NIST – Identifying What You Need to Protect
By James Laszko
In my previous article, NIST – Achieving Alignment in Cybersecurity, we discussed how the National Institute of Standards and Technology (NIST) created the Cybersecurity Framework (CSF) to give businesses a foundational structure and a common language for addressing their own individual security needs. We established that some form of cybersecurity posture is necessary simply to do business in today's environment. As larger businesses invest heavily in cybersecurity, the bad guys are turning their attention to small businesses, which they perceive as easier targets. The NIST CSF is built around five critical functions, or sets of best practices, that together are referred to as the Framework Core: Identify, Protect, Detect, Respond and Recover. In this article we discuss the foundational function, Identify.
The foundation of any good plan starts with identifying what needs to be protected, and it's important to note here that the bad guys are not always out for money or data. Cyberattacks have been launched for revenge (think of a disgruntled former employee), simply for the fun of it, to gain a foothold into your business partners' systems, or to use your systems as a launch point for attacks on others. Every system, person, asset, data set and capability in your business must be identified in this step. The Identify function is broken up into the following five categories (version 1.1 of the framework adds a sixth, Supply Chain Risk Management):
Asset Management – what stuff do you have – equipment, databases, resources, people, systems, etc.?
Business Environment – what’s your mission, objectives, stakeholders, business activities?
Governance – what are your policies, procedures, processes regarding regulatory responsibilities or requirements?
Risk Assessment – what is the risk to your mission, function, image or reputation if you are breached?
Risk Management Strategy – what are your priorities, constraints, risk tolerances?
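To make the Asset Management and Risk Assessment categories concrete, here is a small worked example. It is added to this article and is not part of the NIST CSF or anything from the original text. It reconciles the assets a business has recorded against the devices actually observed on its network (the check that usually finds the forgotten NAS or test box), and ranks the known assets so that the highest-risk ones are dealt with first. The hostnames, addresses and owners are constructed for illustration, and the likelihood x impact score is a common qualitative shortcut used here as an assumption, not a NIST-prescribed formula.

```python
"""Added example (not from the original article): a minimal asset inventory
check for the Identify function. It reconciles the assets you *think* you
have (Asset Management) against what is actually seen on the network, and
ranks the known assets by a simple likelihood x impact score (Risk
Assessment). All hostnames, addresses, owners and scores are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str          # hostname or label
    ip: str
    owner: str         # accountable person or team
    data: str          # most sensitive data class handled, e.g. "PII", "public"
    impact: int        # 1 (nuisance) .. 5 (business-ending) if compromised
    likelihood: int    # 1 (hardened, internal) .. 5 (exposed, unpatched)


# Constructed inventory: what the business has recorded (assumption).
INVENTORY = [
    Asset("fileserver01", "10.0.1.10", "ops", "PII", 5, 3),
    Asset("web01", "10.0.2.20", "marketing", "public", 3, 4),
    Asset("acct-laptop", "10.0.3.30", "finance", "financial", 4, 2),
    Asset("printer01", "10.0.1.50", "ops", "public", 1, 2),
]

# Constructed observations, e.g. pulled from DHCP leases or an ARP scan
# (assumption: one (ip, hostname) pair per device seen this week).
OBSERVED = {
    ("10.0.1.10", "fileserver01"),
    ("10.0.2.20", "web01"),
    ("10.0.3.30", "acct-laptop"),
    ("10.0.3.77", "nas-backup"),      # nobody recorded this one
    ("10.0.2.99", "raspberrypi"),     # or this one
    # printer01 (10.0.1.50) was not seen at all
}


def find_unknown_assets(inventory, observed):
    """Devices seen on the network that are missing from the inventory.

    Matches on IP address; a hostname match alone is not enough because a
    replaced or rogue device can reuse a name. Returns sorted (ip, name)
    pairs so the result is stable for reporting.
    """
    known_ips = {a.ip for a in inventory}
    return sorted((ip, name) for ip, name in observed if ip not in known_ips)


def find_stale_assets(inventory, observed):
    """Inventory entries no longer seen: decommissioned, moved, or stolen."""
    seen_ips = {ip for ip, _ in observed}
    return sorted(a.name for a in inventory if a.ip not in seen_ips)


def risk_score(asset):
    """Qualitative score used here as an assumption: likelihood x impact."""
    return asset.likelihood * asset.impact


def rank_by_risk(inventory):
    """Highest-risk assets first; these are the ones Protect should cover first."""
    return sorted(inventory, key=risk_score, reverse=True)


if __name__ == "__main__":
    for ip, name in find_unknown_assets(INVENTORY, OBSERVED):
        print(f"UNKNOWN device {name} at {ip}: add it to the inventory or remove it")
    for name in find_stale_assets(INVENTORY, OBSERVED):
        print(f"STALE entry {name}: confirm it was decommissioned")
    for a in rank_by_risk(INVENTORY):
        print(f"{risk_score(a):>2}  {a.name:<14} {a.data:<10} owner={a.owner}")
```

Run as a script it lists the two unrecorded devices, flags the printer that has gone missing, and prints the inventory with the PII file server at the top. Every asset carries an owner on purpose: an asset nobody is accountable for is the one that never gets patched, which is the Governance category showing up inside Asset Management.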
By completing this foundational Identify step you gain an understanding of your resources and the risk associated with each of them. With that information in hand you can decide on a course of action to protect what you have identified. It is not possible for your business ever to be completely secure, but there are cost- and time-effective ways to balance security and risk tolerance against the unique needs of your business. Now that your risks have been identified, you are ready to determine how you will Protect them, which we'll discuss in my next article.
Mythos Technology is an IT consulting and management firm that provides Managed Technology Services including hosted cloud and compliance solutions. For more information, please CONTACT US or call (951) 813-2672.