ID.IM-02: Improvements are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties


[ Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples. ]

Implementation Examples


Ex1: Identify improvements for future incident response activities based on findings from incident response assessments (e.g., tabletop exercises and simulations, tests, internal reviews, independent audits)

Ex2: Identify improvements for future business continuity, disaster recovery, and incident response activities based on exercises performed in coordination with critical service providers and product suppliers

Ex3: Involve internal stakeholders (e.g., senior executives, legal department, HR) in security tests and exercises as appropriate

Ex4: Perform penetration testing to identify opportunities to improve the security posture of selected high-risk systems as approved by leadership

Ex5: Exercise contingency plans for responding to and recovering from the discovery that products or services did not originate with the contracted supplier or partner or were altered before receipt

Ex6: Collect and analyze performance metrics using security tools and services to inform improvements to the cybersecurity program