8.7 Mobilizing organizational resources for priority II

Determine how IT security staff are trained and develop a program to improve training.

Determine if there are opportunities to work with local lawenforcement agencies on joint training exercises.

Determine how the organization obtains information on vulnerabilities and develop steps to obtain more timely information on vulnerabilities.

Determine if the organization actually uses information on vulnerabilities to keep security methods updated and make changes in the approach if necessary.

Determine if the technology used by the organization meets the Common Criteria standards and make plans to migrate away from technologies that do not meet the standards.

Determine if the technology-acquisition process used by the organization requires that products meet Common Criteria standards and modify procedures as necessary.

Evaluate the configuration-management processes and procedures of the organizations to determine if they provide sufficient levels of control to improve security and modify procedures as necessary.

Evaluate the process and procedures for installing patches to eliminate vulnerabilities and modify procedures as necessary.

Evaluate the physical security of computer and network facilities to determine if they meet minimum standards or customary standards for the industry sector and modify physical security procedures as necessary.

Determine if the organization wants to make recommendations for priorities in cybersecurity research.