Identify Function - 5 Keys to Increase Security

The Identify function is the first of the five functions that make up the NIST Cybersecurity Framework.  You can get a high-level overview by reading our last blog post, “Complete Cloud Technology Roadmap with 5 Functions”.

The Identify function focuses on elements that impact a business from different views.  Understanding the resources that support critical functions and the related cybersecurity risks enables an organization to focus and prioritize based on a risk management strategy.  The strategy must align with business needs.

The framework defines five (5) functions for securing your business environment.  We provide more details on how Microsoft 365 can assist and maximize your return on investment as a small business owner.  In this blog, we focus on the Identify function.

Identify Function Overview

The NIST Cybersecurity Framework defines these categories.  If you ignore any one of these, the cost or risk may shut down your business.  How many businesses today didn’t consider how a pandemic would impact their business?  Once you identify these key elements, you will understand how the other 4 functions apply to your business.

The five (5) key elements of the Identify function are:  Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management.

Identify Function - Asset Management

Asset Management

The most important key is assets.  Some businesses sell assets; others create or use them.  So what are they?  Assets can be data, personnel, devices, systems, applications, or facilities that help an organization reach its goals and objectives.  These six elements play a key role in the asset management part of the Identify function:

  • Physical Devices – Inventory any end user compute device as well as Internet of Things (IoT) devices.
  • Software and Applications – Inventory all software and applications that are used for business use.
  • Communication and Data Flow – Map and document the transmission of data both internally and externally.
  • External Information – All external information systems are cataloged and identified.
  • Resources – Prioritize based on classification, criticality, and business value.
  • Cybersecurity Roles & Responsibilities – Establish roles and responsibilities for the entire workforce and third-party stakeholders.

Cloud Technology Strategy Thoughts

Which features and functionality of Microsoft cloud services best fit your organization will depend on the size of your business.  For small business owners with fewer than 300 employees, Microsoft 365 Business Premium includes many of these solutions.  In some cases there are limitations; however, as a small business owner, pay attention to the business value.  Businesses with over 300 employees should consider Microsoft E3 or E5 licenses depending on their business needs.

Here are some of the solutions and links:

  • Microsoft Endpoint Configuration Manager – An integrated solution to manage all devices, which includes Intune.  For some small businesses, Intune will be all you need.
  • Azure AD and/or Active Directory – Controls access to devices and data.  Also controls integrated Apps along with roles and responsibilities.
  • IoT Hub – Helps you maintain the health of your solution by tracking events, failures and connections from industrial equipment to healthcare assets.
  • Desktop Analytics – Provides insight and intelligence for your business to make informed decisions about apps working with Windows 10.
  • Cloud App Security – A broker that supports various deployment modes including log collection, API connectors and reverse proxy.
Identify Function - Business Environment

Business Environment

Your business mission, objectives, stakeholders and activities need to be understood and prioritized.  This information relates to cybersecurity roles, responsibilities and risk management decisions.

These five elements play a key role in the business environment part of the Identify function:

  • Supply Chain – Your business role in the supply chain is clearly identified and communicated.
  • Industry Sector – How does your business fit into today’s critical infrastructure?
  • Organization Priorities – The mission and objectives of your organization are established.
  • Critical Services – Know the dependencies and critical functions in order to deliver your critical services.
  • Resilience Requirements – Understand what it takes to deliver critical services in difficult times.

Cloud Technology Strategy Thoughts

Overall, documentation and communication play a key role in supporting the business environment along with some technology.  The focus is your business mission, objectives, stakeholders and activities.

For business environments here are some of the cloud technologies we recommend using:

Identify Function - Governance

Governance

This key addresses the policies, procedures and processes used to manage and monitor your business’s regulatory, legal, risk, environmental and operational requirements.

  • Information Security Policy – Your business establishes a security policy.
  • Security Roles & Responsibilities – Information security roles and responsibilities are aligned with internal roles and external partners.
  • Legal and Regulatory Requirements – Your business understands and manages cybersecurity, privacy and civil liberty obligations.
  • Governance and Risk – Business management processes take into consideration cybersecurity risks.

Cloud Technology Strategy Thoughts

From a governance perspective, you need to know what your cloud provider controls or handles versus what your business is responsible for.  The following resources provide information and controls to help with governance:

Identify Function - Risk Assessment

Risk Assessment

The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), business assets, and individuals.

  • Asset Vulnerabilities – Document vulnerabilities that affect your business assets.
  • Threat and Vulnerability Information – Understand and share information from sources containing threats and vulnerabilities.
  • Threats Both Internal and External – Document vulnerabilities internally and externally that affect your business.
  • Potential Business Impacts – Identify the potential business impacts.
  • Determined Risk – Identify the likelihood of potential business impacts.
  • Risk Responses Prioritized – Identify risks and prioritize based on impact and likelihood.

Cloud Technology Strategy Thoughts

Other tools exist to determine your cloud technology or on-premises technology risk.  The list below provides some ways Microsoft makes it easier to identify your business risk.

Identify Function - Risk Management

Risk Management

Business priorities, constraints, risk tolerances and assumptions are established and used to support operational risk decisions.

  • Risk Management Process – Business stakeholders need to establish, manage and agree on risk management processes.
  • Risk Tolerance – Your business needs to understand its risk tolerance.
  • Risk Tolerance to Critical Infrastructure – In the event your business is associated with critical infrastructure, establish your risk tolerance.

Cloud Technology Strategy Thoughts

Risk management really boils down to defining your tolerance to risk within your business as part of the Identify function.  Again, as mentioned above, Microsoft SharePoint can be used as a library for the documentation and training materials for your employees.  Microsoft does provide cloud tools and automation processes to help with this:

Summary

These five key elements will help identify the most important assets in your business.

If you have any questions, please schedule a call or ask in the comments below…