As we continue our journey on what it means to practice holistic cybersecurity and its comprehensive methodology, we can now go into the process of getting your business to that point. Everything about going holistic and fully implementing a robust security strategy such as Zero Trust starts with “Identity.”
Identification is merely the process of understanding your cybersecurity program regarding what it has and what it needs. This includes compliance & governance requirements, current technology assets, your personnel & other stakeholders, threats & advisories to your business, your current cybersecurity program, and security vulnerabilities that leave you susceptible to an incident.
It’s important to understand all of these aspects before you attempt to strategize and reconstruct your program. Without first identifying risks, requirements, stakeholders, and current controls, you’ll be unable to address your organization’s cybersecurity needs holistically. The NIST cybersecurity framework is an excellent resource to help you get started in this process — with an entire section dedicated just to the Identify function.
So what does it look like to identify some of these critical components within Identity?
Identifying Compliance and Governance Requirements
As a starting point, you need to determine any compliance requirements set forth for your industry or for a sector you support. Well-known examples are HIPAA, which sets information-security requirements for health and health-insurance data, and PCI DSS, the standard for securely processing payment card data.
Some states also have their own compliance thresholds and requirements that are not industry-specific and apply to anyone doing business in that state. The California Consumer Privacy Act, for instance, created provisions on how consumers’ data is processed and sets transparency requirements on how their data is being managed.
Identifying compliance also includes any contract specifications regarding security practices and controls when working with a client or acting as a subcontractor. It should be noted that compliance does not mean you’re fully secure, and a robust identification process will help you see the difference.
Identifying Technology Assets
Next is understanding your technology assets and how they are related to one another. This includes determining, prioritizing, and taking inventory of your organizational devices, servers, applications, and the structure of your network as well as how it’s segmented. Furthermore, you should consider external devices, servers, and applications connected to your systems by a third-party contractor, vendor, or supplier.
A big part of Identity is also grasping how and where your data is managed. You want to know who has access to which database and where the information is being stored. For instance, your data might be on a public cloud, a private cloud, and/or an on-premises server. Regardless, you want to document everything in your technology arsenal, including the specific data you manage.
Lastly, gather information on the platforms you use to manage and monitor your network resources. A common example is Active Directory (AD), which helps track and control everything happening with your users, applications, and devices. Ensure you also know who has AD access and what security controls are in place around it.
Identifying Users and Stakeholders
You are now at the point where you need to identify the users of your technology assets and how they are using those systems. For the most part, users will be your employees but will also include other stakeholders such as contractors, vendors, and most importantly, your customers.
You need to know how each person is accessing your organization’s network and its resources, whether that be on the premises or remotely through a cloud application or virtual private network (VPN). This is also the time to note the roles of your personnel in terms of what systems they need for their day-to-day tasks and responsibilities.
Some key self-evaluation questions to ask yourself for Identity include:
- Who are all of my organization’s primary users (personnel)?
- Which technology resources do our personnel have access to and how?
- Who are the other stakeholders, including third-party organizations within my supply chain and customers I need to consider during this part of the identification process?
- Are my users and stakeholders aware of the controls they should be using, how to use those controls, as well as any identifiable risks to them through comprehensive security awareness training or an equivalent solution?
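As an added illustration (not code from the original article), the inventory described in the asset and user sections can be cross-checked programmatically: the constructed sample below records assets with their location and owner, the systems each role needs day to day, and the access each user actually holds, then reports unowned assets, third-party connections, access that exceeds a role's needs, and everyone who can reach the directory service. Asset names, roles, and field names are all assumptions.

```python
"""Cross-check a constructed asset/user/access inventory (Identify step)."""
from collections import defaultdict

# Constructed sample inventory; names and fields are assumptions, not real data.
ASSETS = {
    "crm-db":        {"type": "database",  "location": "public-cloud", "owner": "sales",   "third_party": False},
    "erp-server":    {"type": "server",    "location": "on-prem",      "owner": "finance", "third_party": False},
    "vendor-vpn-gw": {"type": "device",    "location": "on-prem",      "owner": None,      "third_party": True},
    "ad-dc01":       {"type": "directory", "location": "on-prem",      "owner": "it",      "third_party": False},
}

# Systems each role needs for its day-to-day responsibilities (assumption).
ROLE_NEEDS = {
    "sales":      {"crm-db"},
    "finance":    {"erp-server"},
    "it":         {"ad-dc01", "erp-server", "crm-db"},
    "contractor": {"vendor-vpn-gw"},
}

# Observed access grants: (user, role, asset, access path).
GRANTS = [
    ("alice",   "sales",      "crm-db",        "cloud-app"),
    ("bob",     "finance",    "erp-server",    "on-prem"),
    ("bob",     "finance",    "crm-db",        "vpn"),      # not needed by finance
    ("carol",   "it",         "ad-dc01",       "on-prem"),
    ("vendor1", "contractor", "vendor-vpn-gw", "vpn"),
    ("vendor1", "contractor", "ad-dc01",       "vpn"),      # third party reaching AD
]


def review(assets, role_needs, grants):
    """Return identification findings keyed by category."""
    findings = defaultdict(list)
    for name, a in assets.items():
        if a["owner"] is None:                      # nobody accountable for it
            findings["unowned_assets"].append(name)
        if a["third_party"]:                        # supplier/vendor connection
            findings["third_party_connections"].append(name)
    for user, role, asset, _path in grants:
        if asset not in assets:                     # access to something not inventoried
            findings["unknown_assets"].append(asset)
            continue
        if asset not in role_needs.get(role, set()):  # beyond least privilege for the role
            findings["excess_access"].append((user, asset))
        if assets[asset]["type"] == "directory":    # who can touch AD
            findings["directory_access"].append(user)
    return dict(findings)


if __name__ == "__main__":
    for category, items in review(ASSETS, ROLE_NEEDS, GRANTS).items():
        print(f"{category}: {items}")
```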
Identifying Controls and Risks
The last part of this Identity process is directly looking at your cybersecurity program, its controls, and its processes to see what you already have. This encompasses preventative security software, network security tools, and administrative procedures that govern how users must work, such as applying the principle of least privilege to data access, to name just a few.
As part of understanding risks, you need to know who your specific adversaries are and the exploitable vulnerabilities in your program that could allow them to carry out a cyber attack successfully. For instance, manufacturing companies are typically prime targets for ransomware because even the smallest amount of downtime that results from refusing to pay the demand is extremely costly to that industry. These are crucial risk areas your organization needs to understand.
You can use information from the NIST framework as guidance for many of these things. Network vulnerability assessments can also help determine “gaps” in your overall system’s security posture. Additionally, penetration testing is a great way to test your security controls and the awareness of your personnel in a simulated environment.
Ask yourself some of the following questions to gain insights into your program and risks:
- What are the current technological, administrative, and physical solutions our organization uses to protect from outside and inside threats?
- Are there current gaps in our security that leave us vulnerable to a successful cyber attack?
- Who, precisely, are the threats to my organization?
- Which types of cyberattacks will our adversaries use against us?
- Which resources will likely be threatened or compromised as a result of an attack and due to our vulnerabilities?
Start Your Holistic Journey with Ascension Global Technology
Identity is the first step to easing into a comprehensive and holistic cybersecurity program and one we are ready to assist with. Contact us today to speak to an expert and get started.
This article is part of an “ultimate guide” series on the concept of holistic cybersecurity and how it can help your business. Be sure to check our blog page as more content is published on this vital topic.