NIST Cybersecurity Framework - Govern ISACA IS Audit/Assurance Program

Worksheet columns: Subcategory | Description | Maturity Level | Value | Target. The Subcategory and Description columns carry the same CSF 2.0 outcome text and are merged below. Maturity Level is the assessed current level (0 = Non-existent through 5 = Optimized), Value is its numeric score, and Target is the maturity value the organization is aiming for. The Result column and the Recommendations columns (People, Processes, Technology) are blank in every row of this assessment except where noted.

Subcategory | Description | Maturity Level | Value | Target

Organizational Context (GV.OC): The circumstances - mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements - surrounding the organization's cybersecurity risk management decisions are understood
GV.OC-01 | The organizational mission is understood and informs cybersecurity risk management | Non-existent | 0 | 3
GV.OC-02 | Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered | Non-existent | 0 | 3
GV.OC-03 | Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed | Non-existent | 0 | 3
GV.OC-04 | Critical objectives, capabilities, and services that stakeholders depend on or expect from the organization are understood and communicated | Non-existent | 0 | 2
GV.OC-05 | Outcomes, capabilities, and services that the organization depends on are understood and communicated | Non-existent | 0 | 3

Risk Management Strategy (GV.RM): The organization's priorities, constraints, risk tolerance and appetite statements, and assumptions are established, communicated, and used to support operational risk decisions
GV.RM-01 | Risk management objectives are established and agreed to by organizational stakeholders | Non-existent | 0 | 2
GV.RM-02 | Risk appetite and risk tolerance statements are established, communicated, and maintained | Non-existent | 0 | 2
GV.RM-03 | Cybersecurity risk management activities and outcomes are included in enterprise risk management processes | Non-existent | 0 | 2
GV.RM-04 | Strategic direction that describes appropriate risk response options is established and communicated | Non-existent | 0 | 2
GV.RM-05 | Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties | Non-existent | 0 | 2
GV.RM-06 | A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated | Non-existent | 0 | 3
GV.RM-07 | Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions | Non-existent | 0 | 3

Roles, Responsibilities, and Authorities (GV.RR): Cybersecurity roles, responsibilities, and authorities to foster accountability, performance assessment, and continuous improvement are established and communicated
GV.RR-01 | Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving | Non-existent | 0 | 3
GV.RR-02 | Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced | Non-existent | 0 | 3
GV.RR-03 | Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies | Non-existent | 0 | 2
GV.RR-04 | Cybersecurity is included in human resources practices | Non-existent | 0 | 3

Policy (GV.PO): Organizational cybersecurity policy is established, communicated, and enforced
GV.PO-01 | Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced | Non-existent | 0 | 3
GV.PO-02 | Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission | Non-existent | 0 | 3

Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy
GV.OV-01 | Cybersecurity risk management strategy outcomes are reviewed to inform and adjust strategy and direction | Non-existent | 0 | 2
GV.OV-02 | The cybersecurity risk management strategy is reviewed and adjusted to ensure coverage of organizational requirements and risks | Non-existent | 0 | 3
GV.OV-03 | Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments needed | Non-existent | 0 | 3

Cybersecurity Supply Chain Risk Management (GV.SC): Cyber supply chain risk management processes are identified, established, managed, monitored, and improved by organizational stakeholders
GV.SC-01 | A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders | Non-existent | 0 | 3
GV.SC-02 | Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally | Non-existent | 0 | 2
GV.SC-03 | Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes | Non-existent | 0 | 2
GV.SC-04 | Suppliers are known and prioritized by criticality | Non-existent | 0 | 2
GV.SC-05 | Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties | Non-existent | 0 | 2
GV.SC-06 | Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships | Non-existent | 0 | 2
GV.SC-07 | The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship | Non-existent | 0 | 2
GV.SC-08 | Relevant suppliers and other third parties are included in incident planning, response, and recovery activities | Non-existent | 0 | 3
GV.SC-09 | Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle | Non-existent | 0 | 3
GV.SC-10 | Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement | Non-existent | 0 | 3
NIST Cybersecurity Framework - Identify ISACA IS Audit/Assurance Program

