Summary CSF Scores

3.3

3.0 3.0
2.8
2.7 2
2.3 2.3
2.2 2.2 2.2
2.0 2.0
1.8

1.3

0.8

0.3

Identify Protect Detect Recover Respond

Maturity 2.0 2.2 2.2 2.0 2.2
Target 3.0 2.3 3.0 2.7 2.6

Il grafico non è disponibile in questa versione di Excel.

Se si modifica questa forma o si salva la cartella di lavoro in un formato di file

diverso, il grafico verrà danneggiato in modo permanente.
 NIST CSF Scores Breakdow
Current Maturity Target

Asset Mgmt
Bus. Environment
Improvements Governance
2.7 2.6 4.0
Mitigation Ris
2.2
Analysis

Communications
2.0

Response Planning

0.0
ecover Respond
2.0 2.2
2.7 2.6
Communications

Improvements

mato di file
Recovery Planning

Ma

Detection Processes Protective T

Continuous Monitoring
Anomalies and Events
res Breakdown
urity Target

Mgmt
Bus. Environment
Governance
4.0
Risk Assessment

Risk Mgmt. Strategy

Supply Chain RM
2.0

0.0 Identity Mgt

Awareness and Training

Data Security

Info Protection

Maintence

Protective Tech

nd Events
Asset Management (ID.AM)
ID.AM-1: Physical devices and systems within the organization are inventoried
ID.AM-2: Software platforms and applications within the organization are inventoried
ID.AM-3: Organizational communication and data flows are mapped
ID.AM-4: External information systems are catalogued
ID.AM-5: Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their
ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholder
Business Environment (ID.BE)
ID.BE-1: The organization’s role in the supply chain is identified and communicated
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and com
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communic
ID.BE-4: Dependencies and critical functions for delivery of critical services are established
ID.BE-5: Resilience requirements to support delivery of critical services are established for all operati
operations)
Governance (ID.GV)
ID.GV-1: Organizational information security policy is established
ID.GV-2: Information security roles & responsibilities are coordinated and aligned with internal roles a
ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liber
ID.GV-4: Governance and risk management processes address cybersecurity risks
Risk Assessment (ID.RA)
ID.RA-1: Asset vulnerabilities are identified and documented
ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources
ID.RA-3: Threats, both internal and external, are identified and documented
ID.RA-4: Potential business impacts and likelihoods are identified
ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.RA-6: Risk responses are identified and prioritized
Risk Management Strategy (ID.RA)
ID.RM-1: Risk management processes are established, managed, and agreed to by organizational sta
ID.RM-2: Organizational risk tolerance is determined and clearly expressed
ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastruc
Supply Chain Management (ID.SC)
ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, manag
ID.SC-2: Identify, prioritize and assess suppliers and third-party partners of information systems, com
process
ID.SC-3: Suppliers and 3rd-party partners are required by contract to implement appropriate measur
program or Cyber Supply Chain Risk Management Plan
ID.SC-4: Suppliers and 3rd-party partners are routinely assessed to confirm that they are meeting th
results, or other equivalent evaluations of suppliers/providers are conducted
ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party pr
Current Maturity Target Maturity Summary Average
1
2
2
2
3 1.7
2
1
Current Maturity Target Maturity Summary Average
0
2
3 3 1.4
2
0
Current Maturity Target Maturity Summary Average
3
4
2
3 2.5
1
Current Maturity Target Maturity Summary Average
3
3
3
3
3 2.3
1
1
Current Maturity Target Maturity Summary Average
1
1 3 1.0
1
Current Maturity Target Maturity Summary Average
3
3

3
3 3.0
3

Total Average 2.0

Target Average 3.0
Asset Management (PR.AC)
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorize
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least p
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropri
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) comme
and privacy risks and other organizational risks)
Awareness and Training (PR.AT)
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and respon
PR.AT-4: Senior executives understand roles and responsibilities
PR.AT-5: Physical and information security personnel understand roles and responsibilities
Data Security (PR.DS)
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integ
PR.DS-7: The development and testing environment(s) are separate from the production environmen
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Information Protection (PR.IT)
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and
concept of least functionality)
PR.IP-2: A System Development Life Cycle to manage systems is implemented
PR.IP-3: Configuration change control processes are in place
PR.IP-4: Backups of information are conducted, maintained, and tested periodically
PR.IP-5: Policy and regulations regarding the physical operating environment for organizational asse
PR.IP-6: Data is destroyed according to policy
PR.IP-7: Protection processes are continuously improved
PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties
PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident R
PR.IP-10: Response and recovery plans are tested
PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel scr
PR.IP-12: A vulnerability management plan is developed and implemented
Maintenance (PR.MA)
PR.MA-1: Maintenance and repair of organizational assets are performed and logged in a timely man
PR.MA-2: Remote maintenance of organizational assets are approved, logged, and performed in a m
Protective Technology (PR.PT)
PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance
PR.PT-2: Removable media is protected and its use restricted according to policy
PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only es
PR.PT-4: Communications and control networks are protected
PR.PT-5: Systems operate in pre-defined functional states to achieve availability (e.g. under duress,
Current Maturity Target Maturity Summary Average
2
2
2
2
2
2 2.1
3

