Generative AI is still processing your NIST Framework assessment request.

Control Number	Control	Current Control Implementation from Evidence	Date
GV.OC - 01	The organizational mission is understood and informs cybersecurity risk management	The organization shares its mission through the Trust Portal, emphasizing transparency and trustworthiness in data protection, privacy, and regulatory compliance. This mission informs their cybersecurity risk management, as evidenced by their adherence to security frameworks and detailed security practices. Evidence: SecurityOverview.docx, Overview section; Security Frameworks section; Risk Profile section. Gaps: No explicit mention of how the mission statement directly informs risk management decisions. Implementation Rating: Partially Implemented	2025-03-24
GV.OC - 02	Internal and external stakeholders are understood, and their needs and expectations regarding cybersecurity risk management are understood and considered	The organization practices the control by identifying and addressing the expectations of internal and external stakeholders through various security measures, such as data security, physical security, access control, infrastructure, endpoint security, and network security. These practices align with the expectations of customers, regulatory bodies, and internal team members. Evidence: [SecurityOverview.docx], citation [Overview; Security Frameworks we follow; Risk Profile; Data Security; Physical Security; Access Control; Infrastructure; Endpoint Security; Network Security; Image Description (ComplianceAide Service boundary)] Gaps: None identified Implementation Rating: Fully Implemented	2025-03-24
GV.OC - 03	Legal, regulatory, and contractual requirements regarding cybersecurity - including privacy and civil liberties obligations - are understood and managed	The organization practices the control by maintaining compliance with global data protection regulations and ensuring data security measures align with legal, regulatory, and contractual requirements. They follow frameworks like NIST CF and implement various security measures including encryption, access control, and regular backups. Evidence: SecurityOverview.docx, Overview Section; SecurityOverview.docx, Security Frameworks we follow; SecurityOverview.docx, Data Security Section; SecurityOverview.docx, Access Control Section Gaps: No specific process to track and manage legal and regulatory requirements or contractual requirements was detailed. Implementation Rating: Partially Implemented	2025-03-24
GV.OC - 04	Critical objectives, capabilities, and services that external stakeholders depend on or expect from the organization are understood and communicated	The organization practices the control by regularly communicating its cybersecurity risk management strategy and expectations to stakeholders, establishing and communicating resilience objectives, and determining critical assets and business operations. Evidence: [SecurityOverview.docx], Overview Section; ComplianceAide's Trust Portal; Data Security Section; Access Control Section; Infrastructure Section; Network Security Section. Gaps: No identified gaps. Implementation Rating: Fully Implemented	2025-03-24
GV.OC - 05	Outcomes, capabilities, and services that the organization depends on are understood and communicated	The organization practices the control by maintaining an inventory of dependencies on major cloud providers (Azure and AWS) and documenting their relationships to business functions. They also identify and communicate potential points of failure in their infrastructure and security measures. Evidence: [SecurityOverview.docx], citation [2. Risk Profile: "Third Part Dependence: Yes"; "Hosting: Major Cloud Providers: Azure and Aws"]; [6. Infrastructure: "Status Monitoring: Azure: Our infrastructure is primarily hosted in Azure in multiple regions throughout North America."] Gaps: No evidence of sharing dependency information with appropriate personnel. Implementation Rating: Partially Implemented	2025-03-24
GV.RM - 01	Risk management objectives are established and agreed to by organizational stakeholders	The organization establishes and agrees to risk management objectives through transparent communication with stakeholders and adherence to recognized frameworks like NIST CF. Specific measurable objectives for data security, access control, infrastructure, endpoint, and network security are documented, reflecting the alignment of their priorities, constraints, and assumptions to support operational risk decisions. Evidence: [SecurityOverview.docx], Overview Section; Security Frameworks; Risk Profile; Data Security; Access Control; Infrastructure; Endpoint Security; Network Security. Gaps: No explicit evidence of senior leaders' agreement and use of objectives for measuring and managing risk and performance. Implementation Rating: Partially Implemented	2025-03-24
