The National Institute of Standards and Technology was founded in 1901 and has become an important part of the U.S. Dept. of Commerce.
In 2014 it released version 1.0 of its Cybersecurity Framework (CSF), followed by the 1.1 update in 2018.
The framework is a guide for organizations on how to manage cybersecurity risk in a reliable, repeatable way; version 1.0 was written primarily with operators of critical infrastructure in mind, though businesses of every size soon adopted it.
The initial framework gave businesses a shared vocabulary and a set of best practices for improving cybersecurity.
In February 2024, NIST released its long-awaited revision, CSF 2.0.
It improves on the original in two important ways.
First, it broadens the stated scope from critical infrastructure to organizations of every type and size, so that more organizations can apply the same guidance and, over time, address a wider range of threats with it.
Second, and perhaps most importantly, it adds a sixth function, Govern, alongside Identify, Protect, Detect, Respond, and Recover.
By adding explicit governance guidance, CSF 2.0 makes cybersecurity activities easier to understand, implement, and repeat, and it gives people at every level of the organization, from the board to the help desk, a defined contribution to make to the security of the data they handle.
Here, we will discuss the ways your small business can use the Identify function of the framework to generate useful assessments of the state of your cybersecurity policies and assets.
Identify Function Of the NIST Cybersecurity Framework
The “Identify” function in the NIST Framework plays a pivotal role in mapping out a custom-fit cybersecurity approach.
It offers a critical means for developing a functional awareness of people, systems, assets, capabilities, and data within an organization.
That is to say, it is a standardized method of assessing the risk profile and security capabilities of your small business.
Here are the capabilities NIST described under Identify in CSF 1.1:
- Identifying hardware and software assets to establish an asset management program.
- Identifying the business environment, cybersecurity in the supply chain, and understanding your organization’s place within its sector.
- Identifying policies established to define a governance program and identifying legal/regulatory requirements for the security capabilities of your organization.
- Identifying vulnerabilities, threats to resources, and risk mitigation activities as the basis for risk assessment.
- Outlining an optimal risk management strategy including the establishment of risk tolerances.
- Identifying supply chain risk management strategies including priorities, limitations, tolerances, and assumptions needed to support risk-related decisions associated with supply chains.
One caveat when reading the 2.0 document itself: the business environment, governance, risk management strategy, and supply chain risk management categories moved from Identify to the new Govern function, so Identify in CSF 2.0 consists of Asset Management, Risk Assessment, and a new Improvement category. The activities below are the same; only the heading they sit under changed.
NIST’s Objectives For The “Identify” Function
The first goal of the Identify function is to provide guidelines for recognizing and understanding every asset that supports your business and that your data security plan depends on.
This includes physical devices and software.
Examples include portable storage media, endpoint protection software, operating systems, the power and network infrastructure your systems rely on, and even physical security controls such as access-limited spaces in your facility.
The second goal is to help organizations comprehend where they stand within the broader environment.
That is to say, how your organization depends on and is depended upon by its sector, its suppliers, its partners, and the customers it serves, and which of those relationships carry cybersecurity risk.
Third, the Identify function aims to outline the existing and potential data security policies that would be optimal for a specific business entity.
This covers the policies that define your governance program and the legal and regulatory obligations those policies must satisfy.
The next goal is to identify which assets are vulnerable and which assets introduce vulnerabilities into the rest of the environment.
With that understanding, companies can decide which exposures to eliminate outright, because the business value does not justify the risk, and which to keep and harden, because the business cannot do without them.
Finally, the framework aims to help small businesses develop a risk management strategy to secure the supply chain, set security priorities, outline constraints, understand existing assumptions, and define risk tolerances.
Knowing Your Assets According To NIST
Understanding the assets of an organization as they relate to and support cybersecurity is the first goal of the Identify function.
Relevant assets include hardware and software as mentioned above.
They also include data itself, personnel, systems, and facilities.
These and other assets should be assessed insofar as they enable the organization to achieve its business functions and either introduce or limit data vulnerabilities.
Under the framework, they should be identified and managed in a manner that is consistent with their relevance to business objectives and risk strategy.
Personnel, for example, are among the most important assets you have.
They affect data security both directly and indirectly.
They can follow good practice with credentials and access rights, monitor security tooling, manage networks, and so on.
They can also fall prey to social engineering attacks such as attempts to get an employee to reveal passwords or to hand over control of critical devices.
They can click links in malicious emails and inadvertently download malware, or they can spot and avoid them.
Your team’s skill in avoiding risky behavior and their ability to recognize and report an attack make up your assessment of their strength as a discrete cybersecurity asset.
The NIST Identify function will guide you in outlining the cybersecurity profile of all of your business assets, to look at them both individually and as a whole for a complete asset-risk profile.
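The asset-management half of Identify starts from a simple question: does the list of assets you believe you own match what is actually on your network? The following is an added example, not code from the page or from NIST, that reconciles a declared inventory against the hosts a network scan observed and groups the gaps a review would need to close. The inventory records, the scan results, and the date are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: Optional[str]             # accountable person or team; None = nobody assigned
    software: str                    # OS or firmware recorded in the inventory
    classification: str              # highest data class the asset handles
    end_of_support: Optional[date]   # vendor end-of-support date, if known

# Constructed declared inventory: what the business believes it owns.
INVENTORY = [
    Asset("fileserver01", "10.0.1.10", "ops", "Windows Server 2012 R2", "confidential", date(2023, 10, 10)),
    Asset("backup-nas", "10.0.1.11", "ops", "NAS firmware 4.2", "confidential", None),
    Asset("pos-terminal-1", "10.0.2.21", "retail", "Windows 10 IoT", "confidential", date(2029, 1, 9)),
    Asset("laptop-alice", "10.0.3.40", "alice", "macOS 14", "internal", None),
    Asset("printer-lobby", "10.0.1.50", None, "printer firmware", "public", None),
]

# Constructed network-scan result: (ip, hostname or None) actually seen on the LAN.
OBSERVED = [
    ("10.0.1.10", "fileserver01"),
    ("10.0.1.50", "printer-lobby"),
    ("10.0.2.21", "pos-terminal-1"),
    ("10.0.3.40", "laptop-alice"),
    ("10.0.3.77", None),   # nothing in the inventory claims this address
]

def reconcile(inventory, observed, today):
    """Compare the declared inventory with what was observed and return the
    gaps an Identify review must resolve, grouped by kind."""
    by_ip = {a.ip: a for a in inventory}
    seen_ips = {ip for ip, _ in observed}
    return {
        # on the network but not in the inventory: shadow IT, a guest, or an intruder
        "unknown": sorted(ip for ip in seen_ips if ip not in by_ip),
        # in the inventory but not seen: decommissioned, offline, or a stale record
        "missing": sorted(a.hostname for a in inventory if a.ip not in seen_ips),
        # nobody accountable for patching or retiring it
        "unowned": sorted(a.hostname for a in inventory if a.owner is None),
        # vendor no longer ships fixes: a standing vulnerability you cannot patch away
        "end_of_support": sorted(a.hostname for a in inventory
                                 if a.end_of_support and a.end_of_support < today),
    }

def prioritise(inventory, gaps):
    """Order the gaps for follow-up: unknown devices first (no record at all),
    then by the data classification of the asset involved."""
    cls = {a.hostname: a.classification for a in inventory}
    order = {"confidential": 0, "internal": 1, "public": 2}
    rows = [(kind, host) for kind, hosts in gaps.items() for host in hosts]
    # an unknown IP has no classification, so it sorts ahead of everything else
    return sorted(rows, key=lambda r: (order.get(cls.get(r[1]), -1), r[0]))

if __name__ == "__main__":
    gaps = reconcile(INVENTORY, OBSERVED, date(2024, 6, 1))
    for kind, host in prioritise(INVENTORY, gaps):
        print(f"{kind:15} {host}")
```

Each row in the output is a question for the asset owner, not an answer: the unknown address might be a contractor's laptop or might be something worse, and that is exactly the kind of ambiguity the Identify function exists to surface before it becomes an incident.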
A NIST-Guided Approach To Risk Management For Small Business
The Identify function of the framework is, first and foremost, about understanding, organizing, and prioritizing your assets, and then putting them where they do the most good.
It comes first because you cannot assess or reduce risk to assets you do not know you have.
Identify is about building the inventory and the risk picture that let you recognize which threats matter to which assets; the job of spotting an attack in progress belongs to the Detect function, which builds on that picture.
After all, the entire point of the framework is to reduce risk by optimizing your ability to respond to it.
Once we have understood and arranged our cybersecurity assets, the next step is to use them effectively.
Determine Data Value
Take a look at each data asset you have.
Decide which are more essential to your productivity processes and which would mean the greatest harm should they be compromised.
This is often customer data, but it could also be patent information, research and development, trade secrets, and so on.
Rank those assets: which can you least afford to lose, and which would be least disruptive if lost?
Then assign protective resources in that order.
Next, know what kinds of attacks are most likely to be aimed at which assets.
A good way to start is to look at common cyber attacks directed at businesses in your industry, your business model type, and your risk profile.
Threats and risks overlap a great deal, but they are not the same thing.
A threat is a specific actor, event, or technique that could harm an asset: a ransomware strain known to be in circulation, a phishing campaign targeting your industry, a disgruntled insider.
A vulnerability is a weakness a threat could exploit, such as an unpatched server or a shared password.
A risk is the combination of how likely it is that a threat exploits a vulnerability and how much damage it would do if it did; that combination is what you prioritize.
Analyze and Implement New Controls
Now that you have a view of your risks and likely threats, you can put the controls you already have into position to defend against them.
Just as importantly, you can see where no existing control covers a vulnerability and add one that does.
Determine the Potential Cost of Losses
Having come this far, we can take another look at the cost of potential losses.
This is a good time to cover this ground again because we should have a better idea of what a specific type of successful attack could do to your organization.
Prioritize Loss Prevention
Here, we backtrack again and re-order loss prevention priorities in light of what the previous steps revealed.
This kind of assessment is deliberately iterative: each pass over the register replaces an assumption with something you have actually checked, and the priorities shift accordingly.
Finally, record the results and what you learned, so the next pass starts from evidence rather than memory.
The more often you go through this procedure, the better prepared you will be for the next threat.
Over time, the value of this kind of maintained risk picture compounds.
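The four steps above (value the data, pair it with likely threats, choose controls, rescore) are easier to see as one small risk register than as four paragraphs. The following is an added example, not code from the page or from NIST, that walks those passes in order and shows how the priority list changes once controls are applied. The assets, threats, controls, scores, and budget are all constructed for the example; a real assessment would draw them from your own business.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataAsset:
    name: str
    value: int        # 1 (nuisance) .. 5 (business-ending) impact if lost or exposed

@dataclass(frozen=True)
class Threat:
    name: str
    targets: str      # name of the DataAsset it is most likely to hit
    likelihood: int   # 1 (rare) .. 5 (expected this year)

@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str    # name of the Threat it reduces
    reduction: float  # fraction of that threat's likelihood it removes, 0..1
    cost: int         # constructed annual cost units

# Constructed sample data for the example.
ASSETS = {a.name: a for a in [
    DataAsset("customer_records", 5),
    DataAsset("payroll", 4),
    DataAsset("marketing_site", 2),
]}
THREATS = [
    Threat("ransomware", "customer_records", 4),
    Threat("phishing_credential_theft", "payroll", 4),
    Threat("website_defacement", "marketing_site", 3),
    Threat("insider_leak", "customer_records", 2),
]
CONTROLS = [
    Control("offline_backups", "ransomware", 0.6, 3),
    Control("mfa", "phishing_credential_theft", 0.7, 2),
    Control("waf", "website_defacement", 0.5, 4),
    Control("dlp", "insider_leak", 0.4, 5),
]

def score(asset, likelihood):
    """Risk = impact x likelihood; likelihood may already be reduced by controls."""
    return round(asset.value * likelihood, 2)

def rank(assets, threats, chosen=()):
    """One pass over the register: score every threat against the asset it
    targets, highest risk first. Chosen controls lower the likelihood of the
    threats they mitigate."""
    rows = []
    for t in threats:
        likelihood = t.likelihood
        for c in chosen:
            if c.mitigates == t.name:
                likelihood *= (1 - c.reduction)
        rows.append((t.name, t.targets, score(assets[t.targets], likelihood)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def choose_controls(assets, threats, controls, budget):
    """Greedy selection: buy the controls that remove the most risk per unit
    of cost until the budget is spent; skip anything that no longer fits."""
    by_threat = {t.name: t for t in threats}
    def risk_removed(c):
        t = by_threat[c.mitigates]
        return assets[t.targets].value * t.likelihood * c.reduction
    chosen, spent = [], 0
    for c in sorted(controls, key=lambda c: risk_removed(c) / c.cost, reverse=True):
        if spent + c.cost <= budget:
            chosen.append(c)
            spent += c.cost
    return chosen, spent

def build_register(assets, threats, controls, budget):
    """Pass 1: inherent risk. Pass 2: pick controls. Pass 3: residual risk."""
    inherent = rank(assets, threats)
    chosen, spent = choose_controls(assets, threats, controls, budget)
    residual = rank(assets, threats, chosen)
    return {"inherent": inherent, "controls": [c.name for c in chosen],
            "spent": spent, "residual": residual}

if __name__ == "__main__":
    reg = build_register(ASSETS, THREATS, CONTROLS, budget=6)
    for key in ("inherent", "residual"):
        print(key)
        for threat, asset, s in reg[key]:
            print(f"  {s:5.1f}  {threat} -> {asset}")
    print("controls:", reg["controls"], "spent:", reg["spent"])
```

With the constructed numbers, ransomware tops the inherent list, but after the budget buys MFA and offline backups the insider leak becomes the highest residual risk, which is the point of the second pass: the control you could not afford this year is the one that sets next year's priority.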
Linking “Identify” And “Govern” Functions Of The NIST Framework
Not surprisingly, the various functions of the framework build on each other and work together.
The Govern function, for example, is about setting priorities, establishing policies, and building a security culture.
Without the Identify function firmly in place, this would not be possible.
The Identify function gives us the sensory apparatus we need to govern, make decisions, and navigate the world of cybersecurity effectively.
Improving Cybersecurity Policies And Procedures In Your Small Business
The Identify function not only gives us the ability to understand our cybersecurity assets and risks, but it also gives us the foresight we need to make good policy writing decisions.
Further, it gives us the necessary perception to design procedures through which we can effectively implement good policies.
After all, a policy that is badly enforced may as well have never been drafted.
NIST’s Special Consideration For Small Businesses
Looking at the ways the functions of CSF 2.0 interlock and support each other, it is clear how much design work went into it.
CSF 2.0 arrived ten years after version 1.0, with the 1.1 update in between, and several rounds of public comment shaped the final document.
Part of the designers’ goal was to make the framework usable by small businesses, and NIST published a Small Business Quick-Start Guide alongside the 2.0 release for exactly that audience.
As you can imagine, keeping the framework useful to a five-person shop and a utility operator at the same time was a delicate balancing act.
The result is a practical, well-structured way for SMBs to protect their customers, clients, shareholders, and themselves.
Small businesses that adopt it as recommended can expect the same benefits as the larger organizations it was first written for.
Conclusion: Leveraging “Identify” As A Stepping Stone In NIST’s Framework
By now you can see why developing the Identify function is a priority.
Doing so sets us up to develop the rest of the framework’s capabilities in a way that is ideal for the needs of a unique business.
As you move through the other functions, you will see how each one draws on the inventory and risk picture that Identify provides.