The NIST CyberSecurity Framework: Identify

Happy CyberSecurity Awareness Month! In the spirit of cybersecurity and awareness, 11:11 Systems will be taking the month of October to dive into the NIST CyberSecurity Framework, and how it can be used to help protect your business.

In case you missed our introductory post outlining the series, we definitely recommend you take a look. Here’s a brief overview: Essentially, the NIST CyberSecurity Framework (CSF) outlines a strategy to determine your organization’s risks, how to protect against them, and, in the case of an attack, how to respond and recover from them. 

In this post, we’ll discuss the first of the five key framework functions: Identification. While this function is a bit tedious, doing it correctly will form the bedrock of the rest of your information security practices. As a former Systems Administrator at a state government organization, I’ve been through this exercise, and the annual follow ups of the data, many times.

Identify the Identification Categories

1. Asset Management: For those of us who have worked in Information Technology/Security, we all know the first step of fixing any problem: taking inventory. In this case, we need to talk about setting the ground work for modern Asset Management. This isn’t just tracking the serial numbers and warranty expiration of your field laptops anymore. Instead we must be concerned with knowing everywhere our data, personnel, systems, and facilities are. This can still absolutely be the salesperson’s laptop, but it can equally be a partner SaaS application or an IoT sensor in a corn field. We may not necessarily rate all of those things as equal, but we do need to know that they all exist. This is what the Asset Management category is for.
2. Business Environment: I’ve always been a fan of the idea that the more your IT department understands your business, the better they can serve your needs. That is exactly what this step is about. To fully understand your business environment, you need to understand your organization’s mission and objectives and, of course, who the stakeholders are. This also must include knowing what activities are prioritized within the organization. While things like email are important, where does that rate compared to Line of Business applications or payroll?
3. Governance: Before we can go about protecting our data and systems, we must understand what guardrails are already in place. This is where policies and procedures come in. As part of identifying your footing you must look at things like Computer Use and Abuse policies to make sure you are inline with your needs for internal risks, and Privacy Policies to know what is allowable in terms of storing personal data of stakeholders. These and other policies should be living documents that evolve with your business and technology over time, but always serve as the guides towards how you manage data.
4. Risk Assessment: Here is where we really start to get into the continuous lifecycle of the NIST CSF. The word “identify” may feel like a “do this once” type of task, but the reality is there are new risks to your company and its security emerging every day. Risks can be everything from the USB key mentioned earlier to a version of OpenSSH being vulnerable to a 0-day exploit. To stay on top of this in a modern organization takes more than an anti-virus system, but instead a layered approach leveraging multiple monitoring and automated response systems. These systems can easily become too much for even a large IT team, so you may want to consider a Managed Security platform that consolidates this information into meaningful alerting and can even assist with response.
5. Risk Management Strategy: You now know what you have, why you have it, what guidelines your organization utilizes, and what your risk baseline looks like. Now we have to take all of that data and develop a strategy based on the priorities, constraints, and risks you’ve identified.
   
   
6. Supply Chain Risk Management: The final category of the “Identify” function is to look at your own supply chain. While often overlooked, your supply chain can insert great deals of risk into your organization’s CyberSecurity posture. This step includes understanding where all of your critical consumables come from, what kind of contracts are in use with them, what the terms of those contracts are, and what kind of disaster recovery plans those suppliers provide. You can secure your systems and business all you want but if a SaaS provider has weak security controls you now have potentially opened yourself up to new risk.

Conclusion

As you’ll be learning through the course of this blog series, the NIST CyberSecurity Framework should provide a set of thought exercises that are constantly changing and evolving with your business and the InfoSec landscape around it. In the “Identify” function you should consider looking at all facets of your business to fully understand what your business is, what its risks are, and how to begin to strategize managing those risks. While this seems like a Herculean task for organizations of all shapes and sizes, here at 11:11 Systems we have decades of experience in assisting you through these exercises and can help provide the tools and expertise to complete this successfully.