GV.RM - 02	Risk appetite and risk tolerance statements are established, communicated, and maintained	No evidence of implementation. Evidence: [No documents found] Gaps: No risk appetite and risk tolerance statements, no communication of risk levels, no periodic refinement based on risk exposure Implementation Rating: Not Implemented	2025-03-24
GV.RM - 03	Cybersecurity risk management activities and outcomes are included in enterprise risk management processes	The organization integrates cybersecurity risk management into enterprise risk management by following recognized frameworks, identifying third-party dependencies, and implementing data security, access control, and network security measures. However, specific evidence of including cybersecurity risk managers in enterprise risk management planning or criteria for escalating cybersecurity risks is lacking. Evidence: [SecurityOverview.docx], Overview Section; Security Frameworks we follow Section; Risk Profile Section; Data Security Section; Physical Security Section; Access Control Section; Infrastructure Section; Endpoint Security Section; Network Security Section. Gaps: No evidence of cybersecurity risk managers' involvement in enterprise risk management planning; No criteria for escalating cybersecurity risks. Implementation Rating: Partially Implemented	2025-03-24
GV.RM - 04	Strategic direction that describes appropriate risk response options is established and communicated	The organization has established a strategic direction for risk response options, including criteria for accepting and avoiding cybersecurity risks, reliance on third-party services, and the use of major cloud providers like Azure and AWS. However, there is no mention of cybersecurity insurance or shared responsibility models. Evidence: [SecurityOverview.docx], Overview Section; ComplianceAide's Approach to Data Security; Risk Profile; Data Security; Access Control; Infrastructure; Endpoint Security; Network Security. Gaps: No evidence of criteria for cybersecurity insurance or shared responsibility models. Implementation Rating: Partially Implemented	2025-03-24
GV.RM - 05	Lines of communication across the organization are established for cybersecurity risks, including risks from suppliers and other third parties	No evidence of implementation. Evidence: [No documents found] Gaps: No evidence found for updating senior executives, directors, and management on the organization's cybersecurity posture; No evidence found for communication of cybersecurity risks across various departments. Implementation Rating: Not Implemented	2025-03-24
GV.RM - 06	A standardized method for calculating, documenting, categorizing, and prioritizing cybersecurity risks is established and communicated	The organization has documented its approach to calculating, documenting, categorizing, and prioritizing cybersecurity risks through various sections in their security overview. They follow standardized frameworks like NIST CF, use a consistent list of risk categories, and have established criteria for risk prioritization. Evidence: SecurityOverview.docx, Section: Security Frameworks we follow; Section: Risk Profile; Section: Data Security; Section: Access Control; Section: Infrastructure; Section: Endpoint Security; Section: Network Security Gaps: No specific templates or quantitative criteria for cybersecurity risk analysis were mentioned. Implementation Rating: Partially Implemented	2025-03-24
GV.RM - 07	Strategic opportunities (i.e., positive risks) are characterized and are included in organizational cybersecurity risk discussions	The organization practices the control by identifying and documenting positive risks alongside negative risks in its risk profile. The organization follows the NIST CF framework and includes third-party dependencies and hosting information in its risk profile. However, there is no evidence of defined methods for identifying opportunities or stretch goals. Evidence: [SecurityOverview.docx], citation [Risk Profile Section]; [SecurityOverview.docx], citation [Security Frameworks we follow] Gaps: No evidence of defined methods for identifying opportunities or stretch goals. Implementation Rating: Partially Implemented	2025-03-24
GV.RR - 01	Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving	No evidence of implementation. Evidence: [No documents found] Gaps: No evidence of leadership roles and responsibilities, expectations for a secure and ethical culture, direction for the CISO, or reviews for authority and coordination. Implementation Rating: Not Implemented	2025-03-24
