- ID:
This column contains the ID of the category being described and its connection with that particular function. e.g. Function: 'DE' points to the category "CM (Continuous Monitoring)", leading to the ID of that category being "DE.CM".
- CATEGORY:
This column describes the key focus of the organization in that particular category. e.g. For the category 'DE.CM', "Continuous Monitoring" is the key area of focus.
- METHODOLOGY:
Describes the methods and considerations the organization should apply when carrying out its risk assessment pertinent to the category being considered, e.g. DE.CM describes the process to be carried out in continuous monitoring.
- SUB CATEGORY ID:
Lists the various sub-categories related to that specific category, e.g. DE.CM (category) --> DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6, DE.CM-9 (sub-categories).
- SUB CATEGORY DESCRIPTION:
This column describes each sub-category ID, e.g. DE.CM-1 has its own description, which is different from that of DE.CM-2.
- SUB CATEGORY MODIFICATIONS:
This column contains the sub-categories that were "WITHDRAWN", the sub-categories that were "NEWLY ADDED OR INTRODUCED", and where each withdrawn sub-category was "MOVED TO".
The DETECT function implements suitable security measures and principles to spot and analyze any cybersecurity breaches or incidents.
Listed below are the various sub-categories of the "Detect Function" to use in planning your organization's risk assessment for its critical infrastructures.
DE.DP --> (GV.RR, DE.AE & ID.IM)
DE.CM-4 --> (DE.CM-1 & DE.CM-9), DE.CM-5 --> (DE.CM-1 & DE.CM-9), DE.CM-7 --> (DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-9), DE.CM-8 --> (ID.RA-1).
DE.DP: DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5.
DE.DP: (DE.DP-1) --> (GV.RR-2), (DE.DP-2) --> (DE.AE), (DE.DP-3) --> (ID.IM-2), (DE.DP-4) --> (DE.AE-6), (DE.DP-5) --> (ID.IM & ID.IM-3).
DE.AE: (DE.AE-1) --> (ID.AM-3), (DE.AE-5) --> (DE.AE-8).
ID | CATEGORY | METHODOLOGY | SUB CATEGORY ID | SUB CATEGORY DESCRIPTION | SUB CATEGORY MODIFICATIONS |
DE.CM | Continuous Monitoring. | Monitoring of Assets and Information: The function implements suitable security measures and principles to spot and analyze any cybersecurity breaches (IoCs, Indicators of Compromise) or incidents. | DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6, DE.CM-9. | DE.CM-1: All networks are monitored to detect potential cybersecurity events. DE.CM-2: The physical environment is monitored to detect potential cybersecurity events. DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events. DE.CM-6: Activities of external service providers are monitored to detect potential cybersecurity events. DE.CM-9: All computing hardware and software, runtime environments, and their data are monitored to detect potential cybersecurity events. | WITHDRAWN: DE.CM-4, DE.CM-5, DE.CM-7, DE.CM-8. NEWLY ADDED: DE.CM-9. MOVED TO: Read Top of Page, "CATEGORY WITHDRAWN AND INCORPORATED INTO A NEW CATEGORY". |
DE.AE | Adverse Event Analysis. | Anomalies and Indicators of Compromise: Ensuring that the organization has a clear understanding of the cybersecurity risk and how it affects its operations (including reputation, mission, and functions), individuals, and the organization's assets at large. | DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-6, DE.AE-7, DE.AE-8. | DE.AE-2: Potentially adverse events detected are to be analyzed to understand the methods of attack and targets. DE.AE-3: Event data are accumulated from a myriad of sources. DE.AE-4: The level of impact of events is determined. DE.AE-6: All information regarding the cyber incident is made available to authorized staff and tools. DE.AE-7: Cyber threat intelligence and other relevant information are integrated into the analysis. DE.AE-8: Incidents are declared when adverse events meet the defined incident criteria. | WITHDRAWN: DE.AE-1, DE.AE-5. NEWLY ADDED: DE.AE-6, DE.AE-7, DE.AE-8. MOVED TO: Read Top of Page, "SUBCATEGORIES NOW INCORPORATED INTO". |