Does your organization regularly conduct vulnerability assessments of business processes and procedures to identify potential cybersecurity weaknesses?
Explanation
This question asks whether you regularly run vulnerability assessments of your business processes and procedures, not only your technical systems, to surface cybersecurity gaps at the process level. Such assessments should examine how information flows through your organization, where sensitive data is stored or transmitted, and how human behaviors might create security gaps that technical controls alone cannot address.
Evidence of compliance could include documented vulnerability assessment reports specific to business processes, gap analysis documents comparing current practices against security standards, or minutes from security review meetings where process weaknesses were identified and remediation plans developed.
Implementation Example
Review processes and procedures for weaknesses that could be exploited to affect cybersecurity
ID: ID.RA-01.152
Context
- Function
  - ID: IDENTIFY
- Category
  - ID.RA: Risk Assessment
- Sub-Category
  - Vulnerabilities in assets are identified, validated, and recorded
Related questions
- Does your organization implement vulnerability management tools to detect unpatched software and misconfigurations?
- Does your organization regularly conduct security architecture reviews to identify and remediate design and implementation weaknesses?
- Does your organization conduct security reviews, analysis, or testing of internally developed software to identify vulnerabilities in design, code, and default configurations?
- Has your organization conducted a comprehensive physical security assessment of all facilities housing critical computing assets within the past 12 months?
- Does your organization actively monitor cyber threat intelligence sources for information about new vulnerabilities in your products and services?
- Has your organization configured cybersecurity tools to automatically ingest and operationalize threat intelligence feeds?