GV.RR - 02	Roles, responsibilities, and authorities related to cybersecurity risk management are established, communicated, understood, and enforced	No evidence of implementation. Evidence: [No documents found] Gaps: No documentation of risk management roles and responsibilities, no assignment of accountability for cybersecurity risk management, no inclusion of cybersecurity responsibilities in personnel descriptions, no documentation of performance goals for personnel with cybersecurity responsibilities, and no clear articulation of cybersecurity responsibilities within operations, risk functions, and internal audit functions. Implementation Rating: Not Implemented	2025-03-24
GV.RR - 03	Adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies	No evidence of implementation. Evidence: [No documents found] Gaps: No evidence of periodic management reviews, resource allocation, or investment in line with risk tolerance and response; no evidence of adequate and sufficient resources to support the cybersecurity strategy. Implementation Rating: Not Implemented	2025-03-24
GV.RR - 04	Cybersecurity is included in human resources practices	No evidence of implementation. Evidence: [No documents found] Gaps: No evidence of integrating cybersecurity risk management into HR processes, considering cybersecurity knowledge in HR decisions, conducting background checks, or defining/enforcing security policy obligations for personnel. Implementation Rating: Not Implemented	2025-03-24
GV.PO - 01	Policy for managing cybersecurity risks is established based on organizational context, cybersecurity strategy, and priorities and is communicated and enforced	No evidence of implementation. Evidence: [No documents found] Gaps: No specific risk management policy, periodic review, senior management approval, communication, or acknowledgment processes identified. Implementation Rating: Not Implemented	2025-03-24
GV.PO - 02	Policy for managing cybersecurity risks is reviewed, updated, communicated, and enforced to reflect changes in requirements, threats, technology, and organizational mission	No evidence of implementation. Evidence: [No documents found] Gaps: No specific evidence of policy review, updates based on risk management results, communication of changes, or enforcement reflecting changes in requirements, threats, technology, and organizational mission. Implementation Rating: Not Implemented	2025-03-24
GV.SC - 01	A cybersecurity supply chain risk management program, strategy, objectives, policies, and processes are established and agreed to by organizational stakeholders	No evidence of implementation. Evidence: [No documents found] Gaps: No evidence of a cybersecurity supply chain risk management program, strategy, objectives, policies, or processes. No cross-organizational mechanism for alignment between functions contributing to cybersecurity supply chain risk management. Implementation Rating: Not Implemented	2025-03-24
GV.SC - 02	Cybersecurity roles and responsibilities for suppliers, customers, and partners are established, communicated, and coordinated internally and externally	No evidence of implementation. Evidence: [No documents found] Gaps: Lack of specific roles or positions, documentation of roles and responsibilities in policies, responsibility matrices, inclusion of roles in personnel descriptions, performance goals, and third-party agreements. Implementation Rating: Not Implemented	2025-03-24
GV.SC - 03	Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes	The organization practices cybersecurity supply chain risk management by aligning it with enterprise risk management, acknowledging third-party dependencies, and integrating various security measures and controls into their processes. Evidence: [SecurityOverview.docx], citation [Overview Section; Security Frameworks we follow; Risk Profile Section; Data Security Section; Access Control Section; Network Security Section] Gaps: No explicit evidence of escalating material cybersecurity risks in supply chains to senior management. Implementation Rating: Partially Implemented	2025-03-24
GV.SC - 04	Suppliers are known and prioritized by criticality	The organization practices the control by managing suppliers based on their criticality, including third-party dependencies and major cloud providers like Azure and AWS. However, there is no specific mention of criteria development for supplier criticality or a prioritized record of suppliers. Evidence: [SecurityOverview.docx], citation [Risk Profile Section, Third Part Dependence: Yes; Hosting: Major Cloud Providers: Azure and Aws] Gaps: No evidence of explicit criteria for supplier criticality or a prioritized record of suppliers. Implementation Rating: Partially Implemented	2025-03-24
