Table 3: Cybersecurity Domains

| Domain | Example |
|---|---|
| Quality Management | Designate and document a management-level individual responsible for cybersecurity; implement policies and procedures; train employees. |
| Risk Governance | Review, document, and record risk decisions when non-compliant with internal policies and procedures. |
| Encryption | Document and use processes for determining when encryption will be used and acceptable methods, protocols, and key management approaches. |
| | Document and use processes for determining specific identity and access technology selections appropriate to the technology (e.g. biometric scanning, two- |
| | Document and use a process for designing architectures and systems securely, taking privacy principles into account; develop a repository of technology-specific requirements for the enterprise technologies used. |
| | Document and use a process for gathering threat intelligence to anticipate potential vulnerabilities or data exposure. Document a process for identifying vulnerabilities and appropriate remediation timeframes. |
| | Implement an asset management system that includes information about technologies used internally, technologies implemented in systems or products, third-party status, and configuration information. |
| | Document third parties providing equipment, infrastructure, or services. Routinely assess that third parties are following organization processes and procedures, and ensure compliance through standard contractual provisions. |
| | Document and use processes and technologies for ensuring data and device function integrity, such as file integrity monitoring or similar technologies. |
| | Document, test, and use routine processes and procedures for detecting potential incidents, such as intrusion prevention or detection systems, internal forensic procedures, information sharing models, playbooks and processes, an incident response team, and draft notification language. |
| | ... use of firewalls, firewall management systems, DMZ, data loss prevention tools, and network segmentation. |
| | Document, test, and use processes for determining system priority and expected uptime/downtime requirements. Document, test, and use processes for managing disaster situations, including appropriate recovery procedures, emergency operation, and storage of disaster recovery plans. |
| | Document, test, and use appropriate retention requirements according to the data stored; archive and delete data securely. Ensure that data can be deleted in all systems as appropriate. |