Happy CyberSecurity Awareness Month! In the spirit of cybersecurity and awareness, 11:11 Systems will be taking the month of October to dive into the NIST CyberSecurity Framework, and how it can be used to help protect your business.
In case you missed our introductory post outlining the series, we definitely recommend you take a look. Here’s a brief overview: Essentially, the NIST CyberSecurity Framework (CSF) outlines a strategy to determine your organization’s risks, how to protect against them, and, in the case of an attack, how to respond and recover from them.
In this post, we’ll discuss the first of the five key framework functions: Identify. While this function is a bit tedious, doing it correctly forms the bedrock of the rest of your information security practices. As a former Systems Administrator at a state government organization, I’ve been through this exercise, and the annual follow-ups of the data, many times.
Talking it Out
While there are defined categories within this function, as outlined below, its common theme should be COMMUNICATION. Let’s be honest, even as the SysAdmin of the smallest shop, you aren’t going to know every way in which your users are using technology. It could be anything from your organization’s Microsoft 365 subscription to the USB key that an accountant is using to take spreadsheets home at night. With the rise of cloud-based SaaS, the attack surface is growing by the minute.
For this reason, your “Identify” exercise needs to begin with data gathering from the stakeholders within your business. This can range from something as simple as asking managers to list what applications their reports use and where the data is stored, to leveraging automated security scanning and monitoring services such as 11:11 Continuous Risk Scanning to detect exposures you didn’t know were there. Neither source is complete on its own: managers won’t know about every device, and a scanner only finds what it can reach, so the two lists need to be reconciled against each other.
Most likely, your organization’s answer is going to be “all of the above.” And this is where 11:11 can help. By working with you, we can help you identify which systems are your largest risks and start you on the path towards protecting them.
Identify the Identification Categories
- Asset Management: For those of us who have worked in Information Technology/Security, we all know the first step of fixing any problem: taking inventory. In this case, we need to talk about setting the groundwork for modern Asset Management. This isn’t just tracking the serial numbers and warranty expiration of your field laptops anymore. Instead, we must be concerned with knowing everywhere our data, personnel, systems, and facilities are. This can still absolutely be the salesperson’s laptop, but it can equally be a partner SaaS application or an IoT sensor in a corn field. We may not necessarily rate all of those things as equal, but we do need to know that they all exist. This is what the Asset Management category is for.
- Business Environment: I’ve always been a fan of the idea that the more your IT department understands your business, the better they can serve your needs. That is exactly what this step is about. To fully understand your business environment, you need to understand your organization’s mission and objectives and, of course, who the stakeholders are. This also must include knowing what activities are prioritized within the organization. While things like email are important, where does that rate compared to Line of Business applications or payroll?
- Governance: Before we can go about protecting our data and systems, we must understand what guardrails are already in place. This is where policies and procedures come in. As part of identifying your footing, you must look at things like Computer Use and Abuse policies to make sure you are in line with your needs for internal risks, and Privacy Policies to know what is allowable in terms of storing personal data of stakeholders. These and other policies should be living documents that evolve with your business and technology over time, but always serve as the guides for how you manage data.
- Risk Assessment: Here is where we really start to get into the continuous lifecycle of the NIST CSF. The word “identify” may feel like a “do this once” type of task, but the reality is that new risks to your company and its security emerge every day. Risks can be everything from the USB key mentioned earlier to a version of OpenSSH being vulnerable to a 0-day exploit. Staying on top of this in a modern organization takes more than an anti-virus system; it takes a layered approach leveraging multiple monitoring and automated response systems. These systems can easily become too much for even a large IT team, so you may want to consider a Managed Security platform that consolidates this information into meaningful alerting and can even assist with response.
- Risk Management Strategy: You now know what you have, why you have it, what guidelines your organization utilizes, and what your risk baseline looks like. Now we have to take all of that data and develop a strategy based on the priorities, constraints, and risks you’ve identified.
- Supply Chain Risk Management: The final category of the “Identify” function is to look at your own supply chain. While often overlooked, your supply chain can introduce a great deal of risk into your organization’s CyberSecurity posture. This step includes understanding where all of your critical products and services come from, what kind of contracts are in use with those suppliers, what the terms of those contracts are, and what kind of disaster recovery plans those suppliers provide. You can secure your systems and business all you want, but if a SaaS provider has weak security controls you have potentially opened yourself up to new risk.
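To make the Asset Management and Risk Assessment steps above concrete, here is a small added example (written for this post, not 11:11 Systems’ code or any tool it sells) that reconciles what stakeholders reported with what a scan discovered, flags assets nobody claimed, checks installed software against an organization’s own minimum-version policy, and produces a simple, explainable ranking to feed the Risk Management Strategy step. Both inventories, the data classifications and the version floor are constructed sample data; the version floor is a local policy choice and says nothing about real vulnerabilities in any product.

```python
"""Reconcile a stakeholder-declared asset list against discovery results and
rank assets for attention. Added example; all data below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str        # hostname, SaaS tenant, device id
    kind: str        # "server", "laptop", "saas", "iot", "removable"
    owner: str       # accountable business owner
    data_class: str  # "public", "internal", "confidential"
    software: Tuple[Tuple[str, str], ...] = ()  # (product, version) pairs


# Constructed: what department managers reported in stakeholder interviews.
DECLARED = [
    Asset("fin-erp-01", "server", "finance", "confidential", (("openssh", "9.3"),)),
    Asset("sales-lt-17", "laptop", "sales", "internal", (("openssh", "8.9"),)),
    Asset("m365", "saas", "it", "confidential"),
    Asset("hr-print-02", "iot", "hr", "public"),  # decommissioned, still listed
]

# Constructed: what an automated scan / SaaS discovery actually found.
DISCOVERED = [
    Asset("fin-erp-01", "server", "finance", "confidential", (("openssh", "9.3"),)),
    Asset("sales-lt-17", "laptop", "sales", "internal", (("openssh", "8.9"),)),
    Asset("m365", "saas", "it", "confidential"),
    Asset("field-sensor-7", "iot", "operations", "internal", (("openssh", "7.4"),)),
    Asset("acct-usb-03", "removable", "accounting", "confidential"),
]

# Constructed policy baseline: the minimum version this organisation permits.
# A local policy floor, not a claim about any real vulnerability.
MIN_VERSIONS: Dict[str, str] = {"openssh": "9.0"}

# Impact weight of the most sensitive data an asset holds.
IMPACT = {"public": 1, "internal": 2, "confidential": 3}


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.3p1' -> (9, 3). Numeric compare so '10.0' ranks above '9.9'."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def reconcile(declared: List[Asset], discovered: List[Asset]):
    """Return (unknown, stale, matched) asset names.

    unknown: discovered but never reported by a stakeholder (shadow IT)
    stale:   reported but not found, so the record is out of date
    """
    dec, dis = {a.name for a in declared}, {a.name for a in discovered}
    return sorted(dis - dec), sorted(dec - dis), sorted(dec & dis)


def below_baseline(asset: Asset, baseline=MIN_VERSIONS):
    """List (product, installed, minimum) for software under the policy floor."""
    findings = []
    for product, installed in asset.software:
        floor = baseline.get(product)
        if floor and parse_version(installed) < parse_version(floor):
            findings.append((product, installed, floor))
    return findings


def prioritize(declared: List[Asset], discovered: List[Asset], baseline=MIN_VERSIONS):
    """Rank discovered assets: data impact, +2 if unclaimed, +1 per baseline miss.

    Returns [(score, name, reasons)] sorted highest score first.
    """
    unknown, _, _ = reconcile(declared, discovered)
    ranked = []
    for a in discovered:
        score, reasons = IMPACT[a.data_class], []
        if a.name in unknown:
            score += 2
            reasons.append("not in declared inventory")
        for product, installed, floor in below_baseline(a, baseline):
            score += 1
            reasons.append(f"{product} {installed} below policy minimum {floor}")
        ranked.append((score, a.name, reasons))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    unknown, stale, _ = reconcile(DECLARED, DISCOVERED)
    print("unclaimed assets:", unknown)
    print("stale records:   ", stale)
    for score, name, reasons in prioritize(DECLARED, DISCOVERED):
        print(f"{score}  {name:15} {'; '.join(reasons) or 'no findings'}")
```

Run as is, the unclaimed USB drive and the field sensor rise to the top: the drive because it holds confidential data and nobody owns it, the sensor because it is both unclaimed and below the version floor. The scoring is deliberately simple so that a manager can see why an item is ranked where it is; swap in your own impact weights and baseline as your governance step defines them.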
As you’ll be learning through the course of this blog series, the NIST CyberSecurity Framework is a set of thought exercises that should constantly change and evolve with your business and the InfoSec landscape around it. In the “Identify” function you should look at all facets of your business to fully understand what your business is, what its risks are, and how to begin to strategize managing those risks. While this may seem like a Herculean task for organizations of all shapes and sizes, here at 11:11 Systems we have decades of experience assisting you through these exercises and can help provide the tools and expertise to complete them successfully.