GV.SC - 05	Requirements to address cybersecurity risks in supply chains are established, prioritized, and integrated into contracts and other types of agreements with suppliers and other relevant third parties	No evidence of implementation. Evidence: [No documents found] Gaps: No evidence of established, prioritized, and integrated cybersecurity risk requirements in supply chain contracts and agreements. Implementation Rating: Not Implemented	2025-03-24
GV.SC - 06	Planning and due diligence are performed to reduce risks before entering into formal supplier or other third-party relationships	No evidence of implementation. Evidence: [No documents found] Gaps: No evidence of performing due diligence, assessing supplier technology and cybersecurity capabilities, conducting supplier risk assessments, or assessing the authenticity, integrity, and security of critical products. Implementation Rating: Not Implemented	2025-03-24
GV.SC - 07	The risks posed by a supplier, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored over the course of the relationship	No evidence of implementation. Evidence: [No documents found] Gaps: Lack of documented procedures for assessing and monitoring third-party risks, evaluating third parties' compliance with contractual cybersecurity requirements, and planning for supply chain-related interruptions. Implementation Rating: Not Implemented	2025-03-24
GV.SC - 08	Relevant suppliers and other third parties are included in incident planning, response, and recovery activities	No evidence of implementation. Evidence: [No documents found] Gaps: Lack of documentation on rules and protocols for incident response, roles and responsibilities of suppliers, inclusion of suppliers in incident response exercises, crisis communication methods, and collaborative lessons learned sessions. Implementation Rating: Not Implemented	2025-03-24
GV.SC - 09	Supply chain security practices are integrated into cybersecurity and enterprise risk management programs, and their performance is monitored throughout the technology product and service life cycle	No evidence of implementation. Evidence: [No documents found] Gaps: No specific evidence of supply chain security practices, provenance records, risk reporting, communication about trustworthy providers, maintenance by approved personnel, or checking for unauthorized changes in upgrades. Implementation Rating: Not Implemented	2025-03-24
GV.SC - 10	Cybersecurity supply chain risk management plans include provisions for activities that occur after the conclusion of a partnership or service agreement	The organization practices the control by implementing data deletion policies, access control reviews, and network security measures to manage cybersecurity risks, including those related to supplier termination and data protection. Evidence: SecurityOverview.docx, Overview; Risk Profile; Data Security; Access Control; Logging; Credential Security; Network Security. Gaps: No specific evidence of processes for terminating critical relationships, end-of-life maintenance support, deactivating supplier access, or managing data leakage risks associated with supplier termination. Implementation Rating: Partially Implemented	2025-03-24
ID.AM - 1	Inventories of hardware managed by the organization are maintained	The organization practices maintaining inventories of hardware through central management and security measures, including mobile device management (MDM) for all employee endpoints and network monitoring with firewalls and IDS. Evidence: SecurityOverview.docx, Section: Endpoint Security, "Mobile Device Management"; Section: Network Security, "Firewall" and "IDS" Gaps: No specific mention of inventory maintenance for IoT and OT devices; no evidence of automatic updates to inventories upon detecting new hardware. Implementation Rating: Partially Implemented	2025-03-24
ID.AM - 3	Representations of the organization's authorized network communication and internal and external network data flows are maintained	The organization maintains representations of authorized network communication and data flows by using firewalls, Cilium Network Policies, and centralized logging with IDS to monitor and control traffic. Evidence: [SecurityOverview.docx], citation [Section: Network Security, "Firewall: We use both Firewalls and Cilium Network Policies (firewalls for Kubernetes) to monitor and control traffic in our infrastructure."; "IDS: Network activity is centrally logged and arbitrary detection logic has been defined to identify attackers and other anomalous behavior and generate alerts for further investigation."] Gaps: No explicit mention of maintaining baselines for internal/external network data flows or documentation of expected network ports, protocols, and services. Implementation Rating: Partially Implemented	2025-03-24
