How do you 'Identify'?
NIST Cybersecurity Framework: Identify
National Institute of Standards and Technology (NIST) maintains one of the most widely adopted cybersecurity frameworks for critical infrastructure and organisations in many other sectors. NIST Cybersecurity Framework is an excellent system to base the creation of policies and procedures on for the purposes of managing risk, security hardening networks, and incident response. There’s a lot of content in the Framework, which was designed to cover a lot of ground.
The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles. The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organisations in managing and reducing their cybersecurity risks in a way that complements an organisation’s existing cybersecurity and risk management processes.
Fortunately the most important ideas in the Framework can be organised according to its five functions – identify, protect, detect, respond, and recover. We will tell you what you should know about all five functions. Let’s start with the first function, identify.
You can’t protect what you can’t see. So the first function is all about identifying all of the important resources your organisation must protect. What assets do we have? What is the relative importance of those assets in the wider context of our business environment? Which threats do they face, and what’s a manageable level of risk for your business or institution? How are we going to manage risk? How are we going to asses risk? The subject of risk are the assets of your organisation, not overlooking the supply chain.
Your organisation’s assets
The NIST Cybersecurity Framework considers your organisation’s assets to be both physical and in software, and recommends that you establish an asset management programme for them. Asset management is one of the main tasks of the identify function.
Many organisations these days have hybrid networks. Those are networks that have both an on premises component and a cloud services component. Your on premises network and your cloud network become integrated into one hybrid network. Or perhaps your organisation only has a network on your own premises. Your network could even be almost entirely in the cloud, with only client machines on your premises. Whichever form your organisation’s network takes, you must consider each server machine and networking appliance to be one of your assets if it’s important to the functioning of your business.
As far as cloud providers are concerned, they consider their responsibility to be their cloud infrastructure, whereas your organisation is responsible for your applications and data within their cloud infrastructure. If your organisation’s network is partly or completely in the cloud, you will have to consider this separation of responsibilities in the design of your asset management programme.
Regardless of which type of network your organisation has, you have operating systems and applications which are assets. You have servers, clients, data storage, and networking devices which are assets. Your organisation’s data is another crucial asset.
Your organisation and security stakeholders must take inventory of all of these assets and determine which are the most important to your organisation’s daily business processes. Asset management can be prioritised from there.
Your business environment
The next task of the identify function is to determine your organisation’s business environment.
Your business may exist as a component in a supply chain. For example, one company produces steel. The next company buys the steel and manufactures it into automobile components. The next company buys the automobile components and uses them to manufacture cars. Then the last company buys the cars and sells them to consumers through their auto dealership. The companies within this supply chain are interdependent. A cyber incident which affects the steel producer could impact the automobile component manufacturer, which could harm the supply chain all the way up to the auto dealership. These relationships and their consequences must be fully considered in the business environment task.
All organisations have objectives, legal, regulatory requirements, contractual requirements and a diverse business environment that they operate in which need to be fully understood.
Regardless of your organisation’s supply chain, your organisation and security stakeholders must also consider the prioritisation of the company’s mission, goals, all stakeholders, and processes. That information must be used in the creation of roles, responsibilities, methodologies and key security decision-makers.
Administrative security controls are essential to every organisation’s cybersecurity. Administrative security controls are your policies and procedures, and how they’re enforced.
In this governance task of the identify function, you need to understand your organisation’s various security policies for managing and monitoring regulatory, legal, risk, environmental and operational requirements. This task is especially important if your organisation is implementing the NIST Cybersecurity Framework after already having security policies.
Have those policies and procedures been effective so far? Have they been enforceable? Have they made an impact?
So your organisation determined your assets in a previous task. Now you must determine which risks they face. Absolutely everything has some degree of risk.
How could those risks affect your organisation’s users, your business, your employees, your clients, your critical IT systems and platforms you use in your everyday operations? What impact would particular cyber incidents have? If data is lost or stolen in a breach, how would that affect your operations, your legal standing, your regulatory compliance? All of these risks have practical effects and associated price tags.
Now that you have taken an inventory of your organisation’s assets and you’ve determined all of their associated risks, it’s time to manage them and there is a multitude of frameworks and guidance documents to turn to including ISO 31000, COSO, Octave, Ebioss, FAIR, Mehari, ISO 27005, CRAMM, SP800-30 etc...
Usually, but not always, a compromise must be made between usability and security, cost and benefit. For example, implementing a lot of sophisticated methods of authentication can be good for assuring the confidentiality and integrity of your network. But your users will also need to find these authentication methods to be usable. What are the risks to your data by making these authentication methods more or less complex? What level of risk can your organisation manage? Where is the cost benefit?
Systems that are of the greatest priority to your organisation may have much less risk tolerance, while lower priority systems may have more risk tolerance. You will need to identify how to manage risk throughout your network under the guidance of a cybersecurity lead with good judgement.
Effective risk management should also enable opportunity to ease off/relax controls to obtain business benefit but remain within the organisations risk appetite. Supply chain assets are as important as internal assets and should be subject to an equivalent level of appropriate risk management.
Identification is vital
You cannot protect what you do not know exists. So you’ve determined your organisation’s assets. You’ve considered the role of your business environment to your organisation’s supply chain and also within your business itself. You’ve analysed your organisation’s various policies and procedures. You’ve assessed your organisation’s risks, prioritised and decided how to manage them.
Now you’re ready to move onto the next NIST Cybersecurity Framework function, protect. Our next article will explore the Protect function.