Current Maturity Target Maturity Summary Average

2
2
2 3 2.0
2
2
Current Maturity Target Maturity Summary Average
2
2
2
3
5
2 2.5
2
2
2
Current Maturity Target Maturity Summary Average

2
3
3
2
3 2 2.7
2
3
2
4
4
2
Current Maturity Target Maturity Summary Average
2
2
2 2.0
Current Maturity Target Maturity Summary Average
2
2
2 3 2.0
 3 2.0
2
2

Total Average 2.2

Target Average 2.3
Anomalies and Events (DE.AE)
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorize
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least p
PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate
PR.AC-6: Identities are proofed and bound to credentials, and asserted in interactions when appropri
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) comme
and privacy risks and other organizational risks)
Continous Monitoring (DE.CE)
PR.AT-1: All users are informed and trained
PR.AT-2: Privileged users understand roles and responsibilities
PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles and respon
PR.AT-4: Senior executives understand roles and responsibilities
PR.AT-5: Physical and information security personnel understand roles and responsibilities
Detection Process (PR.DS)
PR.DS-1: Data-at-rest is protected
PR.DS-2: Data-in-transit is protected
PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4: Adequate capacity to ensure availability is maintained
PR.DS-5: Protections against data leaks are implemented
PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integ
PR.DS-7: The development and testing environment(s) are separate from the production environmen
PR.DS-8: Integrity checking mechanisms are used to verify hardware integrity
Current Maturity Target Maturity Summary Average
2
2
2
2
2
3 2.1
3

Current Maturity Target Maturity Summary Average

2
2
2 3 2.0
2
2
Current Maturity Target Maturity Summary Average
2
2
2
3
5
3 2.5
2
2
2

Total Average 2.2

Target Average 3.0
Recovery Planning (RC.RP)

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident

Improvements (RC.IM)
RC.IM-1: Recovery plans incorporate lessons learned
RC.IM-2: Recovery strategies are updated
Communications (RC.CO)
RC.CO-1: Public relations are managed
RC.CO-2: Reputation after an event is repaired
RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and managem
Current Maturity Target Maturity Summary Average

2 2 2.0
Current Maturity Target Maturity Summary Average
2
2
3 2.0
Current Maturity Target Maturity Summary Average
2
2 3 2.0
2

Total Average 2.0

Target Average 2.7
Response Planning (RS.RP)
RS.RP-1: Response plan is executed during or after an incident
Communications (RS.CO)
RS.CO-1: Personnel know their roles and order of operations when a response is needed
RS.CO-2: Incidents are reported consistent with established criteria
RS.CO-3: Information is shared consistent with response plans
RS.CO-4: Coordination with stakeholders occurs consistent with response plans
RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cyberse
Analysis (RS.AN)
RS.AN-1: Notifications from detection systems are investigated
RS.AN-2: The impact of the incident is understood
RS.AN-3: Forensics are performed
RS.AN-4: Incidents are categorized consistent with response plans
RS.AN-5: Processes are established to receive, analyze and respond to vulnerabilities disclosed to th
testing, security bulletins, or security researchers)
Mitigation (RS.MI)
RS.MI-1: Incidents are contained
RS.MI-2: Incidents are mitigated
RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks
Improvements (RS.IM)
RS.IM-1: Response plans incorporate lessons learned
RS.IM-2: Response strategies are updated
Current Maturity Target Maturity Summary Average
2 3 2.0
Current Maturity Target Maturity Summary Average
2
2
2 3 2.0
2
2
Current Maturity Target Maturity Summary Average
2
2
2
3
3 2.8
5

Current Maturity Target Maturity Summary Average

2
2 2 2.3
3
Current Maturity Target Maturity Summary Average
2
2
2 2.0
Total Average 2.2
Target Average 2.6
Do not change this sheet - it is used to calculate the Summary Graphs.

Maturity Target
Identify 2.0 3.0
Protect 2.2 2.3
Detect 2.2 3.0
Recover 2.0 2.7
Respond 2.2 2.6
ary Graphs.

Current MaturityTarget

Asset Mgmt 1.7 3.0

Bus. Environment 1.4 3.0
Governance 2.5 3.0
Risk Assessment 2.3 3.0
Risk Mgmt. Strategy 1.0 3.0
Supply Chain RM 3.0 3.0

Identity Mgt 2.1 2.0

Awareness and Training 2.0 3.0
Data Security 2.5 2.0
Info Protection 2.7 2.0
Maintence 2.0 2.0
Protective Tech 2.0 3.0

Anomalies and Events 2.1 3.0

Continuous Monitoring 2.0 3.0
Detection Processes 2.5 3.0

Recovery Planning 2.0 2.0

Improvements 2.0 3.0
Communications 2.0 3.0

Response Planning 2.0 3.0

Communications 2.0 3.0
Analysis 2.8 3.0
Mitigation 2.3 2.0
Improvements 2.0 2.0