The overwhelming weight of attempting to improve the whole cybersecurity program at once often results in a lot of activity and busyness without progress.
One of the most effective ways to get traction on security program improvement is to align with an industry-accepted security framework. My favorite is the NIST Cybersecurity Framework (CSF). Then assess your program against its organized structure of controls. The result is a structured, repeatable measurement of your current strengths and weaknesses.
The NIST Cybersecurity Framework is organized into five pillars (NIST calls them Functions). This article follows CSF version 1.1; note that CSF 2.0, released in 2024, adds a sixth Function, Govern, and reorganizes some of the categories listed below. The five pillars are:
- Identify
- Protect
- Detect
- Respond
- Recover
Starting Point: Assessment
An assessment is the best way to get started. It gives you a baseline: the starting point that all future efforts and investments can be measured against. It also facilitates the early conversations with business leaders about the destination. The destination of a cybersecurity program is expressed as its risk appetite. It ultimately answers the question, “Where do we want to go?” Asked another way, “When are we secure enough?”
Risk Appetite: The level of risk an organization is prepared to accept.
Once this goal is agreed upon with senior business leaders, a course can be set. The starting point is your assessment. The destination is maturing the security program until it meets the risk appetite.
Identify
The first pillar of the NIST cybersecurity framework is the perfect place to begin. Not only is it the first pillar listed, it strategically makes the most sense to start with. That’s because you need to know what you have before you can secure it. Starting a maturity process without this step will leave you exposed and prevent you from accurately determining a risk level.
NIST defines this function as, “Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities”.
As you can see, this is a foundational place to start.
The NIST Identify pillar is organized into six categories:
- Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
- Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
- Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
- Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
- Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
- Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.
Asset Management (ID.AM)
Starting with asset management will give you visibility into the assets the organization has. It will drive an improved process to document these assets in an organized system. From there you can build a standard operating procedure to ensure the inventory is updated regularly.
NIST CSF is a framework that allows organizations to tailor the controls to their unique needs. That means you can define the scope of asset management (ID.AM) for your specific organization.
At a basic level attempt to document all the computer systems including servers and endpoints that the business owns. Start with a simple list managed in a spreadsheet or similar solution. No need to make this complicated to begin with. The goal is an accurate and up-to-date inventory list of assets the company manages.
TIP: Keep it simple.
The more difficult the process, the less likely you are to succeed. Adoption is a key part of any new process within an organization. Keeping it simple makes it far more likely that employees will understand and follow the new process. Changes can be made later based on feedback from the people who use it.
Inventory
Many businesses struggle with inventory management of the company’s devices and software. Don’t decide to skip this step. When organizations move on to other controls without getting this one right, they jeopardize the accuracy of all their security reporting. You end up managing security only on the assets you know about and projecting a sense of security. Meanwhile, the unknown assets carry unaddressed vulnerabilities and remain exposed to exploitation. This gives leadership a false sense of security.
Simplify
One simple way to improve the Identify pillar of your security program is by creating specific inventory lists. By defining the scope of an inventory list to one asset type, you gain clarity and can more thoroughly vet and discover the assets that belong on that list.
Start with company-owned user endpoints. Generate a list from your user directory of all the users in your organization. Work with technology leaders to understand how many endpoints each user is provisioned. Discover what naming convention is used for the hostnames of user endpoint devices. Then work with technology to create an organizational unit (OU) or equivalent container structure for user endpoints. Finally, generate a list by exporting from Active Directory or another directory. Then search the rest of the directory for any other devices that match the naming convention but are not in the endpoint OU. For integrity, review the list with technology to confirm that it is complete and that every asset you have identified is accurate.
Source of Truth
Document your list of company-owned endpoint devices in a separate source of truth. This can be an online application or a simple text document (I prefer a spreadsheet). Treat this file as sensitive, since a complete hostname list is useful to an attacker, and store it where access is restricted. Create a date field to record when the list was generated. Then set a recurring date on the calendar to repeat the process. Compare the new list you generate against the previous list. This gives you the user endpoints that did not exist last time (and any that have disappeared, which may be decommissioned devices or stale directory objects). Review this list of deltas to identify any rogue assets that have not been approved or provisioned by technology. One caveat: a directory export only shows devices that were joined to the directory, so a device that was never joined will not appear in either snapshot. Supplement the directory delta with at least one other source, such as DHCP leases, switch MAC address tables, or your endpoint agent console.
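The two steps above (searching the directory for hosts that follow the endpoint naming convention but sit outside the endpoint OU, then comparing the current snapshot against the previous one to surface rogue devices) can be automated over the CSV that a directory export produces. The following is an added example, not code from the original article. It assumes a hypothetical naming convention (`WS-` plus a three-letter site code plus four digits), a hypothetical endpoint OU, and a constructed CSV in the shape that `Get-ADComputer | Export-Csv` would emit; the sample hostnames, previous snapshot, and approved-provisioning list are all made up for illustration.

```python
"""Endpoint inventory checks over a directory export (added example, not from the article)."""
import csv
import io
import re
from datetime import date

# Assumed naming convention for user endpoints: "WS-" + 3-letter site code + 4 digits.
ENDPOINT_PATTERN = re.compile(r"^WS-[A-Z]{3}\d{4}$")
# Assumed container where technology is expected to place user endpoints.
ENDPOINT_OU = "OU=Workstations,DC=example,DC=local"

# Constructed sample export (same columns as Get-ADComputer | Export-Csv); not real data.
CURRENT_EXPORT = """\
Name,DistinguishedName,OperatingSystem
WS-MSP0001,"CN=WS-MSP0001,OU=Workstations,DC=example,DC=local",Windows 11 Enterprise
WS-MSP0002,"CN=WS-MSP0002,OU=Workstations,DC=example,DC=local",Windows 11 Enterprise
WS-MSP0009,"CN=WS-MSP0009,CN=Computers,DC=example,DC=local",Windows 10 Enterprise
WS-STP0001,"CN=WS-STP0001,OU=Workstations,DC=example,DC=local",Windows 11 Enterprise
SRV-FILE01,"CN=SRV-FILE01,OU=Servers,DC=example,DC=local",Windows Server 2022
"""

# Constructed: hostnames recorded in the source of truth at the previous run.
PREVIOUS_SNAPSHOT = {"WS-MSP0001", "WS-MSP0002", "WS-MSP0003"}
# Constructed: endpoints technology says it provisioned since the previous run.
APPROVED_PROVISIONING = {"WS-STP0001"}


def parse_export(csv_text):
    """Parse the directory export; DictReader handles the quoted, comma-bearing DNs."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def container_of(distinguished_name):
    """Strip the leading 'CN=<host>,' so the rest can be compared with the expected OU."""
    return distinguished_name.split(",", 1)[1]


def endpoint_hosts(records):
    """Every host in the export whose name follows the endpoint naming convention."""
    return {r["Name"] for r in records if ENDPOINT_PATTERN.match(r["Name"])}


def misplaced_endpoints(records):
    """Hosts named like endpoints but living outside ENDPOINT_OU (the 'search the rest' step)."""
    return sorted(
        r["Name"]
        for r in records
        if ENDPOINT_PATTERN.match(r["Name"]) and container_of(r["DistinguishedName"]) != ENDPOINT_OU
    )


def snapshot_delta(previous, current):
    """Return (added, removed) between the last recorded snapshot and the current one."""
    return sorted(current - previous), sorted(previous - current)


def rogue_candidates(added, approved):
    """New hosts with no matching provisioning approval are the ones to review with technology."""
    return sorted(set(added) - approved)


def build_report(csv_text, previous, approved, generated=None):
    """Assemble the dated record that goes into the source of truth for this run."""
    records = parse_export(csv_text)
    current = endpoint_hosts(records)
    added, removed = snapshot_delta(previous, current)
    return {
        "generated": (generated or date.today()).isoformat(),
        "endpoints": sorted(current),
        "added": added,
        "removed": removed,
        "misplaced": misplaced_endpoints(records),
        "rogue_candidates": rogue_candidates(added, approved),
    }


if __name__ == "__main__":
    for key, value in build_report(CURRENT_EXPORT, PREVIOUS_SNAPSHOT, APPROVED_PROVISIONING).items():
        print(f"{key}: {value}")
```

In the constructed data, `WS-MSP0009` is flagged twice: it sits in the default `CN=Computers` container rather than the endpoint OU, and it is new since the last snapshot with no provisioning approval, so it is the rogue candidate to chase down. `WS-MSP0003` has dropped out of the directory and should be checked against decommissioning records. The server is ignored here on purpose, since servers get their own list in the next step.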
Document: SOP
Once you’ve run through this process several times, document it. Review your process and then get it approved by the appropriate leadership as the ‘Asset Management – Standard Operating Procedure’. Update it as necessary. This can be used as evidence to auditors that you have a mature ‘Identify’ pillar in your cybersecurity program.
Scope: Expand
Once you feel confident you have a good list and process around the inventory of company owned user endpoints, expand your scope to include another type of asset. I recommend company owned servers.
Company owned servers are critical because they are where the majority of sensitive and confidential company data exists. Repeat the process you created with company owned user endpoints and mature this inventory list the same way.
Once you have a good list of company servers, export it (in a secure way) and verify that every asset on it is covered by your cybersecurity practices. Those practices might include:
- Secure configuration (hardening) standards applied
- Endpoint protection software installed
- Included in the scheduled patch management program
- Forwarding logs to the SIEM
- User access reviews
- User entitlement reviews
- Firewall policies applied
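Verifying that every inventoried server is covered by each practice is a set comparison between the server inventory and the export from each control’s console. The following is an added example, not code from the original article, showing that check in Python. The server names, the three tool exports, and their formats are constructed for illustration; the deliberate differences in case and fully qualified names mimic what real consoles produce and are why hostnames are normalized before comparison.

```python
"""Coverage check of the server inventory against each security control (added example)."""

# Constructed: server hostnames recorded by the asset management SOP. Hypothetical names.
SERVER_INVENTORY = ["SRV-FILE01", "SRV-SQL01", "SRV-WEB01", "SRV-DC01"]

# Constructed: hostnames exported from each control's console. Formats differ on purpose:
# the EDR console reports FQDNs in lower case, the SIEM lists log sources as typed by analysts.
TOOL_EXPORTS = {
    "endpoint_protection": ["srv-file01.example.local", "srv-sql01.example.local", "srv-dc01.example.local"],
    "patch_management": ["SRV-FILE01", "SRV-WEB01", "SRV-DC01"],
    "siem_log_sources": ["SRV-DC01", "SRV-FILE01", "srv-app07"],
}


def normalize(hostname):
    """Reduce a hostname to its upper-cased short name so exports from different tools line up."""
    return hostname.strip().split(".", 1)[0].upper()


def normalized_exports(exports):
    return {control: {normalize(h) for h in hosts} for control, hosts in exports.items()}


def coverage_gaps(inventory, exports):
    """For each control, the inventoried servers that do not appear in that control's export."""
    inv = {normalize(h) for h in inventory}
    return {control: sorted(inv - hosts) for control, hosts in normalized_exports(exports).items()}


def unknown_to_inventory(inventory, exports):
    """Hosts a control knows about but the inventory does not: these feed back into the Identify step."""
    inv = {normalize(h) for h in inventory}
    seen = set()
    for hosts in normalized_exports(exports).values():
        seen |= hosts
    return sorted(seen - inv)


def coverage_matrix(inventory, exports):
    """One row per inventoried server: which controls cover it, plus a count of missing controls."""
    norm = normalized_exports(exports)
    rows = []
    for host in sorted(normalize(h) for h in inventory):
        covered = {control: host in hosts for control, hosts in norm.items()}
        rows.append({"host": host, **covered, "missing": sum(not v for v in covered.values())})
    return rows


def coverage_percent(inventory, exports):
    """Per-control coverage as a percentage of the inventory, for the report to leadership."""
    inv = {normalize(h) for h in inventory}
    return {control: round(100 * len(inv & hosts) / len(inv), 1) for control, hosts in normalized_exports(exports).items()}


if __name__ == "__main__":
    for row in coverage_matrix(SERVER_INVENTORY, TOOL_EXPORTS):
        print(row)
    print("gaps:", coverage_gaps(SERVER_INVENTORY, TOOL_EXPORTS))
    print("not in inventory:", unknown_to_inventory(SERVER_INVENTORY, TOOL_EXPORTS))
    print("coverage %:", coverage_percent(SERVER_INVENTORY, TOOL_EXPORTS))
```

The two directions matter equally. `coverage_gaps` lists servers that the inventory says exist but a control has never seen (in the constructed data, `SRV-WEB01` has no endpoint protection and `SRV-SQL01` is neither patched nor logging to the SIEM). `unknown_to_inventory` lists hosts a control has seen but the inventory does not contain (`SRV-APP07` here), which is exactly the kind of unknown asset the Inventory section above warns about.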
Review other asset management areas.
These areas could be:
- Company-owned servers offsite or in data centers
- Company-owned mobile devices
- User accounts and service accounts
TIP: Service Accounts
Service accounts with administrative access or privileges to data repositories holding confidential or sensitive information should be tracked as part of a mature asset management process. Often these accounts are exempt from regular password changes. In addition, I’ve discovered through my security assessments that developers have often been provided the credentials to these service accounts at one point. Even if you trust all your employees, job changes and role changes still take place, and it’s a good security practice to have a list of service accounts, who owns each one, and what it is allowed to reach.
Conclusion
Hopefully this article gave you some solid ways to improve the Identify pillar of your cybersecurity program. It can sometimes feel overwhelming getting started with asset management. It can feel even more intimidating trying to align with the NIST CSF. But taking one pillar at a time, and breaking it down into controls that you can address can be a catalyst to getting your program to the next level. Start simple, document the process, and then improve.
We specialize in helping Minnesota businesses improve their cybersecurity programs. One service we offer is our Program Development. This focuses in on driving quick improvements to areas like the NIST CSF Identify pillar and its controls. Because we’ve worked with such a wide range of clients, we can quickly apply our expertise to drive your program forward without wasted time, money and energy. If you’d like to learn more give us a call or click the Program Development button below to learn more.