When attempting to align your cybersecurity program with the NIST CSF framework it’s easy to get hung up and frustrated trying to figure out what the definitions mean, and how they apply to your cybersecurity program.

When you read the NIST CSF categories and subcategories it can be difficult to understand the scope, and hard to define the control capabilities. Without a clear understanding of both, you won’t be able to effectively measure what you currently have.

Without a clearly defined scope, the scope could be different every time you perform an assessment. This might cause you to get different scores. Or worse yet you could get the same maturity score even though you’ve invested a lot into maturing the program.

If an outside vendor comes in to perform an annual maturity assessment and doesn’t define the controls the same way you expected, your results can be way off. These deltas in scope can lead to results that indicate you’re not performing well or protecting the company effectively. It might lead to executives questioning if you’re doing a good job.

What is NIST CSF?

NIST CSF is the leading cybersecurity framework in use today across many industries. The controls are organized into pillars. Each pillar is broken down further into control areas (categories) that list a set of individual controls that can be considered. These individual controls are referred to as subcategories.

I love NIST. It has helped me countless times to translate the highly complicated world of cybersecurity into a language and scoring system that makes sense to executives and members of the board. It turns the technology and processes of security into a report card.

NIST is not meant to be a prescriptive set of controls.

It’s a framework to leverage. Other frameworks allow the opportunity to be more prescriptive. But NIST offers this framework (notice the word ‘frame’) to help you see the big picture and provide a platform for individual companies to base their risk program on.

There is freedom in aligning with NIST.

This means you can decide which controls are applicable to your organization and make sense for you based on your unique risk. This customized control set is referred to as a ‘profile’. NIST provides instructions on how to create and customize a profile.

Each control should be considered for applicability. In addition, each control should be scoped for your business. Your organization should invest in defining the control capability.

Solution

Let’s walk through how to effectively leverage the NIST cybersecurity framework, specifically the identify pillar for your organization.

Step 1 – Create a Profile

Working on the ‘Identify’ pillar, review each of the ‘Categories’ to determine whether they currently apply to your program and risk posture. There are six categories within the Identify pillar:

  • Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy.
  • Business Environment (ID.BE): The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
  • Governance (ID.GV): The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
  • Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  • Risk Management Strategy (ID.RM): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
  • Supply Chain Risk Management (ID.SC): The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess and manage supply chain risks.

Keep the ones that make sense, and remove the categories that it does not make sense for your organization to establish controls over at this time. For example, I feel the Asset Management category is always applicable, but I often see Risk Management Strategy withheld for a future time.

With the categories you’ve chosen to keep as part of your current framework, repeat this process for each of the individual ‘subcategories’ (or, as I like to call them, security controls). Determine whether all the subcategories make sense (not from a definition standpoint, but from an applicability standpoint). For example, if you’ve decided to keep the ‘Asset Management’ category as part of your profile, then review each subcategory, such as ID.AM-3, which is defined as, “Organizational communication and data flows are mapped.” Remove any subcategories that you feel are not applicable, or not effective to measure your program against, at this time.

Repeat this process for each of the five NIST CSF pillars: Identify, Protect, Detect, Respond, and Recover.

You’ve successfully created your own unique NIST CSF profile to measure against.

Step 2 – Define Scope

In my experience, failing to define the scope has the largest negative impact on effectively measuring against the NIST CSF framework.

Scope the controls (subcategories) you have decided upon.

Defining the scope is going to greatly reduce stress and confusion. Documenting the scope is going to provide a clear reference for everyone. When everyone knows what’s being asked, this process goes quickly and efficiently.

When people are expected to answer questions that they don’t understand they get frustrated. You’ve been there. That frustration creates a chasm in the relationship. That’s the exact opposite of what cybersecurity wants to be doing. We want to be building relationships.

Starting with physical device inventory (subcategory ID.AM-1), decide the scope. The list below is a guide to help you. Review each physical inventory group and decide whether you want it in scope for ID.AM-1 at this time.

  • Company provided endpoints for employees
  • Company provided endpoints for contractors and/or consultants
  • Employee owned (BYOD) endpoints used on premises
  • Company owned servers onsite
  • Non-company owned servers onsite
  • Company owned servers at vendor or partner locations
  • Non-company owned servers located at vendor or partner locations
  • IoT devices on company premises like HVAC and alarm systems
  • Company owned servers at offsite data center
  • Company owned networking infrastructure onsite
  • Company owned access badges
  • Company owned mobile devices
  • Company access devices (keys to building / elevators)

What physical devices and systems can you think of that I missed? Are you tracking physical inventory that is in scope for your ID.AM-1 subcategory? Add them in the comment section below so others can benefit.

Now review software platforms and applications (subcategory ID.AM-2).

Now that you’ve created a company specific inventory list for physical devices, repeat that process for software and applications. Here is a sample list for your review:

  • Endpoint operating systems
  • Server operating systems
  • Endpoint installed applications
  • Internal hosted applications
  • Cloud hosted vendor applications used (e.g. Dropbox, Salesforce)
  • Internally hosted databases
  • Cloud based databases
  • Open source software
  • Cloud based platforms (AWS, Azure, GCP)

What software platforms and applications have I missed? Add them to the comments below.
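The two steps above (keep or remove each subcategory, then write down which inventory groups each kept subcategory covers) produce a document that both your team and an outside assessor can work from. The following is an added example, not code from the original post or from Asher Security, showing how to hold that profile as data and check it for the failure modes described above: a control kept in the profile with no scope written down, a control removed with no reason, and a mistyped identifier. The dataclass layout, the function names and the sample scope decisions are constructed for illustration and are not prescribed by NIST CSF.

```python
import re
from dataclasses import dataclass, field

# Subcategory IDs look like ID.AM-1: pillar, category, number.
SUBCAT_ID = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")


@dataclass
class Subcategory:
    """One NIST CSF subcategory (control) as it appears in our profile (assumed layout)."""
    sid: str
    text: str
    applicable: bool = True
    reason: str = ""                                   # why it was removed, if removed
    in_scope: list = field(default_factory=list)       # inventory groups assessed now
    out_of_scope: list = field(default_factory=list)   # groups explicitly deferred


# Constructed sample profile covering part of the Identify pillar.
SAMPLE_PROFILE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried.",
                in_scope=["Company provided endpoints for employees",
                          "Company owned servers onsite",
                          "Company owned networking infrastructure onsite"],
                out_of_scope=["Employee owned (BYOD) endpoints used on premises",
                              "IoT devices on company premises"]),
    Subcategory("ID.AM-2", "Software platforms and applications are inventoried.",
                in_scope=["Endpoint operating systems", "Server operating systems",
                          "Cloud hosted vendor applications"],
                out_of_scope=["Open source software"]),
    # Kept, but nobody wrote down what it covers: the scoping gap the article warns about.
    Subcategory("ID.AM-3", "Organizational communication and data flows are mapped."),
    # Removed for now, with a documented reason.
    Subcategory("ID.RM-1", "Risk management processes are established.",
                applicable=False, reason="Deferred to next planning cycle"),
    # Colon instead of dot in the identifier, easy to miss in a spreadsheet.
    Subcategory("ID:GV-1", "Organizational cybersecurity policy is established.",
                in_scope=["Information security policy"]),
]


def validate_profile(profile):
    """Return a list of findings; an empty list means the profile is ready to assess against."""
    findings = []
    seen = set()
    for sc in profile:
        if not SUBCAT_ID.match(sc.sid):
            findings.append(f"{sc.sid}: identifier is not of the form XX.YY-n")
        if sc.sid in seen:
            findings.append(f"{sc.sid}: listed more than once")
        seen.add(sc.sid)
        if sc.applicable and not sc.in_scope:
            findings.append(f"{sc.sid}: kept in profile but no inventory group is in scope")
        if not sc.applicable and not sc.reason.strip():
            findings.append(f"{sc.sid}: removed from profile without a documented reason")
        overlap = set(sc.in_scope) & set(sc.out_of_scope)
        for group in sorted(overlap):
            findings.append(f"{sc.sid}: '{group}' is both in and out of scope")
    return findings


def scoped_controls(profile):
    """The document handed to assessors: only kept controls, each with its agreed scope."""
    return {sc.sid: sorted(sc.in_scope) for sc in profile if sc.applicable}


def profile_summary(profile):
    """Counts of kept and removed subcategories, useful for the cover page of the profile."""
    kept = sum(1 for sc in profile if sc.applicable)
    return {"kept": kept, "removed": len(profile) - kept}


if __name__ == "__main__":
    for finding in validate_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
    for sid, groups in scoped_controls(SAMPLE_PROFILE).items():
        print(sid, "->", groups)
    print(profile_summary(SAMPLE_PROFILE))
```

Run the validator before each assessment cycle; a clean run means every kept control has a written scope, so an outside assessor and your own team are measuring the same thing.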


Review

Applying this effort to create a unique NIST CSF profile should result in a framework that is applicable to your business and makes sense when assessing the controls (subcategories). It takes time and effort on the front end to review and scope, but it will pay dividends on the back end when performing assessments and establishing a baseline of your current maturity.

Next Steps: Review capability maturity measurements

The next step is assessing your current maturity level by scoring each of the controls (subcategories) you’ve assigned to your profile. We’ll cover this topic and walk through it in another article (I’ve decided it’s out of scope for this one).


Conclusion

By applying these steps of creating a profile and defining the scope of controls, you will be better able to align your cybersecurity program with NIST CSF. You will more effectively and consistently measure the maturity of your cybersecurity program. You can equip outside assessors with your profile and the scope of the controls so that everyone is assessing the same thing, which results in greater score consistency.

By investing in this scoping and definition process, you will be able to see the increased maturity that your investments in your cybersecurity program are producing over time.


Assistance

Asher Security specializes in helping Minnesota businesses improve their cybersecurity program through a service we call Program Development. Here we focus on one pillar of your security program to improve its overall health and strength.

If you’d like to learn more about our Program Development click the link below:
