance Monitor Users (myclientsnetwork.com/Builtin/Performance Monitor Users)
  0 Total: 0 Enabled, 0 Disabled

Pre-Windows 2000 Compatible Access (myclientsnetwork.com/Builtin/Pre-Windows 2000 Compatible Access)
  0 Total: 0 Enabled, 0 Disabled

Print Operators (myclientsnetwork.com/Builtin/Print Operators)
  0 Total: 0 Enabled, 0 Disabled

Protected Users (myclientsnetwork.com/Users/Protected Users)
  0 Total: 0 Enabled, 0 Disabled

QA (myclientsnetwork.com/Groups/QA)
  5 Total: 4 Enabled, 1 Disabled
  Enabled: D Kindle, J Shearing, L Wilson, M Green
  Disabled: S Kulynee

RAS and IAS Servers (myclientsnetwork.com/Users/RAS and IAS Servers)
  0 Total: 0 Enabled, 0 Disabled

RDS Endpoint Servers (myclientsnetwork.com/Builtin/RDS Endpoint Servers)
  0 Total: 0 Enabled, 0 Disabled

RDS Management Servers (myclientsnetwork.com/Builtin/RDS Management Servers)
  0 Total: 0 Enabled, 0 Disabled

RDS Remote Access Servers (myclientsnetwork.com/Builtin/RDS Remote Access Servers)
  0 Total: 0 Enabled, 0 Disabled

Read-only Domain Controllers (myclientsnetwork.com/Users/Read-only Domain Controllers)
  0 Total: 0 Enabled, 0 Disabled

Remote Desktop Users (myclientsnetwork.com/Builtin/Remote Desktop Users)
  0 Total: 0 Enabled, 0 Disabled

Remote Management Users (myclientsnetwork.com/Builtin/Remote Management Users)
  0 Total: 0 Enabled, 0 Disabled

Replicator (myclientsnetwork.com/Builtin/Replicator)
  0 Total: 0 Enabled, 0 Disabled

Schema Admins (myclientsnetwork.com/Users/Schema Admins)
  3 Total: 3 Enabled, 0 Disabled
  Enabled: Administrator, D Brown, unitbdr admin

Server Operators (myclientsnetwork.com/Builtin/Server Operators)
  0 Total: 0 Enabled, 0 Disabled

Storage Replica Administrators (myclientsnetwork.com/Builtin/Storage Replica Administrators)
  0 Total: 0 Enabled, 0 Disabled

System Managed Accounts Group (myclientsnetwork.com/Builtin/System Managed Accounts Group)
  1 Total: 0 Enabled, 1 Disabled
  Disabled: DefaultAccount

Terminal Server License Servers (myclientsnetwork.com/Builtin/Terminal Server License Servers)
  0 Total: 0 Enabled, 0 Disabled

Users (myclientsnetwork.com/Builtin/Users)
  33 Total: 30 Enabled, 3 Disabled
  Enabled: A Smith, Aaron Rogers, Administrator, D Brown, D Kindle, D White, Eric Bland, J Shearing,
  J Westerfield, Jabez Kristian, Jacob Ashter, Janet Gross, Janet Knight, Jerry Coleman, John Camps,
  Jone DeJesus, L Wilson, M Green, M Peters, M Simpson, Marley Jones, M Talman, P Kettering,
  Pat Wysocki, P Sulu, Stan James, T Harris, Tin Shields, unitbdr admin, W Paulson
  Disabled: A Branaugh, DefaultAccount, S Kulynee

Windows Authorization Access Group (myclientsnetwork.com/Builtin/Windows Authorization Access Group)
  0 Total: 0 Enabled, 0 Disabled
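The Administrator and Security Group review above can be turned into a repeatable least-privilege check. The Python below is an added example, not code from the assessment tool or from this report; its input is constructed from the group membership listed for myclientsnetwork.com above, the 30% Domain Admins threshold follows the report, and the rule that Enterprise Admins and Schema Admins should have no standing members is an assumption based on Microsoft's tier-0 guidance.

```python
"""Least-privilege review of an Active Directory group export.

Added example: not code from the assessment tool or the report. The export
below is constructed from the group membership this report lists for
myclientsnetwork.com; the thresholds and the tier-0 group names are
assumptions made here for illustration.
"""
from __future__ import annotations

# Groups whose membership is equivalent to full control of the domain.
PRIVILEGED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins",
    "Schema Admins", "Group Policy Creator Owners",
}
# Assumption: these forest-level groups should be empty except while a schema
# or forest change is in progress (Microsoft's guidance for tier-0 groups).
SHOULD_BE_EMPTY = {"Enterprise Admins", "Schema Admins"}
# The report flags the domain when more than 30% of users are Domain Admins.
MAX_DOMAIN_ADMIN_RATIO = 0.30

# Constructed from the Domain Users, Domain Admins, Enterprise Admins,
# Schema Admins and Group Policy Creator Owners rows of the report.
ENABLED_USERS = [
    "A Smith", "Aaron Rogers", "Administrator", "D Brown", "D Kindle",
    "D White", "Eric Bland", "J Shearing", "J Westerfield", "Jabez Kristian",
    "Jacob Ashter", "Janet Gross", "Janet Knight", "Jerry Coleman",
    "John Camps", "Jone DeJesus", "L Wilson", "M Green", "M Peters",
    "M Simpson", "Marley Jones", "M Talman", "P Kettering", "Pat Wysocki",
    "P Sulu", "Stan James", "T Harris", "Tin Shields", "unitbdr admin",
    "W Paulson",
]
DISABLED_USERS = ["A Branaugh", "DefaultAccount", "S Kulynee"]
TIER0 = ["Administrator", "D Brown", "unitbdr admin"]
GROUPS = {
    "Domain Users": ENABLED_USERS + DISABLED_USERS,
    "Domain Admins": [
        "A Branaugh", "A Smith", "Administrator", "D Brown", "D Kindle",
        "D White", "J Shearing", "J Westerfield", "L Wilson", "M Green",
        "M Peters", "M Simpson", "P Kettering", "P Sulu", "S Kulynee",
        "T Harris", "unitbdr admin", "W Paulson",
    ],
    "Enterprise Admins": TIER0,
    "Schema Admins": TIER0,
    "Group Policy Creator Owners": TIER0,
}


def domain_admin_ratio(groups: dict) -> float:
    """Share of all domain users (enabled or disabled) that hold Domain Admins."""
    return len(set(groups["Domain Admins"])) / len(set(groups["Domain Users"]))


def stale_privileged_members(groups: dict, disabled: list) -> dict:
    """Disabled accounts that still sit in a privileged group.

    Disabling an account does not strip its group memberships, so the rights
    come straight back if it is ever re-enabled; remove the membership too.
    """
    disabled_set = set(disabled)
    return {
        g: sorted(disabled_set & set(groups[g]))
        for g in sorted(PRIVILEGED_GROUPS & set(groups))
        if disabled_set & set(groups[g])
    }


def nonempty_tier0_groups(groups: dict) -> dict:
    """Forest-level groups that hold standing members."""
    return {g: sorted(groups[g]) for g in sorted(SHOULD_BE_EMPTY) if groups.get(g)}


def review(groups: dict, disabled: list) -> list:
    """Produce FAIL/WARN findings in the style of the report's audit table."""
    findings = []
    ratio = domain_admin_ratio(groups)
    if ratio > MAX_DOMAIN_ADMIN_RATIO:
        findings.append(f"FAIL: {ratio:.0%} of users are Domain Admins "
                        f"(limit {MAX_DOMAIN_ADMIN_RATIO:.0%})")
    for g, members in stale_privileged_members(groups, disabled).items():
        findings.append(f"FAIL: disabled accounts still in {g}: {', '.join(members)}")
    for g, members in nonempty_tier0_groups(groups).items():
        findings.append(f"WARN: {g} has standing members: {', '.join(members)}")
    return findings


if __name__ == "__main__":
    for line in review(GROUPS, DISABLED_USERS):
        print(line)
```

On the report's own data this yields 18 of 33 users (55%) in Domain Admins, two disabled accounts that still hold Domain Admins, and three standing members in each forest-level group.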

4.1.5 - Network Segregation and Segmentation

PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)

Our organization does not currently protect network integrity through network segregation,
network segmentation, or other means.

The issue is noted in the Risk Treatment Plan.

4.1.6 - Use of Identities in Interactions

PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions

Our organization uses Active Directory for user management to assert identities and verify them against
credentials. These user identities are the basis for determining access rights.

The following applications and external systems were verified for use of authentication:

Application   Is Authentication Required
Sales Force   Yes
etrigue       No
Office365     Yes
Happy Fox     Yes

4.1.7 - Asset Authentication

PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor)
commensurate with the risk of the transaction (e.g., individuals' security and privacy risks and other
organizational risks)

A review of the authentication methods used for users, devices, and other assets was performed, looking
for deficiencies where the method of authentication (e.g., single-factor, multi-factor) is not commensurate
with the risk of the transaction (e.g., individuals' security and privacy risks and other organizational risks).

No issues were found.

4.2 - Awareness and Training (PR.AT)


Awareness and Training (PR.AT): The organization's personnel and partners are provided
cybersecurity awareness education and are trained to perform their cybersecurity-related duties and
responsibilities consistent with related policies, procedures, and agreements.

4.2.1 - All Users

PR.AT-1: All users are informed and trained

Users have not received cybersecurity awareness education and training, either as part of their
onboarding or on a routine basis.

The issue is noted in the Risk Treatment Plan.

4.2.2 - Privileged Users

PR.AT-2: Privileged users understand their roles and responsibilities

Privileged users have not received enhanced cybersecurity awareness education and training
describing their roles and responsibilities.

The issue is noted in the Risk Treatment Plan.

4.2.3 - Third-party Stakeholders

PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and
responsibilities

We have not communicated to third-party stakeholders their roles and responsibilities with
regards to cybersecurity.

The issue is noted in the Risk Treatment Plan.

4.2.4 - Senior Executives

PR.AT-4: Senior executives understand their roles and responsibilities

Senior executives have not received enhanced cybersecurity awareness education and training
describing their roles and responsibilities.

The issue is noted in the Risk Treatment Plan.

4.2.5 - Physical and Cybersecurity Personnel

PR.AT-5: Physical and cybersecurity personnel understand their roles and responsibilities

Physical and cybersecurity personnel have not received enhanced cybersecurity awareness
education and training describing their roles and responsibilities.

The issue is noted in the Risk Treatment Plan.

4.3 - Data Security (PR.DS)


Data Security (PR.DS): Information and records (data) are managed consistent with the organization's
risk strategy to protect the confidentiality, integrity, and availability of information.

4.3.1 - Data-at-rest

PR.DS-1: Data-at-rest is protected

Our organization does not currently protect data-at-rest.

The issue is noted in the Risk Treatment Plan.

4.3.2 - Data-in-transit

PR.DS-2: Data-in-transit is protected

Our organization does not currently protect data-in-transit.

The issue is noted in the Risk Treatment Plan.

4.3.3 - Asset Removal, Transfers, and Disposition

PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition

Our organization does not formally manage assets throughout removal, transfers, and
disposition.

The issue is noted in the Risk Treatment Plan.

4.3.4 - Data Capacity

PR.DS-4: Adequate capacity to ensure availability is maintained

Our organization does not employ a monitoring system to ensure that adequate disk and storage capacity
is available to maintain data availability.

The issue is noted in the Risk Treatment Plan.

4.3.5 - Protections Against Data Leaks

PR.DS-5: Protections against data leaks are implemented

Firewalls

Our organization does not deploy firewalls between the internal network and all externally facing
network connections.

The issue is noted in the Risk Treatment Plan.

4.3.6 - Software, Firmware, and Information Integrity

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information
integrity

Our organization does not employ integrity checking mechanisms to verify software, firmware,
and information integrity.

The issue is noted in the Risk Treatment Plan.

4.3.7 - Separation of Development/Testing from Production Environments

PR.DS-7: The development and testing environment(s) are separate from the production environment

The Development and Testing Environments are not separated from the production environment.

The issue is noted in the Risk Treatment Plan.

4.3.8 - Hardware Integrity

PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity

Our organization does not employ integrity checking mechanisms to verify hardware integrity.

The issue is noted in the Risk Treatment Plan.

4.4 - Information Protection Processes and Procedures (PR.IP)


Information Protection Processes and Procedures (PR.IP): Security policies (that address purpose,
scope, roles, responsibilities, management commitment, and coordination among organizational
entities), processes, and procedures are maintained and used to manage protection of information
systems and assets.

4.4.1 - Information Technology/Industrial Control Systems

PR.IP-1: A baseline configuration of information technology/industrial control systems is created and
maintained incorporating security principles (e.g. concept of least functionality)

Our organization has not created and maintained a baseline configuration of information
technology/industrial control systems incorporating security principles (e.g. concept of least
functionality).

The issue is noted in the Risk Treatment Plan.

4.4.2 - System Development Life Cycle

PR.IP-2: A System Development Life Cycle to manage systems is implemented

Our organization has not implemented a System Development Life Cycle to manage systems.

The issue is noted in the Risk Treatment Plan.

4.4.3 - Configuration Change Control Processes

PR.IP-3: Configuration change control processes are in place

Configuration change control processes are not in place in our organization.

The issue is noted in the Risk Treatment Plan.

4.4.4 - Information Backups

PR.IP-4: Backups of information are conducted, maintained, and tested

Backups of information are not conducted, maintained, and tested.

The issue is noted in the Risk Treatment Plan.

4.4.5 - Physical Operating Environment

PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets
are met

Policy and regulations regarding the physical operating environment for organizational assets are
not met.

The issue is noted in the Risk Treatment Plan.

4.4.6 - Data Destruction

PR.IP-6: Data is destroyed according to policy

Data is not destroyed according to policy.

The issue is noted in the Risk Treatment Plan.

4.4.7 - Protection Process Improvement

PR.IP-7: Protection processes are improved

Protection processes are not regularly reviewed and improved.

The issue is noted in the Risk Treatment Plan.

4.4.8 - Protection Process Effectiveness

PR.IP-8: Effectiveness of protection technologies is shared

The effectiveness of protection technologies is not shared within our organization.

The issue is noted in the Risk Treatment Plan.

4.4.9 - Response and Recovery Plans

PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident
Recovery and Disaster Recovery) are in place and managed

Response plans (Incident Response and Business Continuity) and recovery plans (Incident
Recovery and Disaster Recovery) are not in place and managed.

The issue is noted in the Risk Treatment Plan.

4.4.10 - Response and Recovery Plan Testing

PR.IP-10: Response and recovery plans are tested

Response and recovery plans have not been tested.

The issue is noted in the Risk Treatment Plan.

4.4.11 - Human Resources Practices

PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel
screening)

Cybersecurity is not included in human resources practices.

The issue is noted in the Risk Treatment Plan.

4.4.12 - Vulnerability Management Plan

PR.IP-12: A vulnerability management plan is developed and implemented

Our organization does not have in place a vulnerability management plan.

The issue is noted in the Risk Treatment Plan.

4.5 - Maintenance (PR.MA)


Maintenance (PR.MA): Maintenance and repairs of industrial control and information system
components are performed consistent with policies and procedures.

4.5.1 - Maintenance and Repair of Organizational Assets

PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved
and controlled tools

Maintenance and repair of organizational assets are not performed and logged, with approved and
controlled tools.

The issue is noted in the Risk Treatment Plan.

4.5.2 - Remote Maintenance of Organizational Assets

PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a
manner that prevents unauthorized access

Remote maintenance of organizational assets is not approved, logged, and performed in a manner
that prevents unauthorized access.

The issue is noted in the Risk Treatment Plan.

4.6 - Protective Technology (PR.PT)


Protective Technology (PR.PT): Technical security solutions are managed to ensure the security and
resilience of systems and assets, consistent with related policies, procedures, and agreements.

4.6.1 - Audit/Log Records

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance
with policy

Audit/log records are not determined, documented, implemented, and reviewed in accordance
with policy.

The issue is noted in the Risk Treatment Plan.

4.6.2 - Removable Media

PR.PT-2: Removable media is protected and its use restricted according to policy

Removable media is not protected and its use is not restricted according to policy.

The issue is noted in the Risk Treatment Plan.

4.6.3 - Principle of Least Functionality

PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only
essential capabilities

The principle of least functionality is not incorporated by configuring systems to provide only
essential capabilities.

The issue is noted in the Risk Treatment Plan.

4.6.4 - Communication and Control Networks

PR.PT-4: Communications and control networks are protected

Communications and control networks are not protected.

The issue is noted in the Risk Treatment Plan.

4.6.5 - Resilience Requirements

PR.PT-5: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience
requirements in normal and adverse situations

Mechanisms (e.g., failsafe, load balancing, hot swap) are not implemented to achieve resilience
requirements in normal and adverse situations.

The issue is noted in the Risk Treatment Plan.

5 - Detect (DE)

5.1 - Anomalies and Events (DE.AE)


Anomalies and Events (DE.AE): Anomalous activity is detected and the potential impact of events is
understood.

5.1.1 - Identity and Credential Management

DE.AE-1: A baseline of network operations and expected data flows for users and systems is
established and managed

A baseline of network operations and expected data flows for users and systems is established and
managed using the following tools:

● Visio

5.1.2 - Event Analysis

DE.AE-2: Detected events are analyzed to understand attack targets and methods

Detected events are not analyzed to understand attack targets and methods.

The issue is noted in the Risk Treatment Plan.

5.1.3 - Event Correlation

DE.AE-3: Event data are collected and correlated from multiple sources and sensors

Event data are not collected and correlated from multiple sources and sensors.

The issue is noted in the Risk Treatment Plan.

5.1.4 - Event Impact

DE.AE-4: Impact of events is determined

Impact of events is not determined.

The issue is noted in the Risk Treatment Plan.

5.1.5 - Incident Alert Thresholds

DE.AE-5: Incident alert thresholds are established

Incident alert thresholds are not established.

The issue is noted in the Risk Treatment Plan.

5.2 - Security Continuous Monitoring (DE.CM)


Security Continuous Monitoring (DE.CM): The information system and assets are monitored to
identify cybersecurity events and verify the effectiveness of protective measures.

5.2.1 - Network Monitoring

DE.CM-1: The network is monitored to detect potential cybersecurity events

The network is monitored to detect potential cybersecurity events using the following tools:

● Cyber Hawk

5.2.2 - Physical Environment

DE.CM-2: The physical environment is monitored to detect potential cybersecurity events

CCTV implemented and monitored throughout the organization's physical office location.

5.2.3 - Personnel Activity

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events

Network user access logs are reviewed on a weekly basis to identify network access anomalies. When
such anomalies are identified, the internal security team investigates the anomaly and identifies the
anomaly's root cause. Then corrective action is taken.

5.2.4 - Malicious Code Detection

DE.CM-4: Malicious code is detected

As part of this assessment process, an automated scan of the various end points was performed to
ensure anti-malware applications are in place. Below is a summary of the findings. See the Antivirus
Verification Worksheet for detailed findings.

Automated detection could not be completed on 2 computers. These computers should be
investigated to ensure that anti-virus detection is properly in place.

● EXCHSVR01
● SQLSVR01

The issue is noted in the Risk Treatment Plan.

5.2.5 - Unauthorized Mobile Code

DE.CM-5: Unauthorized mobile code is detected

Mobile device usage to access network resources is not authorized or enabled.

5.2.6 - External Service Provider Activity

DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events

External service providers are contractually required to report all cyber security events to the
organization.

5.2.7 - Unauthorized Personnel, Connections, Devices, and Software

DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed

Network user access logs are reviewed on a weekly basis to identify network access anomalies. When
such anomalies are identified, the internal security team investigates the anomaly and identifies the
anomaly's root cause. Then corrective action is taken.

5.2.8 - Vulnerability Scans

DE.CM-8: Vulnerability scans are performed

As part of the assessment process, vulnerabilities are scanned for and detected within the network.
Issues are noted in the Risk Treatment Plan.

Additionally, an external vulnerability scan was performed. The results are summarized below and in the
NIST External Vulnerability Scan Detail by Issue Report.

The following external


Host                                                        Analysis     Open Ports  High  Med  Low  False  CVSS
97.72.92.49 (97-72-92-49-static.atl.earthlinkbusiness.net)  Medium risk  3           0     3    0    0      5.0
Total: 1                                                    Medium risk  3           0     3    0    0      5.0

See the NIST External Vulnerability Scan Detail by Issue Report for complete results.

The following external vulnerability issues were detected.

97.72.92.49 (97-72-92-49-static.atl.earthlinkbusiness.net)

Medium (CVSS: 5)
NVT: OpenSSH auth2-gss.c User Enumeration Vulnerability (Windows) 22 (OID: 1.3.6.1.4.1.25623.1.0.813887)
This host has OpenSSH installed and is prone to a user enumeration vulnerability.

Medium (CVSS: 5)
NVT: OpenSSH sftp-server Security Bypass Vulnerability (Windows) 22 (OID: 1.3.6.1.4.1.25623.1.0.812050)
This host has OpenSSH installed and is prone to a security bypass vulnerability.

Medium (CVSS: 5)
NVT: OpenSSH User Enumeration Vulnerability-Aug18 (Windows) 22 (OID: 1.3.6.1.4.1.25623.1.0.813863)
This host has OpenSSH installed and is prone to a user enumeration vulnerability.

5.3 - Detection Processes (DE.DP)


Detection Processes (DE.DP): Detection processes and procedures are maintained and tested to
ensure awareness of anomalous events.

5.3.1 - Roles and Responsibilities

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability

Roles and responsibilities for detection are not well defined to ensure accountability.

The issue is noted in the Risk Treatment Plan.

5.3.2 - Detection Activity Requirements

DE.DP-2: Detection activities comply with all applicable requirements

Detection activities do not comply with all applicable requirements.

The issue is noted in the Risk Treatment Plan.

5.3.3 - Detection Process Testing

DE.DP-3: Detection processes are tested

As part of the assessment process, detection processes were tested.

Cyber Hawk alerts are reviewed for accuracy and consistency on a monthly basis.

5.3.4 - Communication of Event Detection Information

DE.DP-4: Event detection information is communicated

Event detection information is not communicated.

The issue is noted in the Risk Treatment Plan.

5.3.5 - Continuous Improvement

DE.DP-5: Detection processes are continuously improved

Detection processes are not continuously improved.

The issue is noted in the Risk Treatment Plan.

6 - Respond (RS)

6.1 - Response Planning (RS.RP)


Response Planning (RS.RP): Response processes and procedures are executed and maintained, to
ensure response to detected cybersecurity incidents.

6.1.1 - Response Plan

RS.RP-1: Response plan is executed during or after an incident

Our organization does not have a written response plan.

The issue is noted in the Risk Treatment Plan.

6.2 - Communications (RS.CO)


Communications (RS.CO): Response activities are coordinated with internal and external
stakeholders (e.g. external support from law enforcement agencies).

6.2.1 - Personnel Training

RS.CO-1: Personnel know their roles and order of operations when a response is needed

Our personnel have not been trained to know their roles and order of operations when a response
is needed.

The issue is noted in the Risk Treatment Plan.

6.2.2 - Incident Reporting

RS.CO-2: Incidents are reported consistent with established criteria

Incidents are not reported consistent with established criteria.

The issue is noted in the Risk Treatment Plan.

6.2.3 - Information Sharing

RS.CO-3: Information is shared consistent with response plans

Information is not shared consistent with response plans.

The issue is noted in the Risk Treatment Plan.

6.2.4 - Coordination with Stakeholders

RS.CO-4: Coordination with stakeholders occurs consistent with response plans

Coordination with stakeholders does not occur consistent with response plans.

The issue is noted in the Risk Treatment Plan.

6.2.5 - Information Sharing with External Stakeholders

RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader
cybersecurity situational awareness

Voluntary information sharing does not occur with external stakeholders to achieve broader
cybersecurity situational awareness.

The issue is noted in the Risk Treatment Plan.

6.3 - Analysis (RS.AN)


Analysis (RS.AN): Analysis is conducted to ensure effective response and support recovery activities.

6.3.1 - Incident Analysis

RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to the
organization from internal and external sources (e.g. internal testing, security bulletins, or security
researchers)

As part of the assessment process, we reviewed our organization's response plan and recent response
plan executions to ensure proper analysis has been or will be performed.

● RS.AN-1: Notifications from detection systems are investigated
● RS.AN-2: The impact of the incident is understood
● RS.AN-3: Forensics are performed
● RS.AN-4: Incidents are categorized consistent with response plans
● RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to
  the organization from internal and external sources (e.g. internal testing, security bulletins, or
  security researchers)

6.4 - Mitigation (RS.MI)


Mitigation (RS.MI): Activities are performed to prevent expansion of an event, mitigate its effects, and
resolve the incident.

6.4.1 - Incident Mitigation

RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

As part of the assessment process, we reviewed our organization's response plan and recent response
plan executions to ensure proper mitigation has been or will be performed.

● RS.MI-1: Incidents are contained
● RS.MI-2: Incidents are mitigated
● RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks

6.5 - Improvements (RS.IM)


Improvements (RS.IM): Organizational response activities are improved by incorporating lessons
learned from current and previous detection/response activities.

6.5.1 - Lessons Learned

RS.IM-1: Response plans incorporate lessons learned

Response plans do not incorporate lessons learned.

The issue is noted in the Risk Treatment Plan.

6.5.2 - Response Strategy Updates

RS.IM-2: Response strategies are updated

Our response strategies have not been reviewed and updated within the past 90 days.

The issue is noted in the Risk Treatment Plan.

7 - Recover (RC)

7.1 - Recovery Planning (RC.RP)


Recovery Planning (RC.RP): Recovery processes and procedures are executed and maintained to
ensure restoration of systems or assets affected by cybersecurity incidents.

7.1.1 - Recovery Plan

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

Our organization has a written recovery plan.

See:

● RC.CP - Recovery Plan.docx

The recovery plan has not been or may not be executed during or after an incident.

The issue is noted in the Risk Treatment Plan.

7.2 - Improvements (RC.IM)


Improvements (RC.IM): Recovery planning and processes are improved by incorporating lessons
learned into future activities.

7.2.1 - Lessons Learned

RC.IM-1: Recovery plans incorporate lessons learned

Recovery plans do not incorporate lessons learned.

The issue is noted in the Risk Treatment Plan.

7.2.2 - Recovery Strategy Updates

RC.IM-2: Recovery strategies are updated

Our recovery strategies have not been reviewed and updated within the past 90 days.

The issue is noted in the Risk Treatment Plan.

7.3 - Communications (RC.CO)


Communications (RC.CO): Restoration activities are coordinated with internal and external parties
(e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other
CSIRTs, and vendors).

7.3.1 - Public Relations

RC.CO-1: Public relations are managed

As part of the recovery strategy, public relations are considered and managed.

See:

● RC.CO - Public Relations Management Plan.docx

7.3.2 - Reputation Repair

RC.CO-2: Reputation is repaired after an incident

As part of the recovery strategy, a program is not in place to repair reputation both internally and
externally.

The issue is noted in the Risk Treatment Plan.

7.3.3 - Recovery Activity Communication

RC.CO-3: Recovery activities are communicated to internal and external stakeholders as well as
executive and management teams

Recovery activities are not communicated to internal and external stakeholders as well as
executive and management teams.

The issue is noted in the Risk Treatment Plan.