Subcategory | Description | Maturity Level | Value | Target

Asset Management (ID.AM): Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy
ID.AM-01 | Inventories of hardware managed by the organization are maintained | Non-existent | 0 | 3
ID.AM-02 | Inventories of software, services, and systems managed by the organization are maintained | Non-existent | 0 | 3
ID.AM-03 | Representations of the organization's authorized network communication and internal and external network data flows are maintained | Non-existent | 0 | 3
ID.AM-04 | Inventories of services provided by suppliers are maintained | Non-existent | 0 | 2
ID.AM-05 | Assets are prioritized based on classification, criticality, resources, and impact on the mission | Non-existent | 0 | 3
ID.AM-07 | Inventories of data and corresponding metadata for designated data types are maintained | Non-existent | 0 | 3
ID.AM-08 | Systems, hardware, software, services, and data are managed throughout their life cycles | Non-existent | 0 | 3

Risk Assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization
ID.RA-01 | Vulnerabilities in assets are identified, validated, and recorded | Non-existent | 0 | 2
ID.RA-02 | Cyber threat intelligence is received from information sharing forums and sources | Non-existent | 0 | 2
ID.RA-03 | Internal and external threats to the organization are identified and recorded | Non-existent | 0 | 2
ID.RA-04 | Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded | Non-existent | 0 | 2
ID.RA-05 | Threats, vulnerabilities, likelihoods, and impacts are used to understand inherent risk and inform risk response prioritization | Non-existent | 0 | 2
ID.RA-06 | Risk responses are chosen, prioritized, planned, tracked, and communicated | Non-existent | 0 | 2
ID.RA-07 | Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | Non-existent | 0 | 2
ID.RA-08 | Processes for receiving, analyzing, and responding to vulnerability disclosures are established | Non-existent | 0 | 2
ID.RA-09 | The authenticity and integrity of hardware and software are assessed prior to acquisition and use | Non-existent | 0 | 3
ID.RA-10 | Critical suppliers are assessed prior to acquisition | Non-existent | 0 | 3

Improvement (ID.IM): Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions
ID.IM-01 | Improvements are identified from evaluations | Non-existent | 0 | 3
ID.IM-02 | Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties | Non-existent | 0 | 3
ID.IM-03 | Improvements are identified from execution of operational processes, procedures, and activities | Non-existent | 0 | 2
ID.IM-04 | Incident response plans and other cybersecurity plans that affect operations are established, communicated, maintained, and improved | Non-existent | 0 | 3

Copyright 2016 ISACA Page 21 of 32
NIST Cybersecurity Framework - Protect ISACA IS Audit/Assurance Program

Subcategory | Description | Maturity Level | Value | Target

Identity Management, Authentication, and Access Control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access
PR.AA-01 | Identities and credentials for authorized users, services, and hardware are managed by the organization | Non-existent | 0 | 3
PR.AA-02 | Identities are proofed and bound to credentials based on the context of interactions | Non-existent | 0 | 2
PR.AA-03 | Users, services, and hardware are authenticated | Non-existent | 0 | 3
PR.AA-04 | Identity assertions are protected, conveyed, and verified | Non-existent | 0 | 3
PR.AA-05 | Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | Non-existent | 0 | 3
PR.AA-06 | Physical access to assets is managed, monitored, and enforced commensurate with risk | Non-existent | 0 | 2

Awareness and Training (PR.AT): The organization's personnel are provided with cybersecurity awareness and training so that they can perform their cybersecurity-related tasks
PR.AT-01 | Personnel are provided with awareness and training so that they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind | Non-existent | 0 | 3
PR.AT-02 | Individuals in specialized roles are provided with awareness and training so that they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind | Non-existent | 0 | 3

Data Security (PR.DS): Data are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information
PR.DS-01 | The confidentiality, integrity, and availability of data-at-rest are protected | Non-existent | 0 | 2
PR.DS-02 | The confidentiality, integrity, and availability of data-in-transit are protected | Non-existent | 0 | 2
PR.DS-10 | The confidentiality, integrity, and availability of data-in-use are protected | Non-existent | 0 | 3
PR.DS-11 | Backups of data are created, protected, maintained, and tested | Non-existent | 0 | 3

