NIST Cybersecurity Framework 2.0: Identify
authors: Mark Keppler, Steve Foret
Cybersecurity Frameworks Series, part 5
Today, we dive into the second (originally first) sub-function of the NIST CSF. As discussed in our previous blog, the IDENTIFY function had formerly included parts of what is now in GOVERN.
Sub-functions of IDENTIFY include:
Asset Management (ID.AM):
Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
This sub-function goes well beyond a hardware asset inventory. It requires software and data inventories as well as an inventory of network connections. I like this update as it gets deep into understanding your environment. Though we may think of business impact as being more applicable to RECOVER, you really do have to value your assets in this domain to understand how critical each asset is.
Our experience is that most organizations do some, but not all, of asset management well. Where organizations commonly fall short is with an incomplete inventory that does not include all connected assets (due to a lack of discovery). We may see a hardware inventory but not a software inventory. Also, we often see organizations with inventories that lack important information (e.g., a server inventory that fails to explain the purpose of each server). The biggest gap, though, is clearly in the data inventory. Most organizations do not have an inventory of data or data flow diagrams (organizations under PCI may be exceptions, but even those tend to only have data flow diagrams for applications in the scope of PCI). Even beyond data-centric flows, many do not have business flows communicated to the technology and security teams to further assess data controls.
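One way to make the gaps just described measurable is to reconcile a discovery scan against the inventory, as in this added example (not code from the post or from SEVN-X); the hostnames, addresses and inventory fields are constructed for illustration:

```python
# Added example: flag the ID.AM gaps the post lists - assets seen on the network
# but absent from the inventory, records with no purpose/owner, and hardware
# records with no software inventory. All data below is constructed.
from dataclasses import dataclass, field

@dataclass
class Asset:
    hostname: str
    ip: str
    purpose: str = ""   # business function the asset serves
    owner: str = ""     # accountable team or person
    software: list = field(default_factory=list)  # installed software, if inventoried

# Constructed CMDB records (hypothetical hosts)
INVENTORY = [
    Asset("db01", "10.0.1.10", "customer DB", "data-platform", ["postgres 15"]),
    Asset("web01", "10.0.1.20", "", "", ["nginx 1.24"]),         # no purpose or owner
    Asset("legacy02", "10.0.1.30", "batch jobs", "finance-it"),   # no software list
]

# Constructed discovery scan output: (hostname, ip) pairs seen on the network
DISCOVERED = [("db01", "10.0.1.10"), ("web01", "10.0.1.20"),
              ("legacy02", "10.0.1.30"), ("unknown-7f3a", "10.0.1.77")]

def unmanaged_assets(discovered, inventory):
    """IPs seen on the network but absent from the inventory (discovery gap)."""
    known = {a.ip for a in inventory}
    return sorted(ip for _, ip in discovered if ip not in known)

def incomplete_records(inventory):
    """Inventory entries lacking the purpose or owner needed to value the asset."""
    return sorted(a.hostname for a in inventory if not a.purpose or not a.owner)

def missing_software_inventory(inventory):
    """Hardware records that carry no software inventory."""
    return sorted(a.hostname for a in inventory if not a.software)

def gap_report(discovered=DISCOVERED, inventory=INVENTORY):
    """Summarize all three gap types in one dict for reporting."""
    return {
        "unmanaged": unmanaged_assets(discovered, inventory),
        "incomplete": incomplete_records(inventory),
        "no_software": missing_software_inventory(inventory),
    }

if __name__ == "__main__":
    for gap, hosts in gap_report().items():
        print(f"{gap}: {', '.join(hosts) or 'none'}")
```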
Risk Assessment (ID.RA):
The cybersecurity risk to the organization, assets, and individuals is understood by the organization.
Though Risk Management moved to GOVERN, Risk Assessment stays in IDENTIFY. Risk Assessment covers vulnerability identification and threat assessment. Again, in this sub-function we have a requirement (ID.RA-04) for a business impact analysis (BIA).
It is interesting that NIST separated out Risk Management and Risk Assessment. Opinions differ on this separation. Some argue they should be separate in their definitions, given that Risk Assessment can be very granular whereas Risk Management tends to focus on higher-level governing; others argue the separation is unnecessary, especially if organizations follow both sub-functions. Risks in this context are mostly related to identifying vulnerabilities at the asset level and understanding what the vulnerabilities mean in terms of actual risk. Many organizations we’ve worked with are solid when it comes to vulnerability management, but taking the next step to determine the risk is not always done.
Improvement (ID.IM):
Improvements to organizational cybersecurity risk management processes, procedures and activities are identified across all CSF Functions.
This sub-function is a welcome addition to IDENTIFY as it stresses continuous improvement driven by various sources (e.g., incidents, third-party risk, risk assessments, and security testing).
This sub-function drives continuous improvement through standard operating procedures. One requirement of the sub-function is for defined response plans in the procedures. While this feels out of place in this domain, improving plans on an ongoing basis does fit and you cannot do that if they have not been defined in the first place.
Continuous improvement is one of the key goals for all cybersecurity programs, but this is not something seen at all organizations. It takes a lot of effort and focus, but you won’t significantly improve otherwise.
That concludes our deep dive into the IDENTIFY function. We will take a deep dive into the PROTECT function next. In the meantime, if you have questions or would like to discuss, please feel free to reach out to SEVN-X. Our goal is to help you Achieve Better Cybersecurity, and we're happy to help!
Previous Blog:
Cybersecurity Frameworks Series part 4, NIST Cybersecurity Framework 2.0: Govern
Next Blog:
Cybersecurity Frameworks Series part 6, NIST Cybersecurity Framework 2.0: Protect