This document provides guidance on assessing cybersecurity risks and inventorying all hardware, software, and networked devices. It recommends identifying internal and external devices as well as owned and managed systems. Further, it suggests inventorying all items including operating systems, applications, utilities and their lifecycles. The document also stresses having a written data breach response plan that identifies employee roles and conducting regular breach drills. External systems should also be assessed for vulnerabilities and certified by vendors.