Identify Function – 5 Keys to Increase Security

The Identify function is the first of five making up the NIST cybersecurity framework.  You can get a high level overview by reading our last blog post “Complete Cloud Technology Roadmap with 5 Functions“.

The Identify function focuses on elements that impact a business from different views.  This includes resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize based on a risk management strategy.  The strategy must align with business needs.

Five (5) functions to securing your business environment.  We provide more details how Microsoft 365 can assist and maximize your return on investment as a small business owner.  In this blog, we focus on the Identify Function.

Identify Function Overview

NIST cybersecurity framework defines these categories.  If you ignore anyone of these, the cost or risk may shutdown your business.  How many businesses today didn’t consider how a pandemic impacted their business?  Once you identify these key elements, you will understand how the other 4 functions apply to your business.

Five (5) key elements of the Identify Function are:  Asset Management, Business Environment, Governance, Risk Assessment, and Risk Management

Asset Management

The most important key are assets.  Businesses sell assets, others create assets or use assets.  So what are they?  Assets can be data, personnel, devices, systems, applications, or facilities that help an organization reach their goals and objectives.  These six elements play a key role in the asset management 0f the identify function:

• Physical Devices – Inventory any end user compute device as well as Internet of Things (IoT) devices.
• Software and Applications – Inventory all software and applications that are used for business use.
• Communication and Data Flow – Map and document the transmission of data both internally and externally.
• External Information – All external information systems are cataloged and identified.
• Resources – Prioritize based on classification, criticality, and business value.
• Cybersecurity Roles & Responsibilities – Establish roles and responsibilities for the entire workforce and third-party stakeholders.

Cloud Technology Strategy Thoughts

The size of your business will depend on what features and functionality of Microsoft cloud services best fits your organization.  For small business owners less than 300 employees, Microsoft 365 Business Premium includes many of these solutions.  In some cases there are limitations, however, as a small business owner, pay attention to the business value.  Businesses over 300 employees should consider Microsoft E3 or E5 licenses depending on their business needs.

Here are some of the solutions and links:

• Microsoft Endpoint Configuration Manager an integrated solution to manage all devices which includes Intune.  For some small businesses Intune will be all you need.
• Azure AD and/or Active Directory – Controls access to devices and data.  Also controls integrated Apps along with roles and responsibilities.
• IoT HUB helps you maintain the health of your solution by tracking events, failures and connections from industrial equipment to healthcare assets.
• Desktop Analytics provides insight and intelligence for you business to make informed decisions with apps working with Windows 10.
• Cloud App Security a broker that supports various deployment modes including log collection, API connectors and reverse proxy.

Business Environment

Your business mission, objectives, stakeholders and activities need to be understood and prioritized.  This information relates to cybersecurity roles, responsibilities and risk management decisions.

These five elements play a key role in the business environment of the identify function:

• Supply Chain – Your business role in the supply chain is clearly identified and communicated.
• Industry Sector – How does your business fit into todays critical infrastructure.
• Organization Priorities – The mission and objectives of your organization established.
• Critical Services – Know the dependencies and critical functions in order to deliver your critical services.
• Resilience Requirements – Understand what it takes to deliver critical services in difficult times.

Cloud Technology Strategy Thoughts

Overall, documentation and communication play a key role in supporting the business environment along with some technology.  The focus is your business mission, objectives, stakeholders and activities.

For business environments here are some of the cloud technologies we recommend using:

• Microsoft 365 – SharePoint and Stream to build an internal communication system about your business.
• Privileged Access – creating a privileged access plan will help isolate and protect critical services.
• Active Directory (AD) along with Azure AD – active directory design and implementation is the key to access and identity.

Governance

This key addresses policies, procedures and processes to manage and monitor your businesses regulatory, legal, risk, environmental and operational requirements.

• Information Security Policy – Your business establishes a security policy.
• Security Roles & Responsibilities – Information security roles and responsibilities are aligned with internal roles and external partners.
• Legal and Regulatory Requirements – Your business understands and manages cybersecurity privacy and civil liberty obligations
• Governance and Risk – Business management processes take into consideration cybersecurity risks.

Cloud Technology Strategy Thoughts

From a governance perspective, you need to know what your cloud provider controls or handles verses what your business is responsible for.  The following resources provide information and controls to help with governance:

• Microsoft Azure Shared Responsibility – Data, Endpoints, Account and Access Management will always be your responsibility.
• Microsoft Incident Response and Share Responsibility – Great blog to understand shared responsibility and security response.
• Microsoft Compliance Offering – Comprehensive compliance list to comply with national, regional, and industry-specific requirements.
• Cloud App Security – a Cloud Access Security Broker (CASB) operates on multiple clouds.
• Microsoft and General Data Protection Regulation (GDPR) – Good information on how Microsoft safeguards individual privacy rights.
• Privacy with Microsoft – Information on how Microsoft takes care of your data.
• Microsoft Cloud Services Risk/Vulnerability Assessment – Service to repeatedly monitor and assess the cloud environment.

Risk Assessment

The organization understand the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), business assets, and individuals.

• Asset Vulnerabilities – Document vulnerabilities that effect your business assets.
• Threat and Vulnerability Information – Understand and share information from sources containing threats and vulnerabilities.
• Threats Both Internal and External – Document vulnerabilities internally and externally that effect your business.
• Potential Business Impacts – Identify the impact of potential business impacts.
• Determined Risk – Identify the likelihood of potential business impacts.
• Risk Responses Prioritized – Identify risks and prioritize based on impact and likelihood.

Cloud Technology Strategy Thoughts

Other tools exist to determine your cloud technology or on-premise technology risk.  The list below provides some ways Microsoft makes it easier to identify your business risk.

• Vulnerability Assessment in Azure Security Center – An integrated vulnerability assessment solution for virtual machines.
• Microsoft Secure Score – A measurement solution built into the Microsoft cloud to provide a measurement of security posture.
• Active Directory On-Demand Assessment – Provides specific actionable guidance to mitigate risks in your Active Directory environment.
• Privileged Access Workstation (PAW) – A hardened and locked down workstation for high security situations.
• Microsoft Security Intelligence – Understand the breadth and depth Microsoft handles on a daily basis.
• Azure Security Center – Strengthen your business cloud security posture.
• Microsoft Threat Modeling Tool – Helps to find threats in the design phase of software projects.

Risk Management

Business priorities, constraints, risk tolerances and assumptions are established and used to support operational risk decisions.

• Risk Management Process – Business stakeholders need to establish, manage and agree on risk management processes.
• Risk Tolerance – Your business needs to understand the risk tolerance.
• Risk Tolerance to Critical Infrastructure – In the event your business is associated with critical infrastructure, establish your risk tolerance.

Cloud Technology Strategy Thoughts

Risk management really boils down to defining your tolerance to risk within your business as part of the identify function.  Again as mentioned above, Microsoft SharePoint can be used as a library for the documentation and training materials for your employees.  Microsoft does provide cloud tools and automation processes to help with this:

• Microsoft Cybersecurity and Threat Management – Microsoft provides automation and content detection tools.

Summary

These five key elements will help identify the most important assets in your business.

If you have any questions, please schedule a call or ask in the comments below…

Schedule Now