Determine the cybersecurity maturity level of the organization for two assessment factors from two different domains using the statements below.

Submit a table with the domains identified that includes the following for each assessment factor:

Baseline

Evolving

Intermediate

Advanced

Innovative

Domain $1$: Cyber Risk Management and Oversight

Assessment Factor: Risk Management

Criteria: Risk Management Program

Baseline

An information security and business continuity risk management function$($s$)$ exists within the institution.

Evolving

The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting.

Management reviews and uses the results of audits to improve existing cybersecurity policies, procedures, and controls.

Management monitors moderate and high residual risk issues from the cybersecurity risk assessment until items are addressed.

Intermediate

The cybersecurity function has no clear reporting line.

The risk management program does not address cyber risks beyond the boundaries of the technological impacts.

There are no benchmarks or target performance metrics.

Management uses the results of independent audits and reviews to improve cybersecurity.

Advanced

The cybersecurity strategy outlines the institution$$s future state of cybersecurity with short$-$term and long$-$term perspectives.

Innovative

The cybersecurity strategy identifies and communicates the institution$$s role as it relates to other critical infrastructures.

Domain $2$: Threat Intelligence and Collaboration

Assessment Factor: Threat Intelligence

Criteria: Threat Intelligence and Information

Baseline

The institution belongs to a threat and vulnerability information sharing source that provides information on threats.

Threat information is used to monitor threats and vulnerabilities with some compensating controls.

Threat information is used to enhance internal risk management and controls.

Evolving

Threat information received by the institution does not include analysis of tactics, patterns, and risk mitigation recommendations.

Advanced

Cyber intelligence model is used for gathering threat information.

Innovative

A threat analysis system automatically correlates threat data to specific risks and then takes risk$-$based automated actions while alerting management.Determine the cybersecurity maturity level of the organization for two assessment factors from two different domains using the statements below.

Submit a table with the domains identified that includes the following for each assessment factor:

Baseline

Evolving

Intermediate

Advanced

Innovative

Domain $1$: Cyber Risk Management and Oversight

Assessment Factor: Risk Management

Criteria: Risk Management Program

Baseline

An information security and business continuity risk management function$($s$)$ exists within the institution.

Evolving

The risk management program incorporates cyber risk identification, measurement, mitigation, monitoring, and reporting.

Management reviews and uses the results of audits to improve existing cybersecurity policies, procedures, and controls.

Management monitors moderate and high residual risk issues from the cybersecurity risk assessment until items are addressed.

Intermediate

The cybersecurity function has no clear reporting line.

The risk management program does not address cyber risks beyond the boundaries of the technological impacts.

There are no benchmarks or target performance metrics.

Management uses the results of independent audits and reviews to improve cybersecurity.

Advanced

The cybersecurity strategy outlines the institution$$s future state of cybersecurity with short$-$term and long$-$term perspectives.

Innovative

The cybersecurity strategy identifies and communicates the institution$$s role as it relates to other critical infrastructures.

Domain $2$: Threat Intelligence and Collaboration

Assessment Factor: Threat Intelligence

Criteria: Threat Intelligence and Information

Baseline

The institution belongs to a threat and vulnerability information sharing source that provides information on threats.

Threat information is used to monitor threats and vulnerabilities with some compensating controls.

Threat information is used to enhance internal risk management and controls.

Evolving

Threat information received by the institution does not include analysis of tactics, patterns, and risk mitigation recommendations.

Advanced

Cyber intelligence model is used for gathering threat information.

Innovative

A threat analysis system automatically correlates threat data to specific risks and then takes risk$-$based automated actions while alerting management.