The Identify Function of the NIST Cybersecurity Framework
Introduction
The first core function of the NIST Cybersecurity Framework is Identify and it's all about understanding and managing risks in your business or organization. This means identifying the things that support the business, like systems, people, assets, data, and capabilities, and understanding the cybersecurity risks that come along with them. By doing this, the organization can focus and prioritize its efforts in a way that is consistent with its risk management strategy and business needs. This will help the organization improve its risk management, increase efficiency, enhance compliance, and improve its incident response capabilities.
Identify Function
The purpose of the Identify function is to gain a comprehensive understanding of the key pieces that are necessary for your business to operate on a daily basis. Then includes identifying any potential risks that could affect these elements. By thoroughly identifying and understanding these components, you can make informed decisions about how to prioritize and protect your assets, while also effectively managing any risks that may come your way.
The Identify function is divided into six categories with additional sub-categories. We will look at these in more detail in the next section but for now, we'll show the list:
Asset Management
Physical devices and systems within the organization are inventoried
Software platforms and applications within the organization are inventoried
Organizational communication and data flows are mapped
External information systems are cataloged
Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Business Environment
The organization's role in the supply chain is identified and communicated
The organization's place in critical infrastructure and its industry sector is identified and communicated
Priorities for organizational mission, objectives, and activities are established and communicated
Dependencies and critical functions for delivery of critical services are established
Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations)
Governance
Organizational cybersecurity policy is established and communicated
Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed
Governance and risk management processes address cybersecurity risks
Risk Assessment
Asset vulnerabilities are identified and documented
Cyber threat intelligence is received from information sharing forums and sources
Threats, both internal and external, are identified and documented
Potential business impacts and likelihoods are identified
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Risk responses are identified and prioritized
Risk Management Strategy
Risk management processes are established, managed, and agreed to by organizational stakeholders
Organizational risk tolerance is determined and clearly expressed
The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis
Supply Chain Risk Management
Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders
Suppliers and third party partners of information systems, components, and services are identified, prioritized, and assessed using a cyber supply chain risk assessment process
Contracts with suppliers and third-party partners are used to implement appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.
Suppliers and third-party partners are routinely assessed using audits, test results, or other forms of evaluations to confirm they are meeting their contractual obligations.
Response and recovery planning and testing are conducted with suppliers and third-party providers
The Six Categories of the Identify Function
Asset Management is concerned with identifying and managing the data, systems, devices, personnel, and facilities that allow an organization to achieve its objectives. It includes activities such as inventorying physical systems and devices, mapping communication and data flows, and establishing cybersecurity roles and responsibilities for the workforce.
Business Environment focuses on understanding and prioritizing the mission, objectives, activities, and stakeholders of the organization. It includes activities such as identifying the organization's role in its supply chain and industry sector, establishing critical functions and dependencies, and establishing resilience requirements.
Governance is concerned with the policies, processes, and procedures that are used to monitor and manage organizational risk and regulatory requirements. It includes activities such as establishing and communicating the organization's cybersecurity policy, aligning and coordinating cybersecurity roles and responsibilities, and understanding and managing cybersecurity legal and regulatory requirements.
Risk Assessment involves understanding the relative cybersecurity risk associated with the organization's operations, assets, and individuals. It includes activities such as identifying and documenting vulnerabilities of organization assets, identifying and documenting internal and external threats and determining risk responses.
Risk Management Strategy is concerned with establishing the organization's priorities, risk tolerances, constraints, and assumptions, which are used to support operational risk decisions. It includes activities such as establishing and agreeing to risk management processes, establishing and expressing risk tolerance, and informing risk tolerance determination with industry-specific risk analysis.
Supply Chain Risk Management is concerned with managing supply chain risk, including identifying, assessing, and managing supply chain risks. It includes activities such as identifying and assessing suppliers and third-party partners of information systems, components, and services and implementing processes to mitigate supply chain risks.
Why It's Important
The Identify function is crucial for ensuring that an organization is aware of all of its assets and resources. Without a complete understanding of what needs to be protected, it is impossible for an organization to effectively implement cybersecurity measures. By thoroughly identifying and cataloging all assets and resources, an organization can ensure that nothing falls through the cracks and that all assets are accounted for. This includes both physical assets, such as servers and workstations, as well as intangible assets, such as data and intellectual property. Once all assets have been identified, an organization can then prioritize their protection based on their relative importance and value to the organization. This allows the organization to allocate its cybersecurity resources in the most effective way possible and to ensure that its most critical assets are adequately protected.
