NIST CSF Overview: Identfy

In order to foster trust in our work Pythia Cyber uses the Cyber Security Framework (CSF) put out by the National Institute of Standards & Technology (NIST) when designing and implementing Cyber Security Programs. We are guided by the NIST CSF if those programs are the modest first steps of new or small organizations, or if those programs are formal, rigorous programs for mature, mid-sized organizations, or anywhere in between.

The NIST CSF mantra is simple: Identify, Protect, Detect, Respond, Recover. But this overview is also very abstract. So this blog post is one of a series to make these concepts a bit more concrete. There will be one blog post for each "pillar" as NIST calls them. This blog post is about Identify.

In a nutshell, the Identify step should result in a list of computer systems and data which are to be protected. Not simply a manifest of what one would, ideally, hope to protect, but a list of, specifically, what you are willing to protect given your time constraints, your budget constraints and your personnel.

(As part of our commitment to "real world consulting," we expect to end up with a list "Must Protect Now" list, a "Must Protect ASAP" list and a "Should Protect Someday" list. Because no one has all the time and money and experts that they could possibly need.)

To be on the Must Protect Now list means that an item is going to be protected, as best you can, as soon as possible (or is being protected already). We all agree that the organization has committed the time and money and personnel to this goal, which means that there should be no administrative hurdles to providing this protection. All that remains is execution (the Protect step) and monitoring of that protection (the Detect step) and, should any issue be detected, the Respond step (the short-term response to the issue) and Recover step (the long-term response to the issue).

By "we all agree" Pythia Cyber means that the executives have allocated the resources, the line managers have a plan and the rank-and-file are aware of the plan and executing that plan. This is why we work with all three of these groups: we do not consult only to the CISO or CTO or CIO. We are not only talking to the C-Suite. We are working at all levels. Direction comes from the top but change comes from the middle and happens at the bottom.

When we ask these different tiers of the organization to identify that which needs protecting, we understand that the perspectives are all going to differ, as well as the vocabulary and scope. We don't expect executives to name specific database systems as needing protection. We don't expect database administrators to talk about legal liability. There are always differing perspectives but our goal is a shared vision that allows everyone to do their part.

This is post describes pillar 1 of 5. Here links to the other posts: [1 2 3 4 5]