In last week’s email, we talked about what the NIST Cybersecurity Framework was, how it would help your district manage its Cyber Risk, and its alignment with Ed Law 2-d. Just as a reminder, there are five high-level categories that help organize the NIST CSF:
Today we will discuss the NIST “IDENTIFY” category.
You need to understand specifically for your district, what are the most important systems, data, and people, what risks can threaten those things, and what you need to do about them. Some examples from NIST are:
- Identifying physical and software assets within the organization to establish the basis of an Asset Management program
- Identifying the Business Environment the organization supports including the organization's role in the supply chain and the organization's place in the critical infrastructure sector
- Identifying cybersecurity policies established within the organization to define the Governance program as well as identifying legal and regulatory requirements regarding the cybersecurity capabilities of the organization
- Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organization's Risk Assessment
- Identifying a Risk Management Strategy for the organization including establishing risk tolerances
- Identifying a Supply Chain Risk Management strategy including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks
Breaking it down into specific areas:
Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy
Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
As you can see there is a lot to identify and document but remember that this is a process. The important thing is to start.
In next week’s bulletin, we will explore the second category - PROTECT
This week’s suggestion:
Action item #1 - Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
Action item #2 - Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
Almost all of you are already performing most of these steps, perhaps just for essential asset management or insurance purposes. But having a complete listing of what devices your organization owns or manages, including identifying information like device MAC addresses, is a critical foundational step in your cybersecurity roadmap. And remember, proper hardware inventory control includes having processes in place for adds, moves, and deletions in that inventory database.
As your cybersecurity processes mature, this database will eventually become an essential part of the input into your Network Access Control system, determining which networks and resources a device is allowed to reach and whether it's considered internal, public, etc.
So, take a moment to evaluate how accurate and complete your district's hardware inventory and update process are. If corrections are needed, start now, as this information will be built on later in the process as you continue your journey toward NIST compliance.
If you would like to learn more before next week and haven’t already done so, please ask for a copy of our free report “The Changing Face of Cyber Risk Today”. We are also happy to speak with you, just contact Lisa MacDougall (firstname.lastname@example.org) or 845.897.9480.