Platform Security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability
PR.PS-01 | Configuration management practices are established and applied | Non-existent | 0 | 3
PR.PS-02 | Software is maintained, replaced, and removed commensurate with risk | Non-existent | 0 | 3
PR.PS-03 | Hardware is maintained, replaced, and removed commensurate with risk | Non-existent | 0 | 3
PR.PS-04 | Log records are generated and made available for continuous monitoring | Non-existent | 0 | 3
PR.PS-05 | Installation and execution of unauthorized software are prevented | Non-existent | 0 | 3 | Recommendations note: "ip5 no aplica" (ip5: not applicable)
PR.PS-06 | Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle | Non-existent | 0 | 2

Technology Infrastructure Resilience (PR.IR): Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience
PR.IR-01 | Networks and environments are protected from unauthorized logical access and usage | Non-existent | 0 | 3
PR.IR-02 | The organization's technology assets are protected from environmental threats | Non-existent | 0 | 3
PR.IR-03 | Mechanisms are implemented to achieve resilience requirements in normal and adverse situations | Non-existent | 0 | 3
PR.IR-04 | Adequate resource capacity to ensure availability is maintained | Non-existent | 0 | 2
NIST Cybersecurity Framework - Detect ISACA IS Audit/Assurance Program

Subcategory | Description | Maturity Level | Value | Target

Continuous Monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events
DE.CM-01 | Networks and network services are monitored to find potentially adverse events | Non-existent | 0 | 2
DE.CM-02 | The physical environment is monitored to find potentially adverse events | Non-existent | 0 | 2
DE.CM-03 | Personnel activity and technology usage are monitored to find potentially adverse events | Non-existent | 0 | 2
DE.CM-06 | External service provider activities and services are monitored to find potentially adverse events | Non-existent | 0 | 3
DE.CM-09 | Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | Non-existent | 0 | 3

Adverse Event Analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents
DE.AE-02 | Potentially adverse events are analyzed to better understand associated activities | Non-existent | 0 | 3
DE.AE-03 | Information is correlated from multiple sources | Non-existent | 0 | 1
DE.AE-04 | The estimated impact and scope of adverse events are understood | Non-existent | 0 | 3
DE.AE-06 | Information on adverse events is provided to authorized staff and tools | Non-existent | 0 | 3
DE.AE-07 | Cyber threat intelligence and other contextual information are integrated into the analysis | Non-existent | 0 | 3
DE.AE-08 | Incidents are declared when adverse events meet the defined incident criteria | Non-existent | 0 | 3
NIST Cybersecurity Framework - Respond ISACA IS Audit/Assurance Program

Subcategory | Description | Maturity Level | Value | Target

Incident Management (RS.MA): Responses to detected cybersecurity incidents are managed
RS.MA-01 | The incident response plan is executed in coordination with relevant third parties once an incident is declared | Non-existent | 0 | 3
RS.MA-02 | Incident reports are triaged and validated | Non-existent | 0 | 3
RS.MA-03 | Incidents are categorized and prioritized | Non-existent | 0 | 3
RS.MA-04 | Incidents are escalated or elevated as needed | Non-existent | 0 | 3
RS.MA-05 | The criteria for initiating incident recovery are applied | Non-existent | 0 | 3

Incident Analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities
RS.AN-03 | Analysis is performed to establish what has taken place during an incident and the root cause of the incident | Non-existent | 0 | 3
RS.AN-06 | Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved | Non-existent | 0 | 3
RS.AN-07 | Incident data and metadata are collected, and their integrity and provenance are preserved | Non-existent | 0 | 3
RS.AN-08 | An incident's magnitude is estimated and validated | Non-existent | 0 | 2

Incident Response Reporting and Communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies
RS.CO-02 | Internal and external stakeholders are notified of incidents | Non-existent | 0 | 3
RS.CO-03 | Information is shared with designated internal and external stakeholders | Non-existent | 0 | 3

Incident Mitigation (RS.MI): Activities are performed to prevent expansion of an event and mitigate its effects
RS.MI-01 | Incidents are contained | Non-existent | 0 | 2
RS.MI-02 | Incidents are eradicated | Non-existent | 0 | 2
NIST Cybersecurity Framework - Recover ISACA IS Audit/Assurance Program

