Why You Should Focus Your Q1 Activities on the “Identify” NIST CSF Category

“You don’t know what you don’t know.” A simple phrase I’ve heard many times in passing that has resonated with me more and more deeply over the years. I tend to complement this with my professional motto, “Everything is figure-out-able”. This can apply to everything, from life skills and relationships to learning and the workplace.

When preparing for a professional certification exam, I fight procrastination and test anxiety by making my number one goal to figure out what I don’t know because once Identified, it becomes figure-out-able.  

As I’ve ventured further into my career, I’ve learned that Identifying weaknesses, vulnerabilities, and areas for improvement is far more critical to the success of your cybersecurity program than focusing on select strengths. We can leave focusing on the highlights to our marketing teams 😉 

The most stressful moments in cybersecurity come from those dreaded moments of uncertainty or of discovering that your assumptions were incorrect.  

  • “We used to use that vendor who’s in the news for a security breach, but we don’t use them anymore. We made sure to remove their API integrations and disable their service principals, especially any holding Global Administrator, right?” 
  • “One of our executives is having some weird issues with their computer – can the security team scan it with our Antivirus/Endpoint Detection & Response tool? Surely the executive cooperated with one of their requests for a meeting to get it installed on the new computer, right?” 
  • “I just got notified of an unusual login, but that doesn’t make sense. We have MFA enabled AND enforced, right?” 
  • “We have a disgruntled employee posing an insider risk; we have documentation on any systems they might have administrative permissions to, right?” 

These are just a few of the uncomfortable questions that come up when your organization hasn’t spent time reviewing the outcomes in the Identify category of the NIST CSF. (In CSF 1.1 terms, Identify is one of the five Functions, and ID.AM through ID.SC below are its Categories; each Category breaks down into numbered Subcategories such as ID.AM-1.) 

At Edge Networks, we often spend at least 40% of our time on the Identify category when performing NIST CSF assessments for clients with limited technical bandwidth or who are new to compliance. This is because even the best Protect, Detect, Respond, and Recover capabilities in the world can’t help you effectively if you don’t have the following Identify outcomes in place. 

ID.AM: Asset Management 

Inventory and document your physical devices, software and application assets, and external information systems, and map the communication and data flows between them. Evaluate and document the priority of all assets (people, software, hardware, data) based on their classification and how critical they are to the business. Establish cybersecurity roles and responsibilities for employees, suppliers, customers, and partners. 

Even if you can’t make it a continuous process, refreshing this information twice a year will move you forward in your maturity score and give you a solid reference in case of an incident or disaster. A documented asset list can save money after a disaster or loss, because you have something concrete to hand to your insurer, and it tells you what needs to be restored first during an incident. It also ensures that all your hard work implementing the Protect and Detect controls is actually effective, since you can’t protect or monitor what you don’t know you have. Identifying this information can give you peace of mind, too: when you see a vendor in the news for a security breach, you can verify whether you still use them and, therefore, whether you need to act. Employees will know who is designated to act in case of a cybersecurity event, and suppliers will understand your cybersecurity standards and their role in them. 

The hardest part is getting started. That first draft makes each subsequent draft faster and easier. This is usually the biggest chunk of Identify, so don’t get discouraged by how much time it might take; the rest of the NIST CSF implementation will go much faster. 
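To show what a usable inventory buys you, here is an added example (not code from the original post or from Edge Networks) of a small, queryable asset and identity inventory that answers the uncomfortable questions from the introduction: whether a breached vendor is still in use, which vendor service principals outlived the vendor relationship (and which of those hold Global Administrator), which endpoints never got the EDR agent, and which systems a given person can administer. The records, field names, and the criticality/classification ranking used for ID.AM-5 prioritization are constructed assumptions for illustration, not a schema from NIST or any product.

```python
"""Queryable asset / identity / vendor inventory.

Added example, not from the original post. All records below are
constructed sample data; the field names and ranking weights are
assumptions chosen for illustration, not a NIST CSF or product schema.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Ranks used to prioritise assets (ID.AM-5): higher is more important.
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
CLASSIFICATION = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                      # "hardware" | "software" | "external"
    owner: str                     # accountable person (ID.AM-6)
    criticality: str
    classification: str
    vendor: Optional[str] = None   # supplier the asset depends on, if any
    edr_installed: bool = True     # confirmed EDR/AV agent present


@dataclass(frozen=True)
class Identity:
    principal: str                 # user or service principal name
    kind: str                      # "user" | "service_principal"
    vendor: Optional[str]          # set when provisioned for a supplier
    roles: tuple[str, ...]         # e.g. "Global Administrator"
    systems: tuple[str, ...]       # assets this identity administers


# --- constructed sample inventory ---------------------------------------
ASSETS = [
    Asset("crm-prod", "software", "ops@example.com", "high", "confidential", vendor="AcmeCRM"),
    Asset("payroll", "external", "hr@example.com", "high", "restricted", vendor="PayCo"),
    Asset("wiki", "software", "it@example.com", "low", "internal"),
    Asset("LT-CEO-01", "hardware", "ceo@example.com", "high", "confidential", edr_installed=False),
    Asset("LT-AN-07", "hardware", "analyst@example.com", "medium", "internal"),
]

IDENTITIES = [
    Identity("svc-acmecrm-sync", "service_principal", "AcmeCRM",
             ("Application Administrator",), ("crm-prod",)),
    Identity("svc-oldbackup", "service_principal", "OldBackupCo",
             ("Global Administrator",), ("wiki", "crm-prod")),
    Identity("jdoe", "user", None, ("Helpdesk Administrator",), ("LT-AN-07", "wiki")),
    Identity("svc-payco", "service_principal", "PayCo", (), ("payroll",)),
]


def vendors_in_use(assets):
    """Suppliers that at least one inventoried asset still depends on."""
    return {a.vendor for a in assets if a.vendor}


def stale_vendor_identities(identities, assets):
    """Identities provisioned for vendors that no longer back any asset.

    These are the 'did we disable their service principal?' cases.
    Global Administrator holders are returned first.
    """
    active = vendors_in_use(assets)
    stale = [i for i in identities if i.vendor and i.vendor not in active]
    return sorted(stale, key=lambda i: "Global Administrator" not in i.roles)


def endpoints_missing_edr(assets):
    """Hardware assets where the EDR agent was never confirmed installed."""
    return [a.name for a in assets if a.kind == "hardware" and not a.edr_installed]


def admin_scope(identities, principal):
    """Systems a given person can administer (the insider-risk question)."""
    return sorted({s for i in identities if i.principal == principal for s in i.systems})


def prioritized(assets):
    """Asset names ordered by criticality, then data classification (ID.AM-5)."""
    key = lambda a: (CRITICALITY[a.criticality], CLASSIFICATION[a.classification])
    return [a.name for a in sorted(assets, key=key, reverse=True)]


if __name__ == "__main__":
    print("vendors in use:", sorted(vendors_in_use(ASSETS)))
    for i in stale_vendor_identities(IDENTITIES, ASSETS):
        print(f"STALE {i.principal} ({i.vendor}) roles={i.roles}")
    print("no EDR:", endpoints_missing_edr(ASSETS))
    print("jdoe admin on:", admin_scope(IDENTITIES, "jdoe"))
    print("priority order:", prioritized(ASSETS))
```

The point is not the data model but the cross-referencing: the vendor column on assets and the vendor tag on identities are what let you answer “do we still use them, and did we really remove their access?” in one query instead of a week of guessing. In a real tenant the identity records would be pulled from your directory (for example an export of service principals and their directory role assignments) rather than typed in.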

ID.BE: Business Environment 

Identify your organization’s role in the supply chain, as well as its place in critical infrastructure and its industry sector (if applicable). Establish and communicate your mission, objectives, and priorities. Identify the dependencies and resilience requirements for delivering your critical services during normal operations, under duress/attack, and during recovery. 

If your organization is part of an ecosystem with dependencies running between you and other organizations, this ensures you know who needs to be called when something upstream breaks, and lets you prepare for the opposite case, where a competitor goes down and leaves a delivery gap for you to fill. During an attack, it’s common to have panic and uncertainty about what you can afford to take offline and who it will affect; this category gives you a reference to consult instead of guessing. 

ID.GV: Governance 

What do you want your employees to know about cybersecurity? Your organization’s cybersecurity policy is your chance to tell them. This can include your company’s stance on the use of ChatGPT, locking devices before walking away, not connecting to public WiFi without a VPN, and much more. Your identified cybersecurity roles and responsibilities should also align with internal roles; for example, your junior analyst likely should not be the lead point of contact during incidents. 

Most importantly, this category is about understanding your legal and regulatory cybersecurity obligations. We typically begin by asking customers to identify and document every state and country in which they do business. From that list we can identify the breach reporting and other obligations you fall under, such as NYDFS, CCPA, and GDPR, so you can achieve and maintain compliance (and avoid fines). 

ID.RA: Risk Assessment 

This category ties back heavily to our introduction: “You don’t know what you don’t know.” By documenting vulnerabilities and threats, subscribing to threat intelligence feeds, performing a risk assessment, and deciding which risks take priority when several risk events coincide, your organization will be in a much better position to improve its security posture. This is usually where we do a gap assessment to identify and document your vulnerabilities and threats. As a cybersecurity professional, I want to hear every story about every disgruntled employee from the past, every case of an executive dealing with identity fraud, and every previous malware infection.  

All this information helps paint a clear picture of what you’re up against and gives crucial context to activity that looks slightly odd but would otherwise be assumed okay. The threat intelligence sources I most often recommend are CISA, MS-ISAC, and Bleeping Computer (for digestible, interesting, and current cybersecurity news). 

ID.RM: Risk Management 

Winding down, this one is a bit of a breather. Establish how you perform risk assessments and what your organizational risk tolerance is. Maybe you’re cloud-based with backups in place, you don’t store any PII, and you have very flexible deadlines for delivery within your organization. The attention and energy you give your risk management will look vastly different than a financial consulting organization with PII, eDiscovery needs, and Data Loss Prevention concerns. 

ID.SC: Supply Chain 

We all want to believe that all our vendors do what they do extremely well and put just as much of an emphasis on their physical and cybersecurity as they do on their product/service sales and delivery…right? As countless breaches in the news have shown us, this isn’t always as true as we’d like to believe.  

Since Edge Networks got its start with small and mid-size companies, we don’t expect every supplier or vendor to have a SOC 2 report ready for display, but having a vendor inventory and doing your due diligence is a must. We usually start by loading all of your vendors into our managed GRC platform, EdgeGRC. We then work with you to request SOC 2 reports and/or ISO/IEC 27001 certificates from each vendor, and to document whether the vendor accesses any of your PII/PHI, any contracts/SLAs, and, perhaps most frequently appreciated, your contact at the vendor/supplier. The result is a single place to check which vendors you’re currently using, exactly what they’re responsible for, and how mature their cybersecurity posture is, and from which you can send periodic risk questionnaires to keep due diligence smooth and hassle-free. The last subcategory in this category, ID.SC-5, specifies that you plan and test response and recovery activities with your suppliers and third-party providers.  

In practice, this typically starts with testing your backup system to confirm you actually know how to restore the data in an emergency, or working with your MSSP (😉) to conduct a tabletop exercise to confirm that the right contacts answer, can get you the information you need on request, and can get you back up and running quickly. The results feed back into the risk assessment and paint a clearer picture of how long recovery would actually take. 

Let Edge Help with NIST CSF

The Identify category of NIST CSF accounts for 29 of the framework’s 108 subcategories, second only to the Protect category. If that felt like a lot, it’s because it is! Edge Networks specializes in helping companies like yours conduct NIST CSF assessments to align with cybersecurity best practices and empower you with the information you need to respond effectively and efficiently to cybersecurity concerns. Contact us today to get started.