This is the first in a recurring series that explores the functions, categories and subcategories of the National Institute of Standards & Technology (NIST) cybersecurity framework. *This article first appeared in Security Magazine.
How the Framework Works
NIST divides cybersecurity risk management into five functions: identify, protect, detect, respond and recover. In NIST-speak, a function is a high-level activity that expresses your company’s ability to organize relevant information to enable risk management decisions; to discover and address threats, vulnerabilities and their consequences; or to improve risk mitigation processes over time. Each of the five functions is broken down into categories, which express intended outcomes, and subcategories, which express the more specific outcomes (the results of particular technical and management activities) that organizations pursue to achieve each category.
Cover Your Assets
NIST defines the category of asset management broadly to refer to an organization’s ability to identify and manage its “data, personnel, devices, systems, and facilities” and to do so “consistent with their relative importance to business objectives and the organization’s risk strategy.”
It is the last part of NIST’s definition that captures the fundamental principle of all security risk management, asset management included. To be both effective at reducing the most significant business risks and efficient in using corporate resources, a practical cybersecurity strategy requires two things: first, that business leaders actively become informed about the potential impact on their corporate goals of failures of confidentiality, integrity and availability of data and systems; and, second, that those same informed business leaders then exercise sound discretion to implement security controls consistent with their company’s specific risk profile.
To begin, companies should evaluate whether they have in place, or should put in place, the following capabilities:
identify and track the technology assets the business relies upon;
determine who owns each technology asset and who is responsible for physically and digitally securing it (including installing critical security updates and upgrades);
adopt and enforce an acceptable use policy for technology assets; and,
adopt and enforce a life-cycle plan that includes support for, and retirement of, IT assets.
SAM, I Am
NIST points out that companies would do well to take inventory of the physical devices and systems within the organization. These processes commonly are referred to as Hardware Asset Management, or HAM, and Network Asset Management, or NAM. Companies also should take inventory of the software platforms and applications within the organization. This process commonly is referred to as Software Asset Management, or SAM. Adding even more rhyming acronyms to the mix, these methods collectively fall under the broad category of Information Technology Asset Management (ITAM), or simply Technology Asset Management (TAM). Yes, TAM is SAM with HAM and NAM, but at least none of this involves green eggs. Whatever the acronym, an inventory is only as good as its reconciliation against what actually appears on the network: a register that is never checked against DHCP leases, switch tables or scan results drifts from reality, and the devices that drift out of it are exactly the ones nobody is patching.
Get Your Priorities Straight
Armed with the knowledge of what hardware, software and systems your company has, NIST recommends prioritizing resources and data “based on their classification, criticality, and business value.” The most significant data and assets might then be categorized for greater security scrutiny that accounts for the potential harm that a loss of confidentiality, integrity or availability likely would cause to the business itself or to hapless third parties. Companies also should consider cataloguing and prioritizing the information systems that are external to the organization but significantly relied upon by it, for example cloud-based services.
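The two steps just described, reconciling what is seen on the network against the asset register and then ranking what is registered by impact, are shown below as an added example in Python. This is not code from the article or from NIST. The register rows, the observed (MAC, IP) pairs, the reference date and the scoring rule (a high-water mark over the confidentiality, integrity and availability impact ratings) are all constructed assumptions for illustration.

```python
"""Reconcile observed devices against the asset register and rank registered
assets by business impact.

Added example, not code from the article or from NIST. The register rows,
the observed (MAC, IP) pairs, the reference date and the scoring rule are all
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str              # who is accountable for securing and patching it
    classification: str     # data handled, e.g. "public", "corporate confidential"
    confidentiality: str    # impact if lost: "low" | "moderate" | "high"
    integrity: str
    availability: str
    end_of_support: Optional[str]   # "YYYY-MM-DD" vendor end of support, None if unknown


# Constructed asset register: what the organization believes it owns.
REGISTER = [
    Asset("00:11:22:aa:bb:01", "erp-db-01", "finance-it", "corporate confidential",
          "high", "high", "high", "2026-01-31"),
    Asset("00:11:22:aa:bb:02", "hr-file-01", "hr-it", "corporate confidential",
          "high", "moderate", "low", "2023-12-31"),
    Asset("00:11:22:aa:bb:03", "lobby-kiosk", "facilities", "public",
          "low", "low", "low", None),
    Asset("00:11:22:aa:bb:04", "build-agent-02", "platform", "corporate confidential",
          "moderate", "high", "moderate", "2025-06-30"),
]

# Constructed observations, shaped like a DHCP lease export or ARP sweep: (MAC, IP).
OBSERVED = [
    ("00:11:22:AA:BB:01", "10.0.1.10"),
    ("00:11:22:aa:bb:03", "10.0.9.5"),
    ("00:11:22:aa:bb:04", "10.0.2.41"),
    ("de:ad:be:ef:00:01", "10.0.2.77"),   # talks on the network, absent from the register
]


def criticality(asset: Asset) -> int:
    """High-water mark: an asset is as critical as the worst of its C, I and A impacts
    (an assumed rule in the spirit of FIPS 199 security categorization)."""
    return max(IMPACT[asset.confidentiality], IMPACT[asset.integrity],
               IMPACT[asset.availability])


def reconcile(register, observed):
    """Return (unknown, missing): devices seen but not registered, mapped to their IP,
    and registered devices not seen, mapped to hostname. MACs are case-normalized."""
    known = {a.mac.lower(): a for a in register}
    seen = {mac.lower(): ip for mac, ip in observed}
    unknown = {mac: ip for mac, ip in seen.items() if mac not in known}
    missing = {mac: a.hostname for mac, a in known.items() if mac not in seen}
    return unknown, missing


def out_of_support(asset: Asset, today: str) -> bool:
    # ISO "YYYY-MM-DD" dates compare correctly as strings.
    return asset.end_of_support is not None and asset.end_of_support < today


def prioritize(register, today: str):
    """Most critical first; within a tier, assets the vendor no longer patches come first."""
    return [a.hostname for a in sorted(
        register, key=lambda a: (-criticality(a), not out_of_support(a, today), a.hostname))]


if __name__ == "__main__":
    unknown, missing = reconcile(REGISTER, OBSERVED)
    print("unmanaged devices on the network:", unknown)
    print("registered but not seen:", missing)
    print("review order:", prioritize(REGISTER, today="2024-06-01"))
```

The unknown device is the interesting output: it is on the network, so it is exposed, but it has no owner, no classification and nobody patching it. The registered-but-unseen entry is the other failure mode, a register entry that may describe a decommissioned machine or one that has quietly moved. The ranking puts the out-of-support file server ahead of the more heavily rated database because a high-impact asset that can no longer be patched is the one that needs a decision first.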
Data with Destiny
Companies also should consider mapping the flow of corporate information and aligning that flow with an adequate information security architecture. Dozens of questions present themselves at this stage, including whether your organization has assigned security attributes to its sensitive data (such as corporate confidential, client confidential, export controlled, etc.) and, if so, whether those policies are backed up by technical controls that restrict the movement of controlled data across internal and external assets; whether sensitive data is encrypted in transit and at rest; whether all data, and the metadata associated with it, is subject to filtering and inspection; whether sensitive information is being transferred between networks with different security attributes; and whether controls exist to authorize or prohibit laptop, desktop or server connections with peripheral devices (such as printers), removable media (thumb drives) and mobile devices (employee-owned smartphones).
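What “backed up by technical controls” means in practice is a check, at the point of transfer, that the destination is approved to hold data carrying the label in question. The Python below is an added example, not code from the article or from NIST, of the standard lattice rule (the destination’s label must dominate the data’s label, with export control treated as a separate compartment) together with a second rule for unencrypted removable and mobile targets. The classification levels, the endpoints and the transfers are constructed for illustration.

```python
"""Label-based check of data movement between assets.

Added example, not from the article or from NIST. The levels, endpoints and
transfers below are constructed for illustration. The core rule is the usual
lattice check: data may move only to a destination whose label dominates the
data's label.
"""
from dataclasses import dataclass

# Ordered sensitivity levels; "export controlled" is a separate compartment flag.
LEVEL = {"public": 0, "corporate confidential": 1, "client confidential": 2}


@dataclass(frozen=True)
class Label:
    level: str
    export_controlled: bool = False


@dataclass(frozen=True)
class Endpoint:
    name: str
    label: Label          # highest label the endpoint is approved to hold
    kind: str             # "network", "removable_media", "mobile" or "peripheral"
    encrypted: bool       # storage/transport encryption in place


def dominates(holder: Label, data: Label) -> bool:
    """holder may receive data if its level is at least as high and it is cleared
    for the export-controlled compartment whenever the data is in it."""
    return (LEVEL[holder.level] >= LEVEL[data.level]
            and (holder.export_controlled or not data.export_controlled))


def check_transfer(data: Label, dst: Endpoint):
    """Return (allowed, reasons). Each reason names one policy the move would violate."""
    reasons = []
    if not dominates(dst.label, data):
        tag = " export-controlled" if data.export_controlled else ""
        reasons.append(f"{dst.name} is not approved to hold {data.level}{tag} data")
    if dst.kind in ("removable_media", "mobile") and LEVEL[data.level] > 0 and not dst.encrypted:
        reasons.append(f"{dst.name} is unencrypted {dst.kind}; non-public data requires encryption at rest")
    return (not reasons, reasons)


# Constructed endpoints.
ENDPOINTS = {
    "client-share": Endpoint("client-share", Label("client confidential", True), "network", True),
    "guest-wifi": Endpoint("guest-wifi", Label("public"), "network", False),
    "usb-stick": Endpoint("usb-stick", Label("corporate confidential"), "removable_media", False),
    "byod-phone": Endpoint("byod-phone", Label("corporate confidential"), "mobile", True),
}

# Constructed transfers: (data label, destination name).
TRANSFERS = [
    (Label("client confidential", True), "client-share"),   # same label, approved store
    (Label("client confidential"), "guest-wifi"),           # write-down to a public network
    (Label("corporate confidential"), "usb-stick"),         # right level, but unencrypted media
    (Label("corporate confidential"), "byod-phone"),        # encrypted mobile, approved level
    (Label("corporate confidential", True), "byod-phone"),  # phone not cleared for export control
]


def evaluate(transfers=TRANSFERS, endpoints=ENDPOINTS):
    """Decide each transfer; returns [(destination, allowed), ...] in input order."""
    return [(dst, check_transfer(data, endpoints[dst])[0]) for data, dst in transfers]


if __name__ == "__main__":
    for data, dst in TRANSFERS:
        allowed, reasons = check_transfer(data, ENDPOINTS[dst])
        print(f"{data.level:22s} -> {dst:12s} {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The point of the example is that the labels themselves do nothing; the deny decisions only exist because every endpoint carries a label and a device kind, which is precisely the asset inventory data from the earlier sections. Without that data the check has nothing to compare against.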
Role with IT
Finally, the NIST framework includes setting cybersecurity roles and responsibilities that extend well beyond the IT security staff to encompass the entire workforce and all third-party suppliers, customers and business partners. Examples include establishing personnel security requirements for employees and for those vendors with access to corporate assets; providing role-based IT security training; and establishing contingency plans should high-impact assets be rendered insecure, untrustworthy or otherwise unavailable.
NIST lists asset management as the very first category in its cybersecurity framework, under the identify function. Whether that ranking was by choice or by chance, it certainly is hard to argue against the logic that it’s hard to secure something you don’t manage, it’s hard to manage something that you don’t know exists, and it’s hardly worth your while to do either if you don’t know it’s important.