Cybersecurity Framework 2.0, Risk Management Framework, Data Privacy Framework, Artificial Intelligence Risk Framework

Cybersecurity Framework 2.0

GOVERN
The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

IDENTIFY
The organization’s current cybersecurity risks are understood.

PROTECT
Safeguards to manage the organization’s cybersecurity risks are implemented.

DETECT
Potential cybersecurity attacks and compromises are discovered and analyzed.

RESPOND
Actions regarding a detected cybersecurity incident are taken.

RECOVER
Assets and operations affected by a cybersecurity incident are restored.

Risk Management Framework

CATEGORIZE
Categorize the system and the information processed, stored, and transmitted by that system based on an impact analysis.

SELECT
Select an initial set of baseline security controls for the system based on the security categorization, tailoring and supplementing the security control baseline as needed based on an organizational assessment of risk and local conditions.

IMPLEMENT
Implement the security controls and document how the controls are deployed within the system and environment of operations.

ASSESS
Assess the security controls using appropriate procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

AUTHORIZE
Authorize system operations based upon a determination of the risk to organizational operations and assets, individuals, third parties, and resident or processing countries resulting from the operation of the system and the decision that this risk is acceptable.

MONITOR
Monitor and assess selected security controls in the system on an ongoing basis, including assessing security control effectiveness, documenting changes to the system or environment of operation, conducting security impact analyses of the associated changes, and reporting the security state of the system to appropriate organizational officials.

Data Privacy Framework

IDENTIFY
Develop the organizational understanding to manage privacy risk for individuals arising from data processing.

GOVERN
Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.

CONTROL
Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.

COMMUNICATE
Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.

PROTECT
Develop and implement appropriate data processing safeguards.

Artificial Intelligence Risk Management Framework

GOVERN
Policies, processes, procedures and practices across the organization related to the mapping, measuring and managing of AI risks are in place, transparent, and implemented effectively.

MAP
Context to frame risks related to an AI system is established and understood.

MEASURE
Quantitative, qualitative, or mixed-method tools, techniques, and methodologies are employed to analyze, assess, benchmark, and monitor AI risk and related impacts.

MANAGE
Risk resources are allocated to mapped and measured risks on a regular basis and as defined by the GOVERN function.