Subcategory | Description | Maturity Level | Value | Target

Incident Recovery Plan Execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents
RC.RP-01 | The recovery portion of the incident response plan is executed once initiated from the incident response process | Non-existent | 0 | 3
RC.RP-02 | Recovery actions are selected, scoped, prioritized, and performed | Non-existent | 0 | 3
RC.RP-03 | The integrity of backups and other restoration assets is verified before using them for restoration | Non-existent | 0 | 3
RC.RP-04 | Critical mission functions and cybersecurity risk management are considered to establish post-incident operational norms | Non-existent | 0 | 3
RC.RP-05 | The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed | Non-existent | 0 | 3
RC.RP-06 | The end of incident recovery is declared based on criteria, and incident-related documentation is completed | Non-existent | 0 | 3

Incident Recovery Communication (RC.CO): Restoration activities are coordinated with internal and external parties
RC.CO-03 | Recovery activities and progress in restoring operational capabilities are communicated to designated internal and external stakeholders | Non-existent | 0 | 3
RC.CO-04 | Public updates on incident recovery are shared using approved methods and messaging | Non-existent | 0 | 3
Summary scores

Each category Target Score is the mean of its subcategory Target values (for example GV.OC: (3+3+3+2+3)/5 = 2.80), and each function score is the mean of its category scores (for example GOVERN: (2.80+2.29+2.75+3.00+2.67+2.40)/6 = 2.65). Every Company Score is 0.00 because every subcategory was assessed as Non-existent (value 0).

NIST CSF 2.0 Categories | Target Score | Company Score
Overall | 2.71 | 0.00
GOVERN (GV)
Organizational Context (GV.OC) | 2.80 | 0.00
Risk Management Strategy (GV.RM) | 2.29 | 0.00
Roles, Responsibilities, and Authorities (GV.RR) | 2.75 | 0.00
Policy (GV.PO) | 3.00 | 0.00
Oversight (GV.OV) | 2.67 | 0.00
Cybersecurity Supply Chain Risk Management (GV.SC) | 2.40 | 0.00
IDENTIFY (ID)
Asset Management (ID.AM) | 2.86 | 0.00
Risk Assessment (ID.RA) | 2.20 | 0.00
Improvement (ID.IM) | 2.75 | 0.00
PROTECT (PR)
Identity Management, Authentication, and Access Control (PR.AA) | 2.67 | 0.00
Awareness and Training (PR.AT) | 3.00 | 0.00
Data Security (PR.DS) | 2.50 | 0.00
Platform Security (PR.PS) | 2.83 | 0.00
Technology Infrastructure Resilience (PR.IR) | 2.75 | 0.00
DETECT (DE)
Continuous Monitoring (DE.CM) | 2.40 | 0.00
Adverse Event Analysis (DE.AE) | 2.67 | 0.00
RESPOND (RS)
Incident Management (RS.MA) | 3.00 | 0.00
Incident Analysis (RS.AN) | 2.75 | 0.00
Incident Response Reporting and Communication (RS.CO) | 3.00 | 0.00
Incident Mitigation (RS.MI) | 2.00 | 0.00
RECOVER (RC)
Incident Recovery Plan Execution (RC.RP) | 3.00 | 0.00
Incident Recovery Communication (RC.CO) | 3.00 | 0.00

Function | Target Score - By category | Company Score - By category
Overall | 2.71 | 0.00
GOVERN (GV) | 2.65 | 0.00
IDENTIFY (ID) | 2.60 | 0.00
PROTECT (PR) | 2.75 | 0.00
DETECT (DE) | 2.53 | 0.00
RESPOND (RS) | 2.69 | 0.00
RECOVER (RC) | 3.00 | 0.00
[Radar charts: "Company Score - By category" (one axis per CSF category, scale 0.0 to 5.0) and "Target Score vs Company Score" (one axis per CSF function, scale 0.0 to 5.0). All company scores plot at 0.00.]

NIST Cyber Security Framework Maturity Levels
5 - Optimized
4 - Managed
3 - Defined
2 - Repeatable
1 - Initial
0 - Non-existent