Sample output
Cybersecurity readiness assessment
Sample cyber readiness assessment for Summit Ledger Co-op (sample)—self-assessment, not a pen test.
Use Overview, Actions, and Full brief to jump between the dashboard and narrative—the same brief preview tab you get after completing Discovery.
Export downloads use this Markdown body.
# Cybersecurity readiness assessment — sample

_Template cybersecurity_assessment_v2 v1 · Cybersecurity readiness assessment_

---

# At a glance

**Organization:** Summit Ledger Co-op (sample)

**Cyber readiness score:** 44 / 100

**Coverage:** 14 / 21 mapped controls answered (7 missing)

**Readiness band:** Developing

**Top control gaps:** SOC 2 system boundary is defined, Risk assessment process, Change management

**NIST CSF maturity (overall):** 44 / 100

**NIST coverage:** 14 / 21 mapped controls answered (7 missing)

**NIST CSF maturity (by function):** Identify 20, Protect 48, Detect 47, Respond 41, Recover 56

**SOC 2 maturity (overall):** 44 / 100

**SOC 2 coverage:** 14 / 21 mapped controls answered (7 missing)

**SOC 2 maturity (by criteria):** Security 42, Availability 52, Confidentiality 0, Processing Integrity 33, Privacy 0

**SOC 2 comparative posture (vs SaaS (all services cloud-hosted) baseline):** Security Below, Availability At, Confidentiality Below, Processing Integrity At, Privacy Below

**Top NIST CSF gaps:** SOC 2 system boundary is defined, Risk assessment process, Change management

**Top SOC 2 gaps:** SOC 2 system boundary is defined, Risk assessment process, Change management

**Top incident scenarios:** Credential phishing and ransomware on endpoints.

_This summary is advisory and designed to support incident-readiness planning priorities. It is not an audit opinion._

---

# Report scope & confidence

**How to use this report:** Read the executive summary and appendix index first, skim the full brief for narrative context, then use the framework appendices and the maturity comparison table for prioritized gaps. Update checklist answers as your posture changes and re-export when sharing with stakeholders.

**How scores are derived:** The headline cyber readiness score and the framework appendix domain scores use the same mapped control maturity answers (Not in place through Operationally proven). They are self-assessment snapshots, not independent testing, audit evidence, or certification.

**Scoring model version:** cyber_scoring_v2 (mapped-control weighted rollups with explicit missing-control coverage). Keep this line when comparing reports over time.

**Missing answers:** For controls that appear in your checklist, an empty or invalid maturity answer is treated as the lowest maturity for scoring and appendix tables, so incomplete sections read as lower readiness until you complete them.

**What does not change the numeric mappings:** Free-text and plan fields (for example critical systems, sensitive data narrative, incident scenarios, and 30/60/90-day priorities) shape the full brief and priorities but are not fed into the framework score math.

**Print and PDF:** Use your browser print dialog for a quick paper copy, or download the Markdown / PDF export from the report page. The built-in PDF uses a monospace layout; for board-ready decks, paste sections into your template or print from the preview after zooming to a comfortable width.

**PCI DSS appendix:** Shown when payment exposure is indicated, or when payment scope is anything other than “processor-only / no card data stored” on your checklist. If you selected processor-only, the PCI appendix is omitted even if your business type touches retail or e-commerce.

---

## Appendix index

1. SOC 2 appendix (readiness view)
2. NIST CSF appendix (readiness view)
3. ISO/IEC 27001 appendix (readiness view)
4. CIS Controls v8 appendix (readiness view)
5. NIST SP 800-171 / CMMC appendix (readiness view)
6. NIS2 appendix (readiness view)
7. GDPR Article 32 appendix (readiness view)
8. PIPEDA safeguards appendix (readiness view)
9. OSFI B-13 appendix (readiness view)
10. DORA appendix (readiness view)
11. PCI DSS appendix (readiness view)
12. Maturity comparison across frameworks (visual snapshot)

---

# Full brief

# Business profile (quick)

These quick choices tailor the assessment so you only see questions that apply to your business. Rough answers are fine.

### How many employees do you have (roughly)?

_To be confirmed_

### Industry (closest match)

_To be confirmed_

### Type of business (closest use case)

SaaS (all services cloud-hosted)

### Where do you primarily operate?

_To be confirmed_

### How do you operate day-to-day?

Hybrid (online + physical locations)

### We accept payments or financial transactions digitally

Yes

### SOC 2 intent

Considering

### Key vendors/third parties have access to our systems or sensitive data

Yes

### Sensitive / regulated data types we handle (choose all that apply)

Financial / payment-related data

### What systems would seriously disrupt the business if they went down?

> M365, AWS production, Stripe

### Critical systems evidence sources

_To be confirmed_

### What sensitive information do you handle?

> _To be confirmed_

### Sensitive data evidence sources

_To be confirmed_

---

# Identity & access

Who can sign in, who has admin access, and how you prevent account takeovers.

### Multi-factor sign-in (MFA) coverage

Mostly in place

### Admin / privileged access controls

Mostly in place

### Regular access reviews (who has access to what)

Partially in place

---

# Protection & resilience

Reducing preventable incidents and ensuring you can recover when something goes wrong.

### Keeping systems updated (patching) and fixing known vulnerabilities

Mostly in place

### Device protection (endpoint security / EDR) coverage

Mostly in place

### Backups and restore testing readiness

Mostly in place

---

# Detection & incident response

Seeing suspicious activity early and having a plan the business can execute under pressure.

### Security visibility (logs) and monitoring

Partially in place

### Incident response plan (what we do when something goes wrong)

Mostly in place

### Practice drills (tabletop exercises) and playbook testing

Partially in place

---

# People & continuity

Human-factor risk (phishing) plus the basics of business continuity and recovery planning.

### Staff security training and phishing reporting

Mostly in place

### Security policies and governance

Partially in place

### Business continuity and disaster recovery readiness

Mostly in place

---

# SOC 2 readiness (if applicable)

Shown when you are considering or pursuing a SOC 2 report. This is not an audit—it's a readiness view mapped to the AICPA Trust Services Criteria.

### SOC 2 system boundary is defined (what’s in scope, what’s out)

_To be confirmed_

### Risk assessment process (identify and track security risks)

_To be confirmed_

### Change management (track/approve changes to production systems)

_To be confirmed_

### Security incident definition + escalation criteria are documented

_To be confirmed_

### Vendor due diligence for SOC 2 in-scope service providers

_To be confirmed_

---

# Vendors & third parties (if applicable)

Shown when vendors or third parties can access sensitive data or admin systems.

### Vendor / third-party risk management

Partially in place

---

# Payments & transactions (if applicable)

Shown when you accept payments or run digital financial transactions. The focus is scoping, not a PCI audit.

### Where do payments happen?

_To be confirmed_

### Finance fraud controls (invoice/bank-change verification, approvals)

Partially in place

---

# On‑prem & physical locations (if applicable)

Shown when you have physical locations or on‑prem systems. Keep it practical and high-level.

### Physical access controls for offices/servers (keys, badges, visitor log)

_To be confirmed_

### Network baseline controls (Wi‑Fi security, segmentation, device onboarding)

_To be confirmed_

---

# Readiness summary & action plan

Turn the assessment into a short, business-owned plan you can execute.

### Top incident scenarios you want to be ready for

> Credential phishing and ransomware on endpoints.

### Confidence in incident scenario coverage (1-5)

_To be confirmed_

### 30/60/90-day readiness priorities

| Timeline | Action | Owner | Success signal |
| --- | --- | --- | --- |
| | | | |

---

# Maturity comparison across frameworks

_Same checklist maturity answers, different framework rollups. Self-assessment only — not audit or certification evidence._

| Framework | Score (0-100) | Confidence | Visual (squares) |
| --- | ---: | ---: | --- |
| Cyber readiness (headline) | 44 | 67% | ■■■■■■■■■□□□□□□□□□□□ |
| NIST CSF (overall) | 44 | 67% | ■■■■■■■■■□□□□□□□□□□□ |
| SOC 2 (overall) | 44 | 67% | ■■■■■■■■■□□□□□□□□□□□ |
| CIS Controls v8 (composite) | 1 | 91% | □□□□□□□□□□□□□□□□□□□□ |
| GDPR Article 32 (composite) | 1 | 100% | □□□□□□□□□□□□□□□□□□□□ |
| ISO/IEC 27001 (composite) | 1 | 100% | □□□□□□□□□□□□□□□□□□□□ |
| NIS2 (composite) | 1 | 100% | □□□□□□□□□□□□□□□□□□□□ |
| NIST SP 800-171 / CMMC (composite) | 1 | 91% | □□□□□□□□□□□□□□□□□□□□ |
| OSFI B-13 (composite) | 1 | 90% | □□□□□□□□□□□□□□□□□□□□ |
| PCI DSS (composite) | 1 | 86% | □□□□□□□□□□□□□□□□□□□□ |
| PIPEDA safeguards (composite) | 1 | 100% | □□□□□□□□□□□□□□□□□□□□ |
| DORA (composite) | 0 | 89% | □□□□□□□□□□□□□□□□□□□□ |

**Visual:** 20 squares per row — filled (■) for the completed portion of 0-100, empty (□) for the remainder. Sorted highest score first. Exported PDFs use plain characters for the same pattern.

**Confidence:** Percent of mapped controls in scope for that row where a valid maturity level is selected. It measures answer completeness for this snapshot; missing selections still count as lowest maturity in the score column.

**NIST CSF vs headline:** Both use the same mapped control answers, but NIST rolls up by CSF function while the headline is one weighted average across visible mapped controls — the numbers usually track together but can diverge when function-level gaps differ.

**Why some framework rows are absent**

- **HIPAA Security Rule:** The composite row appears only when health data is in scope on the checklist.
- **TISAX / IEC 62443:** The composite row appears only when the manufacturing / OT profile is selected.

---

# SOC 2 appendix (readiness view)

This appendix is a readiness mapping designed to help plan and prioritize. It is not an audit opinion.

**Authoritative criteria source (AICPA Trust Services Criteria):** https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022

**SOC 2 maturity (by Common Criteria family):** CC1 20, CC2 50, CC3 0, CC6 43, CC7 49, CC8 48, CC9 20

**SOC 2 coverage:** 14 / 21 mapped controls answered (7 missing)

## Control index (derived)

| Control | Criteria | Derived maturity |
| --- | --- | --- |
| CC1.1 — Integrity and ethical values | Security | Not in place |
| CC1.2 — Board oversight and governance | Security | Not in place |
| CC2.1 — Security communication and training | Security | Partially in place |
| CC3.2 — Risk assessment process | Security | Not in place |
| CC4.1 — Monitoring activities | Security | Partially in place |
| CC5.2 — Change management controls | Security | Partially in place |
| CC6.1 — Logical access (identification and authentication) | Security | Partially in place |
| CC6.2 — Provisioning new access | Security | Partially in place |
| CC6.3 — Modify/remove access (deprovisioning) | Security | Partially in place |
| CC7.2 — Detect and respond to incidents | Security | Partially in place |
| CC7.3 — Incident response | Security | Partially in place |
| CC8.1 — Change management for system components | Security | Partially in place |
| CC9.2 — Vendor management and due diligence | Security | Not in place |
| A1.1 — Performance and capacity monitoring | Availability | Partially in place |
| A1.3 — Recovery procedures | Availability | Partially in place |
| C1.1 — Information classification | Confidentiality | Not in place |
| PI1.1 — Input completeness | Processing Integrity | Partially in place |
| P1.1 — Privacy notice | Privacy | Not in place |

---

# NIST CSF appendix (readiness view)

This appendix is a readiness mapping designed to help plan and prioritize. It is not a certification or attestation result.

**Reference framework:** [NIST Cybersecurity Framework (CSF)](https://www.nist.gov/cyberframework)

**NIST CSF maturity (overall):** 44 / 100

**NIST coverage:** 14 / 21 mapped controls answered (7 missing)

**NIST CSF maturity (by function):** Identify 20, Protect 48, Detect 47, Respond 41, Recover 56

**Top NIST CSF gaps:** SOC 2 system boundary is defined, Risk assessment process, Change management

## Control index (derived)

| Control | NIST CSF function(s) | Derived maturity |
| --- | --- | --- |
| Multi-factor sign-in (MFA) coverage | Protect | Mostly in place |
| Admin / privileged access controls | Protect | Mostly in place |
| Regular access reviews | Identify, Protect | Partially in place |
| Keeping systems updated (patching) and fixing known vulnerabilities | Protect | Mostly in place |
| Device protection (endpoint security / EDR) coverage | Protect, Detect | Mostly in place |
| Backups and restore testing readiness | Recover, Protect | Mostly in place |
| Security visibility (logs) and monitoring | Detect | Partially in place |
| Incident response plan | Respond | Mostly in place |
| Practice drills (tabletop exercises) and playbook testing | Respond, Recover | Partially in place |
| Security awareness and phishing preparedness | Protect | Mostly in place |
| Business continuity and disaster recovery readiness | Recover | Mostly in place |
| Security policies and governance | Identify | Partially in place |
| Vendor / third-party risk management | Identify, Protect | Partially in place |
| SOC 2 system boundary is defined | Identify | _To be confirmed_ |
| Risk assessment process | Identify | _To be confirmed_ |
| Change management | Protect | _To be confirmed_ |
| Security incident definition + escalation criteria | Respond | _To be confirmed_ |
| Vendor due diligence for SOC 2 in-scope service providers | Identify, Protect | _To be confirmed_ |
| Finance fraud controls | Protect, Detect, Respond | Partially in place |
| Physical access controls | Protect | _To be confirmed_ |
| Network baseline controls | Protect | _To be confirmed_ |

---

# ISO/IEC 27001 appendix (readiness view)

This appendix is a readiness mapping to help prioritize an ISMS roadmap. It is not certification evidence.

**Reference framework:** [ISO/IEC 27001 information security management](https://www.iso.org/isoiec-27001-information-security.html)

## Domain readiness snapshot (derived)

| Domain | Derived readiness score (0-100) |
| --- | --- |
| A.5 Organizational controls | 33 |
| A.8 Technological controls | 59 |
| A.5/A.6 Incident and resilience | 59 |

## Control index (derived)

| Control | Related domain(s) | Derived maturity |
| --- | --- | --- |
| Multi-factor sign-in (MFA) coverage | A.8 Technological controls | Mostly in place |
| Keeping systems updated (patching) and fixing known vulnerabilities | A.8 Technological controls | Mostly in place |
| Device protection (endpoint security / EDR) coverage | A.8 Technological controls | Mostly in place |
| Backups and restore testing readiness | A.5/A.6 Incident and resilience | Mostly in place |
| Security visibility (logs) and monitoring | A.8 Technological controls | Partially in place |
| Incident response plan | A.5/A.6 Incident and resilience | Mostly in place |
| Practice drills (tabletop exercises) and playbook testing | A.5/A.6 Incident and resilience | Partially in place |
| Business continuity and disaster recovery readiness | A.5/A.6 Incident and resilience | Mostly in place |
| Security policies and governance | A.5 Organizational controls | Partially in place |
| Vendor / third-party risk management | A.5 Organizational controls | Partially in place |

---

# CIS Controls v8 appendix (readiness view)

This appendix is a practical implementation readiness mapping and not a formal assessment.

**Reference framework:** [CIS Critical Security Controls v8](https://www.cisecurity.org/controls/v8)

## Domain readiness snapshot (derived)

| Domain | Derived readiness score (0-100) |
| --- | --- |
| Access control and account security | 59 |
| Vulnerability and endpoint defense | 55 |
| Monitoring and response | 46 |
| Recovery and continuity | 67 |

## Control index (derived)

| Control | Related domain(s) | Derived maturity |
| --- | --- | --- |
| Multi-factor sign-in (MFA) coverage | Access control and account security | Mostly in place |
| Admin / privileged access controls | Access control and account security | Mostly in place |
| Regular access reviews | Access control and account security | Partially in place |
| Keeping systems updated (patching) and fixing known vulnerabilities | Vulnerability and endpoint defense | Mostly in place |
| Device protection (endpoint security / EDR) coverage | Vulnerability and endpoint defense | Mostly in place |
| Backups and restore testing readiness | Recovery and continuity | Mostly in place |
| Security visibility (logs) and monitoring | Monitoring and response | Partially in place |
| Incident response plan | Monitoring and response | Mostly in place |
| Practice drills (tabletop exercises) and playbook testing | Monitoring and response | Partially in place |
| Business continuity and disaster recovery readiness | Recovery and continuity | Mostly in place |
| Network baseline controls | Vulnerability and endpoint defense | _To be confirmed_ |

---

# NIST SP 800-171 / CMMC appendix (readiness view)

This appendix is a high-level readiness mapping for controlled information environments and is not an audit result.

**Reference framework:** [NIST SP 800-171](https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final)

## Domain readiness snapshot (derived)

| Domain | Derived readiness score (0-100) |
| --- | --- |
| Access control | 59 |
| Configuration and maintenance | 48 |
| Awareness and incident response | 56 |
| Audit and recovery | 57 |

## Control index (derived)

| Control | Related domain(s) | Derived maturity |
| --- | --- | --- |
| Multi-factor sign-in (MFA) coverage | Access control | Mostly in place |
| Admin / privileged access controls | Access control | Mostly in place |
| Regular access reviews | Access control | Partially in place |
| Keeping systems updated (patching) and fixing known vulnerabilities | Configuration and maintenance | Mostly in place |
| Backups and restore testing readiness | Audit and recovery | Mostly in place |
| Security visibility (logs) and monitoring | Audit and recovery | Partially in place |
| Incident response plan | Awareness and incident response | Mostly in place |
| Practice drills (tabletop exercises) and playbook testing | Awareness and incident response | Partially in place |
| Security awareness and phishing preparedness | Awareness and incident response | Mostly in place |
| Business continuity and disaster recovery readiness | Audit and recovery | Mostly in place |
| Network baseline controls | Configuration and maintenance | _To be confirmed_ |

---

# NIS2 appendix (readiness view)

This appendix maps operational cybersecurity readiness themes commonly used in NIS2 planning. It is not legal advice.

**Reference framework:** [EU NIS2 Directive](https://digital-strategy.ec.europa.eu/en/policies/nis2-directive)

## Domain readiness snapshot (derived)

| Domain | Derived readiness score (0-100) |
| --- | --- |
| Risk management and governance | 44 |
| Incident handling and reporting readiness | 46 |
| Business continuity and supply chain resilience | 59 |

## Control index (derived)

| Control | Related domain(s) | Derived maturity |
| --- | --- | --- |
| Backups and restore testing readiness | Business continuity and supply chain resilience | Mostly in place |
| Security visibility (logs) and monitoring | Incident handling and reporting readiness | Partially in place |
| Incident response plan | Incident handling and reporting readiness | Mostly in place |
| Practice drills (tabletop exercises) and playbook testing | Incident handling and reporting readiness | Partially in place |
| Security awareness and phishing preparedness | Risk management and governance | Mostly in place |
| Business continuity and disaster recovery readiness | Business continuity and supply chain resilience | Mostly in place |
| Security policies and governance | Risk management and governance | Partially in place |
| Vendor / third-party risk management | Risk management and governance, Business continuity and supply chain resilience | Partially in place |

---

# GDPR Article 32 appendix (readiness view)

This appendix is a technical-and-organizational-measures readiness mapping and is not legal advice.

**Reference framework:** [GDPR Article 32 security of processing](https://gdpr-info.eu/art-32-gdpr/)

## Domain readiness snapshot (derived)

| Domain | Derived readiness score (0-100) |
| --- | --- |
| Confidentiality, integrity, availability, resilience | 67 |
| Restore and continuity capability | 57 |
| Regular evaluation and testing | 33 |

## Control index (derived)

| Control | Related domain(s) | Derived maturity |
| --- | --- | --- |
| Multi-factor sign-in (MFA) coverage | Confidentiality, integrity, availability, resilience | Mostly in place |
| Keeping systems updated (patching) and fixing known vulnerabilities | Confidentiality, integrity, availability, resilience | Mostly in place |
| Backups and restore testing readiness | Confidentiality, integrity, availability, resilience, Restore and continuity capability | Mostly in place |
| Security visibility (logs) and monitoring | Regular evaluation and testing | Partially in place |
| Incident response plan | Restore and continuity capability | Mostly in place |
| Practice drills (tabletop exercises) and playbook testing | Restore and continuity capability, Regular evaluation and testing | Partially in place |
| Business continuity and disaster recovery readiness | Confidentiality, integrity, availability, resilience | Mostly in place |
| Security policies and governance | Regular evaluation and testing | Partially in place |

---

# PIPEDA safeguards appendix (readiness view)

This appendix is a safeguards readiness mapping for Canadian privacy operations and is not legal advice.

**Reference framework:** [PIPEDA](https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/)

## Domain readiness snapshot (derived)

| Domain | Derived readiness score (0-100) |
| --- | --- |
| Administrative safeguards | 44 |
| Technical safeguards | 57 |
| Availability and incident preparedness | 67 |

## Control index (derived)

| Control | Related domain(s) | Derived maturity |
| --- | --- | --- |
| Multi-factor sign-in (MFA) coverage | Technical safeguards | Mostly in place |
| Admin / privileged access controls | Technical safeguards | Mostly in place |
| Backups and restore testing readiness | Availability and incident preparedness | Mostly in place |
| Security visibility (logs) and monitoring | Technical safeguards | Partially in place |
| Incident response plan | Availability and incident preparedness | Mostly in place |
| Security awareness and phishing preparedness | Administrative safeguards | Mostly in place |
| Business continuity and disaster recovery readiness | Availability and incident preparedness | Mostly in place |
| Security policies and governance | Administrative safeguards | Partially in place |
| Vendor / third-party risk management | Administrative safeguards | Partially in place |

---

# OSFI B-13 appendix (readiness view)

This appendix is a practical readiness lens for the cyber risk governance and resilience themes seen in B-13 programs.

**Reference framework:** [OSFI Guideline B-13](https://www.osfi-bsif.gc.ca/)

## Domain readiness snapshot (derived)

| Domain | Derived readiness score (0-100) |
| --- | --- |
| Governance and accountability | 33 |
| Cyber operations and technology controls | 59 |
| Incident and resilience lifecycle | 59 |

## Control index (derived)

| Control | Related domain(s) | Derived maturity |
| --- | --- | --- |
| Multi-factor sign-in (MFA) coverage | Cyber operations and technology controls | Mostly in place |
| Keeping systems updated (patching) and fixing known vulnerabilities | Cyber operations and technology controls | Mostly in place |
| Device protection (endpoint security / EDR) coverage | Cyber operations and technology controls | Mostly in place |
| Backups and restore testing readiness | Incident and resilience lifecycle | Mostly in place |
| Incident response plan | Incident and resilience lifecycle | Mostly in place |
| Practice drills (tabletop exercises) and playbook testing | Incident and resilience lifecycle | Partially in place |
| Business continuity and disaster recovery readiness | Incident and resilience lifecycle | Mostly in place |
| Security policies and governance | Governance and accountability | Partially in place |
| Vendor / third-party risk management | Governance and accountability | Partially in place |
| Network baseline controls | Cyber operations and technology controls | _To be confirmed_ |

---

# DORA appendix (readiness view)

This appendix is a resilience-oriented mapping for financial-sector ICT operations and is not regulatory advice.

**Reference framework:** [EU Digital Operational Resilience Act (DORA)](https://finance.ec.europa.eu/digital-finance/digital-operational-resilience-act-dora_en)

## Domain readiness snapshot (derived)

| Domain | Derived readiness score (0-100) |
| --- | --- |
| ICT risk management | 43 |
| Incident management and reporting readiness | 46 |
| Operational resilience and third-party risk | 59 |

## Control index (derived)

| Control | Related domain(s) | Derived maturity |
| --- | --- | --- |
| Keeping systems updated (patching) and fixing known vulnerabilities | ICT risk management | Mostly in place |
| Backups and restore testing readiness | Operational resilience and third-party risk | Mostly in place |
| Security visibility (logs) and monitoring | Incident management and reporting readiness | Partially in place |
| Incident response plan | Incident management and reporting readiness | Mostly in place |
| Practice drills (tabletop exercises) and playbook testing | Incident management and reporting readiness | Partially in place |
| Business continuity and disaster recovery readiness | Operational resilience and third-party risk | Mostly in place |
| Security policies and governance | ICT risk management | Partially in place |
| Vendor / third-party risk management | Operational resilience and third-party risk | Partially in place |
| Network baseline controls | ICT risk management | _To be confirmed_ |

---

# PCI DSS appendix (readiness view)

This appendix is a payments-security readiness mapping and is not a PCI attestation.

**Reference framework:** [PCI DSS](https://www.pcisecuritystandards.org/)

## Domain readiness snapshot (derived)

| Domain | Derived readiness score (0-100) |
| --- | --- |
| Protect cardholder data environment | 48 |
| Vulnerability and endpoint security | 67 |
| Monitor and test networks | 46 |

## Control index (derived)

| Control | Related domain(s) | Derived maturity |
| --- | --- | --- |
| Multi-factor sign-in (MFA) coverage | Protect cardholder data environment | Mostly in place |
| Keeping systems updated (patching) and fixing known vulnerabilities | Vulnerability and endpoint security | Mostly in place |
| Device protection (endpoint security / EDR) coverage | Vulnerability and endpoint security | Mostly in place |
| Security visibility (logs) and monitoring | Monitor and test networks | Partially in place |
| Incident response plan | Monitor and test networks | Mostly in place |
| Practice drills (tabletop exercises) and playbook testing | Monitor and test networks | Partially in place |
| Network baseline controls | Protect cardholder data environment | _To be confirmed_ |
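
The scoring model described under "Report scope & confidence" and "Maturity comparison" (mapped-control maturity rollups, empty or invalid answers counted as lowest maturity, coverage and confidence as the share of mapped controls with a valid answer, per-function rollups) worked through on this sample's NIST CSF control index, as an added Python example that is not the tool's own code. The numeric value of each maturity level and equal weighting of controls are assumptions, so the headline number it yields is not the report's 44; the coverage (14 / 21) and confidence (67%) figures, the top-gap ordering, and the Recover function score do reproduce.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Maturity levels in the order the report uses, lowest first. Their numeric value
# (level index / highest index) is an assumption; the page does not publish weights.
LEVELS = ["Not in place", "Partially in place", "Mostly in place", "Operationally proven"]
MAX_LEVEL = len(LEVELS) - 1
FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]


@dataclass
class Control:
    name: str
    functions: Tuple[str, ...]   # NIST CSF function(s) the control maps to
    answer: Optional[str]        # raw checklist answer; None = "To be confirmed"


def level_of(answer: Optional[str]) -> int:
    """Empty or invalid answers count as the lowest maturity, as the report states."""
    return LEVELS.index(answer) if answer in LEVELS else 0


def coverage(controls) -> Tuple[int, int]:
    """(answered, total): only a valid maturity selection counts as answered."""
    return sum(1 for c in controls if c.answer in LEVELS), len(controls)


def confidence(controls) -> int:
    """Percent of mapped controls with a valid maturity level selected."""
    answered, total = coverage(controls)
    return round(100 * answered / total) if total else 0


def score(controls) -> int:
    """0-100 rollup; equal control weights are an assumption made here."""
    if not controls:
        return 0
    return round(100 * sum(level_of(c.answer) for c in controls) / (MAX_LEVEL * len(controls)))


def by_function(controls) -> dict:
    """Function rollup: a control mapped to two functions counts in both."""
    return {f: score([c for c in controls if f in c.functions]) for f in FUNCTIONS}


def top_gaps(controls, n: int = 3):
    """Lowest maturity first; ties keep checklist order, like the report's gap list."""
    ranked = sorted(enumerate(controls), key=lambda ic: (level_of(ic[1].answer), ic[0]))
    return [c.name for _, c in ranked[:n]]


# Constructed from the report's NIST CSF control index (names shortened).
SAMPLE = [
    Control("Multi-factor sign-in (MFA) coverage", ("Protect",), "Mostly in place"),
    Control("Admin / privileged access controls", ("Protect",), "Mostly in place"),
    Control("Regular access reviews", ("Identify", "Protect"), "Partially in place"),
    Control("Keeping systems updated (patching)", ("Protect",), "Mostly in place"),
    Control("Device protection (EDR) coverage", ("Protect", "Detect"), "Mostly in place"),
    Control("Backups and restore testing readiness", ("Recover", "Protect"), "Mostly in place"),
    Control("Security visibility (logs) and monitoring", ("Detect",), "Partially in place"),
    Control("Incident response plan", ("Respond",), "Mostly in place"),
    Control("Practice drills and playbook testing", ("Respond", "Recover"), "Partially in place"),
    Control("Security awareness and phishing preparedness", ("Protect",), "Mostly in place"),
    Control("Business continuity and disaster recovery readiness", ("Recover",), "Mostly in place"),
    Control("Security policies and governance", ("Identify",), "Partially in place"),
    Control("Vendor / third-party risk management", ("Identify", "Protect"), "Partially in place"),
    Control("SOC 2 system boundary is defined", ("Identify",), None),
    Control("Risk assessment process", ("Identify",), None),
    Control("Change management", ("Protect",), None),
    Control("Security incident definition + escalation criteria", ("Respond",), None),
    Control("Vendor due diligence for SOC 2 in-scope service providers", ("Identify", "Protect"), None),
    Control("Finance fraud controls", ("Protect", "Detect", "Respond"), "Partially in place"),
    Control("Physical access controls", ("Protect",), None),
    Control("Network baseline controls", ("Protect",), None),
]

if __name__ == "__main__":
    answered, total = coverage(SAMPLE)
    print(f"Coverage: {answered} / {total} ({total - answered} missing), confidence {confidence(SAMPLE)}%")
    print(f"Score (assumed equal weights): {score(SAMPLE)} / 100")
    print("By function:", by_function(SAMPLE))
    print("Top gaps:", top_gaps(SAMPLE))
```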