The NIST Framework is the ultimate roadmap for which the United States government outlines how businesses can develop their cybersecurity program to account for the threat landscape that is forever evolving. The framework is long and detailed but can be more easily understood when the recommended best practices and security measures are broken down into the five primary functions of security.
The first of those five functions is known as Identify, and it describes a series of activities that can be used to understand your cybersecurity threats and risks better. This function will also involve interpreting compliance requirements, recognizing current assets, and pinpointing the most critical systems to the organization.
It’s important to note that the “identify” function is a precursor to the other four functions of the framework. This means that before any security solutions are implemented, you need first to identify what you’re protecting (and protecting from), detecting for, responding to, and recovering from.
What Successful Identification (Outcomes) Looks Like
The NIST framework does a good job explaining how a business can accomplish its identifying process by dividing it into six categories that need to be addressed as part of robust identification. These six categories can broadly be interpreted as “outcomes” that you are trying to achieve within security identification.
The six categories of the NIST framework include:
- Assets Management→ Organizational devices, data systems, applications, servers, and personnel are identified and prioritized. Assets that need to be identified and prioritized include both internal and external third party devices, data, applications, servers, and personnel.
- Business Environment→ The organization’s mission, goals, stakeholders, and operational activities are identified to determine who would be in charge of what within the cybersecurity program.
- Governance→ Legal and regulatory requirements of the organization about cybersecurity are identified and evaluated compared to current organizational policies and procedures.
- Risk Assessment→ Cyber-related threats and risks to the organization are identified and understood.
- Risk Management Strategy→ The risk tolerance and priorities of an organization are determined for setting a risk standard for operational decisions.
- Supply Chain Risk Management→ Risk tolerance and priorities of an organization are determined to set a risk standard for managing third parties and suppliers. A third party includes any contractor, partner, service-provider (and their employees) who have access to your devices, data, applications, and/or server to any degree.
Within each of these outcomes are dozens of sub-categories in the form of activities that can address each category. For example, if a manufacturing company wanted to do an “identify” review for their security program, here are some things they can do to get started:
- Document all devices, applications, and data systems that they use for their operation and prioritize which ones are the most critical to keep running for their manufacturing operation to continue. (Asset Management)
- Hire a compliance expert to help them understand any information-security compliance requirements and to review their processes and procedures to evaluate where they are with those compliance requirements. (Governance)
- Conduct a vulnerability assessment and penetration test on their cybersecurity program to see which areas need further improvement or patching. (Risk Assessment)
- Establish cybersecurity program standards that must be held by any suppliers they choose to work with. (Supply Chain Risk Management)
Successful Identification is Comprehensive
ALL of these categories must be addressed to some degree to ensure that anything and everything that can be identified to enhance your cybersecurity program is indeed identified.
For instance, let’s say that your business did everything to identify the items pertinent to cybersecurity except for one category. Technology assets were all documented, roles & responsibilities were assigned, vulnerability testing was done, your risk priorities were established, and any third-party suppliers were assessed on their cybersecurity program to meet your requirements.
You failed, however, to meet any of the “identify” requirements in the “Governance” category. Because of this, despite hitting the other five types to some degree, you now put your organization at risk of legal and regulatory issues because you failed to identify any information-security compliance requirements that needed to be addressed.
Why Identify?
As previously mentioned, the Identify function is the first step that allows organizations to efficiently perform the other security framework functions. In addition to that, identification gives businesses a long list of benefits to their cybersecurity risk management that include:
- To organize information on current technology assets, systems, and processes.
- To assign personnel roles and responsibilities within the cybersecurity program.
- To ascertain legal and regulatory security requirements.
- To determine the cyber-related threats (internal and external) to your organization.
- To discover any security vulnerabilities, weaknesses, or gaps within your cybersecurity program.
- To establish your organization’s risk standard and tolerance to allow a consistent approach to decision making and managing third-parties
- To understand the financial and reputational impact that a cyber incident could have on your organization.
- To offer a baseline evaluation for moving into Zero Trust Architecture
Time to “Identify”
The “Identify” function of the NIST Cybersecurity Framework is a necessary prelude to protect from, detect for, respond to, and recover from a cyber incident. Ascension Global Technology can help you with identification so that you can fully understand your organization’s cybersecurity environment in terms of risks, compliance requirements, assets, and critical systems to build your comprehensive cybersecurity program further. Schedule a consultation with one of AGT’s security experts today to get started.
Written by AGT security practitioner, Jack Pittas