Question:
* Identify Controls: For each Subcategory, decide whether the control is administrative, physical, or technical. Once you identify the control, you have to indicate whether it is preventative, detective, or corrective. For example, if you put "Firewall" as a control under the physical column, then you need to indicate if it is preventative, detective or corrective.
Task:
* Provide 10 controls throughout the spreadsheet.
* Must do at least 4 of the 6 Categories.
* No more than one control per chosen subcategory.
* No more than 5 Administrative controls across the spreadsheet.
* No more than 2 Physical controls across the spreadsheet.
* Provide at least 3 Technical controls to apply across the spreadsheet.






| Category | Subcategory | Administrative (P/D/C) | Physical (P/D/C) | Technical (P/D/C) |
|---|---|---|---|---|
| Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk. | ID.GV-1: Organizational cybersecurity policy is established and communicated | | | |
| | ID.GV-2: Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners | | | |
| | ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed | | | |
| | ID.GV-4: Governance and risk management processes address cybersecurity risks | | | |
| Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals. | ID.RA-1: Asset vulnerabilities are identified and documented | | | |
| | ID.RA-2: Cyber threat intelligence is received from information sharing forums and sources | | | |
| | ID.RA-3: Threats, both internal and external, are identified and documented | | | |
| | ID.RA-4: Potential business impacts and likelihoods are identified | | | |
| | ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | | | |
| | ID.RA-6: Risk responses are identified and prioritized | | | |
| Risk Management Strategy (ID.RM): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions. | ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders | | | |
| | ID.RM-2: Organizational risk tolerance is determined and clearly expressed | | | |
| | ID.RM-3: The organization's determination of risk tolerance is informed by its role in critical infrastructure and | | | |
| Supply Chain Risk Management (ID.SC): The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks. | ID.SC-1: Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | | | |
| | ID.SC-2: Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber | | | |
| | ID.SC-3: Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization's cybersecurity program and Cyber Supply | | | |
| | ID.SC-4: Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations. | | | |
| | ID.SC-5: Response and recovery planning and testing are conducted with suppliers and third-party providers | | | |