10
Nov

Identify: The First Step of the NIST Framework

November 10, 2021
, , , , , , , , ,

The NIST Framework is the ultimate roadmap for which the United States government outlines how businesses can develop their cybersecurity program to account for the threat landscape that is forever evolving. The framework is long and detailed but can be more easily understood when the recommended best practices and security measures are broken down into the five primary functions of security. 

The first of those five functions is known as Identify, and it describes a series of activities that can be used to understand your cybersecurity threats and risks better. This function will also involve interpreting compliance requirements, recognizing current assets, and pinpointing the most critical systems to the organization. 

It’s important to note that the “identify” function is a precursor to the other four functions of the framework. This means that before any security solutions are implemented, you need first to identify what you’re protecting (and protecting from), detecting for, responding to, and recovering from. 

What Successful Identification (Outcomes) Looks Like  

The NIST framework does a good job explaining how a business can accomplish its identifying process by dividing it into six categories that need to be addressed as part of robust identification. These six categories can broadly be interpreted as “outcomes” that you are trying to achieve within security identification. 

The six categories of the NIST framework include: 

  • Assets Management→ Organizational devices, data systems, applications, servers, and personnel are identified and prioritized. Assets that need to be identified and prioritized include both internal and external third party devices, data, applications, servers, and personnel.   
  • Business Environment→ The organization’s mission, goals, stakeholders, and operational activities are identified to determine who would be in charge of what within the cybersecurity program. 
  • Governance→ Legal and regulatory requirements of the organization about cybersecurity are identified and evaluated compared to current organizational policies and procedures. 
  • Risk Assessment→ Cyber-related threats and risks to the organization are identified and understood. 
  • Risk Management Strategy→ The risk tolerance and priorities of an organization are determined for setting a risk standard for operational decisions.     
  • Supply Chain Risk Management→ Risk tolerance and priorities of an organization are determined to set a risk standard for managing third parties and suppliers. A third party includes any contractor, partner, service-provider (and their employees) who have access to your devices, data, applications, and/or server to any degree. 

Within each of these outcomes are dozens of sub-categories in the form of activities that can address each category. For example, if a manufacturing company wanted to do an “identify” review for their security program, here are some things they can do to get started:

  • Document all devices, applications, and data systems that they use for their operation and prioritize which ones are the most critical to keep running for their manufacturing operation to continue. (Asset Management)  
  • Hire a compliance expert to help them understand any information-security compliance requirements and to review their processes and procedures to evaluate where they are with those compliance requirements. (Governance) 
  • Conduct a vulnerability assessment and penetration test on their cybersecurity program to see which areas need further improvement or patching. (Risk Assessment) 
  • Establish cybersecurity program standards that must be held by any suppliers they choose to work with. (Supply Chain Risk Management) 

Successful Identification is Comprehensive 

ALL of these categories must be addressed to some degree to ensure that anything and everything that can be identified to enhance your cybersecurity program is indeed identified. 

For instance, let’s say that your business did everything to identify the items pertinent to cybersecurity except for one category. Technology assets were all documented, roles & responsibilities were assigned, vulnerability testing was done, your risk priorities were established, and any third-party suppliers were assessed on their cybersecurity program to meet your requirements. 

You failed, however, to meet any of the “identify” requirements in the “Governance” category. Because of this, despite hitting the other five types to some degree, you now put your organization at risk of legal and regulatory issues because you failed to identify any information-security compliance requirements that needed to be addressed. 

Why Identify? 

As previously mentioned, the Identify function is the first step that allows organizations to efficiently perform the other security framework functions. In addition to that, identification gives businesses a long list of benefits to their cybersecurity risk management that include:

  • To organize information on current technology assets, systems, and processes. 
  • To assign personnel roles and responsibilities within the cybersecurity program. 
  • To ascertain legal and regulatory security requirements. 
  • To determine the cyber-related threats (internal and external) to your organization.
  • To discover any security vulnerabilities, weaknesses, or gaps within your cybersecurity program. 
  • To establish your organization’s risk standard and tolerance to allow a consistent approach to decision making and managing third-parties 
  • To understand the financial and reputational impact that a cyber incident could have on your organization.   
  • To offer a baseline evaluation for moving into Zero Trust Architecture   

Time to “Identify”  

The “Identify” function of the NIST Cybersecurity Framework is a necessary prelude to protect from, detect for, respond to, and recover from a cyber incident. Ascension Global Technology can help you with identification so that you can fully understand your organization’s cybersecurity environment in terms of risks, compliance requirements, assets, and critical systems to build your comprehensive cybersecurity program further. Schedule a consultation with one of AGT’s security experts today to get started.

Written by AGT security practitioner, Jack Pittas

Related Posts

FBI Internet Crime Report 2022

Special Message for Cybersecurity Awareness Month from AGT

Identify, Prioritize, Secure  

Leave a Reply

About Us

"AGT" offers complete end-to-end security protection through technology tools, cybersecurity strategy, consulting, and project management services. From addressing specific security gaps to a full environment cybersecurity strategy. With services designed to improve any organization’s overall organizational security posture, AGT develops strategies to implement and deploy successful cybersecurity solutions to protect companies from data and financial loss. 

Privacy Policy

Cookies
We serve cookies. If you think that's ok, just click "Accept all". You can also choose what kind of cookies you want by clicking "Settings".
Settings Accept all
Cookies
Choose what kind of cookies to accept. Your choice will be saved for one year.
Save Accept all