ID.AM - 4	Inventories of services provided by suppliers are maintained	The organization maintains an inventory of external services, including major cloud providers (Azure and AWS), as part of their infrastructure and risk management practices. However, there's no specific mention of updating the inventory for new services. Evidence: SecurityOverview.docx, sections: Risk Profile (Third Party Dependence: Yes; Hosting: Major Cloud Providers: Azure and AWS), Infrastructure (Status Monitoring: Azure). Gaps: No evidence of updating the inventory when new external services are utilized. Implementation Rating: Partially Implemented	2025-03-24
ID. AM - 5	Assets are prioritized based on classification, criticality, resources, and impact on the mission	No evidence of implementation. Evidence: [Document Name: SecurityOverview.docx], citation [No relevant sections found] Gaps: No criteria for prioritizing assets, no application of prioritization criteria, no tracking or updating of asset priorities. Implementation Rating: Not Implemented	2025-03-24
ID.AM - 7	Inventories of data and corresponding metadata for designated data types are maintained	No evidence of implementation. Evidence: [No documents found] Gaps: No list of designated data types; No continuous discovery and analysis of data; No data classification through tags or labels; No tracking of data provenance, data owner, and geolocation. Implementation Rating: Not Implemented	2025-03-24
ID.AM - 8	Systems, hardware, software, services, and data are managed throughout their life cycles	The organization practices the control by conducting regular backups, encrypting data in transit, and securely deploying resources using infrastructure-as-code techniques. They also manage endpoints with full-disk encryption and advanced EDR solutions, and utilize MDM for centralized management. However, there is no evidence of integrating cybersecurity considerations throughout product life cycles, identifying shadow IT, or securely destroying data as per retention policies. Evidence: [SecurityOverview.docx], Overview; Data Security; Access Control; Infrastructure; Endpoint Security; Network Security. Gaps: No evidence of product life cycle integration, shadow IT identification, or secure data destruction practices. Implementation Rating: Partially Implemented	2025-03-24
ID.RA - 1	Vulnerabilities in assets are identified, validated, and recorded	No evidence of implementation. Evidence: [No documents found] Gaps: No mention of using vulnerability management technologies, assessing architectures, reviewing software, assessing facilities, monitoring cyber threat intelligence, or reviewing processes and procedures for weaknesses. Implementation Rating: Not Implemented	2025-03-24
ID.RA - 2	Cyber threat intelligence is received from information sharing forums and sources	No evidence of implementation. Evidence: [No documents found] Gaps: Lack of specific references to receiving and reviewing cyber threat intelligence, configuring cybersecurity tools for threat intelligence feeds, or monitoring sources for emerging vulnerabilities. Implementation Rating: Not Implemented	2025-03-24
ID.RA - 3	Internal and external threats to the organization are identified and recorded	The organization identifies and records internal and external threats using cyber threat intelligence, performs threat hunting, and implements processes for identifying internal threat actors. The evidence includes monitoring security events, using EDR solutions for endpoints, and employing IDS for network activity. Evidence: SecurityOverview.docx, section 5: "Logging: All important security events in our environment are monitored"; section 7: "Endpoint Detection & Response: All employee endpoints are protected with an advanced EDR solution"; section 8: "IDS: Network activity is centrally logged and arbitrary detection logic has been defined to identify attackers and other anomalous behavior and generate alerts for further investigation." Gaps: No evidence of specific threat hunting activities or detailed internal threat actor identification processes. Implementation Rating: Partially Implemented	2025-03-24
ID.RA - 4	Potential impacts and likelihoods of threats exploiting vulnerabilities are identified and recorded	No evidence of implementation. Evidence: [No documents found] Gaps: Lack of documentation on identifying and recording potential impacts and likelihoods of threats exploiting vulnerabilities. Implementation Rating: Not Implemented	2025-03-24