NIST CSF Overview: Identify
This blog post is about Identify, one of the five "pillars" of the NIST CSF (NIST itself calls them Functions). It is one of a series of posts, one per pillar.
Here are links to the other posts in this series: (Identify) Protect Detect Respond Recover.
What is the NIST CSF, and why does Pythia Cyber use it? The NIST CSF is the Cybersecurity Framework (CSF) published by the National Institute of Standards & Technology (NIST). We use it as the guide when designing and implementing a custom Cybersecurity Program (CSP), whether that program is the modest first steps of a new or small organization, a formal, rigorous program for a mature, mid-sized organization, or anything in between.
The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. That summary is also very abstract, so this post is one of a series that makes each of these concepts a bit more concrete.
The Identify pillar is where you identify the cyber assets (just "asset" from here on) that belong on your "Must Protect Now" list. We recommend that, as you go along, you also keep a "Must Protect ASAP" list and a "Should Protect Someday" list. Why isn't there a single asset list? Because no one has all the time, money and experts they could possibly need to protect everything of value to their organization, so the inventory has to be prioritized, and an asset you cannot protect today should move to a later list rather than be forgotten.
What is an asset in this context? An asset has to meet all three of these requirements:
- An asset is "critical," by which we mean its absence would severely limit operations. (It can be tricky to distinguish "assets" from "controls": see the "Protect" post.)
- An asset is "cyber," by which we mean that it is a computer system or computer data.
- An asset is "feasible," by which we mean you have the resources to protect it.
Every asset has risks associated with it. In fact, there is a vast number of hypothetical risks, and that vastness can be paralyzing. As part of Identify, for each critical asset, we recommend that you identify the risks to that asset that you deem worth mitigating. How do you choose? We use this rule of thumb: choose the risks so severe that you cannot ignore them, and the risks so likely that you cannot ignore them. An example of the former is the seat belt in a car: we wear seat belts not because it is likely that we will need them, but because needing one and not having it would be catastrophic. An example of the latter is keeping a sweater in the office: people do that not because being a bit chilly at work is so awful, but because overactive A/C in office buildings is so very, very likely. A risk that is neither severe nor likely can wait; a risk that is both goes to the top of the list.
The path to greater cyber safety starts with the Identify pillar: you cannot protect what you have not named, and you cannot prioritize what you have not ranked. Pythia Cyber can help you start where you are, set reasonable goals, and then build a program that will achieve those goals. You can be safer, and we can show you how.