For example, if you don't know the value of your organization's intellectual property, you might not prioritize protecting it as much as you should. On the other hand, if you do know the value of your organization's intellectual property, you can focus on protecting it first, before moving on to other assets. Knowing the value of an asset also allows you to focus on the most important things facing the most risk first. This helps you make the most of your limited resources and ensures that you are protecting the things that matter most to your organization.
In addition to identifying assets and their values, it's also important to identify the risks and threats to those assets. This is because you have to identify the risks in order to identify potential solutions to protect against those risks. For example, if you know that your organization's customer data is at risk from a data breach, you can implement measures like encryption and regular security assessments to reduce the likelihood of a breach occurring.
Finally, it's important to identify the owners of assets so you can provide accountability and ensure that those responsible are doing what's necessary to protect their assets. This helps to ensure that all assets are being properly managed and that there is a clear chain of responsibility for protecting them.
Start by Identifying Assets
There are a few different approaches that businesses can take to identify all of their assets and resources for the purpose of the Identify function in the NIST Cybersecurity Framework. One approach is to use a combination of physical inventory and computer programs. For example, a business might start by physically visiting each department or location and making a list of all of the hardware and software assets, such as servers, workstations, mobile devices, and productivity software. This list can then be entered into a computer program, such as a spreadsheet, for tracking and management purposes.
In addition to physically inventorying hardware and software assets, it is also important to identify intangible assets, such as data and intellectual property. This can be done through a combination of physical inventory and digital record-keeping. For example, a business might create a list of all of its data assets, including customer data, financial data, and intellectual property, and store this information in a secure digital location, such as a cloud-based storage system.
Another approach to identifying assets and resources is to use specialized software tools. There are a number of software tools available that can help businesses automate the process of inventorying and tracking assets. These tools can scan a business's network and identify all of the hardware and software assets, as well as provide information about each asset's location, owner, and potential vulnerabilities.
Ultimately, the most effective approach to identifying assets and resources will depend on the size and complexity of the business, as well as the resources and expertise available. It may be necessary to use a combination of different approaches, such as physical inventory, computer programs, and specialized software tools, to ensure that all assets and resources are properly identified and tracked.
Value Assessment
Determining the value of assets/resources can be a complex process that involves input from various stakeholders within the organization. It is typically a collaborative effort between management and department managers to determine the value of assets based on their importance to the business. Here are a few points to consider when trying to determine the value of assets:
To determine the value of an asset or resource, it's important to consider how it contributes to the overall goals and objectives of the organization. This can involve both monetary value and non-monetary value. For example, a company's servers might have a high monetary value because they are expensive to replace, but they might also have a high non-monetary value because they are essential to the operation of the business.
Involve management and department leaders in the decision-making process. This can involve meetings or discussions to assess the importance of each asset or resource to the organization and its operations. You can use a scale, such as low, medium or high to assess the value of each asset or resource. This can help to prioritize efforts and allocate resources effectively.
It's also important to consider the potential impact of a loss or disruption of an asset or resource. For example, a server that stores important customer data might be considered more valuable than a printer that is used infrequently. By considering the potential impact of a loss or disruption, it's possible to more accurately assess the value of an asset or resource and prioritize efforts accordingly.
Review and update the values regularly: It is important to review and update the values of assets on a regular basis to ensure that they are accurate and reflect any changes in the organization's business needs or risk profile. This can be done through regular meetings or by using automated tools to track and update asset values.
Overall, the process of determining the value of assets/resources requires a thorough understanding of the organization's business needs and risk profile, as well as input from various stakeholders within the organization. By following these steps, organizations can effectively prioritize their efforts and make informed risk management decisions.
Risk Assessment
A risk assessment is a systematic process for identifying and evaluating potential risks to an organization. It involves assessing the likelihood and impact of potential threats and determining the appropriate safeguards to mitigate those risks. Conducting a risk assessment is an important step in managing cybersecurity risks and improving the organization's overall security posture.
Here are a few points to consider:
Identify the potential threats: Start by listing out all the potential threats to your organization's assets, including external threats like cyber attacks and internal threats like employee mistakes or accidents.
Assess the likelihood and impact of each threat: For each potential threat, try to estimate how likely it is to happen and what the impact would be if it did happen. You can use a scale like low, medium, or high, to help you gauge the likelihood and impact.
Determine the appropriate safeguards: Based on the likelihood and impact of each threat, determine the appropriate safeguards to mitigate those risks. For example, if you have identified a high likelihood and high-impact threat like a cyber attack, you might consider implementing strong security measures like firewalls and antivirus software.
Review and update your risk assessment regularly: It's important to regularly review and update your risk assessment to ensure that it remains accurate and effective. This might involve revisiting your threat list and reassessing the likelihood and impact of each threat, as well as updating your safeguards as necessary.
How to Identify Potential Threats
Understanding the threats faced by an organization is an essential step in developing an effective incident response plan. This involves identifying the types of threats that the organization is most likely to face and understanding the potential impact of those threats on the organization's assets, data, and operations.
A few key things to consider:
Conducting threat intelligence research can help the organization to stay informed about the latest trends and emerging threats in the cybersecurity landscape. This may involve subscribing to threat intelligence feeds, conducting research online, or working with a third-party provider to gather and analyze intelligence.
Monitoring for emerging threats is an ongoing process that involves regularly scanning the organization's systems and networks for signs of potential vulnerabilities or indicators of compromise. This may involve implementing security tools such as intrusion detection systems or vulnerability scanners to detect potential threats.
Identifying vulnerabilities in the organization's systems and networks is essential for developing an effective incident response plan. This may involve conducting regular security assessments or penetration tests to identify weaknesses in the organization's defenses.
Establishing A Baseline
Establishing a baseline of normal activity on an organization's systems and networks is an important step in detecting potential cybersecurity incidents. By understanding what is normal, it is easier to identify unusual activity that may indicate a potential incident. A few practical considerations are:
Monitoring network traffic can help to identify unusual patterns or volumes of traffic that may indicate a potential incident. This may involve using tools such as network analyzers or security information and event management (SIEM) systems to monitor and analyze traffic in real-time.
Monitoring user activity can help to identify unusual patterns of behavior or activity that may indicate a potential incident. This may involve using tools such as user activity monitoring software or access control systems to track and record user activity.
Monitoring system logs can help to identify unusual activity or errors that may indicate a potential incident. This may involve using tools such as log management software or security event management systems to collect and analyze log data from various systems and devices.
Once the organization has collected data on normal activity, it can establish a baseline to use as a reference point for detecting unusual activity. This may involve setting thresholds or rules for identifying unusual activity and establishing a process for responding to potential incidents.
To help you accomplish this you might consider some of the following tools:
Network scanners are tools that can be used to scan a network for open ports, services, and vulnerabilities. They can help to identify the devices and services that are running on a network, as well as any potential security weaknesses.
Configuration management tools are used to track and manage changes to the configuration of a system or network. They can help to establish a baseline configuration for a system or network and alert administrators to any changes or deviations from the baseline.
Vulnerability scanners are tools that can be used to identify vulnerabilities in a system or network. They can help to establish a baseline of known vulnerabilities and alert administrators to any new or previously unknown vulnerabilities.
Log management and analysis tools are used to collect, store, and analyze log data from various sources. They can help to establish a baseline of normal system and network activity and alert administrators to any unusual or suspicious activity.
Network traffic analysis tools are used to monitor and analyze network traffic in real-time. They can help to establish a baseline of normal network traffic patterns and alert administrators to any anomalies or deviations from the baseline.
There are many commercial products that use machine learning and artificial intelligence to analyze large amounts of data and identify anomalies in order to establish a baseline and protect against potential threats. These tools are particularly useful in medium to large businesses, where the volume of data can make it difficult to manually detect anomalies and vulnerabilities. However, it's important to note that these tools should be used in addition to other security measures, as relying solely on automated solutions may not provide sufficient protection.
Conclusion
In conclusion, the Identify function in cybersecurity risk management is all about understanding and managing the risks to your organization. This includes identifying all of the assets, resources, and data that support critical functions, as well as understanding the cybersecurity risks that come along with them. By performing a risk assessment and determining the value of each asset, you can prioritize your efforts and make sure they match your risk management strategy and business needs. In the next article, we'll discuss the Protect function, which focuses on implementing appropriate security controls and safeguards to help protect against potential threats and vulnerabilities.