Our CISO 360 Cyber Risk Control intervention and diagnosis plan covers a series of controls allowing organizations of all sizes, regardless of their IT budget, to have a clear and neutral image of their security posture. This will allow them to prioritize their interventions and budgets according to the acceptable risks for the organization.
Did you know that it is possible to group cybersecurity controls under different themes or families of controls? NIST’s five functions (identify, protect, detect, respond, recover) are a great way to categorize topics in a logical and understandable way. As part of our cybersecurity guide for managers, for this second article we discuss the “Identify” function.
To set up an effective cybersecurity program, we must first know what we have to protect! This is the very essence of the “Identify” function. Understanding your organization’s information assets is the cornerstone of your cybersecurity program. Beyond knowing which assets must be protected, it is essential to know their impact on your organization: where are your sensitive data and personal information, and what is their value to your organization? This makes it possible to prioritize efforts, both financial and human, within the strategy to be put in place. By prioritizing efforts, we make sure to put the energy where it counts. We can also develop a response and succession plan oriented toward the level of risk the organization finds acceptable.
As part of the first article, “A CyberRisk control approach based on a financial control model”, I referred to the similarities between a financial control and a CyberRisk control. For example, a chart of accounts is used to understand financial data and facilitates analysis according to a grouping of assets and liabilities that must be measurable. These elements of your chart of accounts serve as management indicators throughout your operations. In a cybersecurity context, the “Identify” function is the equivalent: it lets you know what to monitor and what is important for your organization.
What are the key elements of this function?
• Asset Management – Know all your assets, such as data centers, cloud environments, servers, network equipment, computers, and the data that is essential to your operations;
• Business environment – What are the operational use cases to execute your mission, and who are the stakeholders?
• Governance – Identify all policies and procedures to manage your risks according to regulatory, environmental, operational, and legal aspects;
• Risk Assessment – Assess the operational risks and impacts to your organization in the event of system unavailability, and categorize assets according to their criticality;
• Risk Management Strategy – Policies and procedures for identifying risks, assessing them, and determining your tolerance.
A cybersecurity program must be dynamic. The “Identify” function must be scalable and adapt to changes in your organization. You must remain constantly vigilant and keep this primary function of your cybersecurity program up to date. For example, with regard to personal information and in compliance with the new Law 25 on the protection of personal information, it is important to know where the data comes from, its life cycle, and where it is stored. The introduction of new business cases can change the life cycle of data, and the data mapping must then be updated to remain compliant with the law.
We frequently observe in our interventions with customers that organizations favor penetration tests before setting up a coherent cybersecurity program. Yet it is the analysis of the inventory, the identification of the risks, and a prioritization according to organizational criticality that make it possible to better define where the effort should go.
We recommend the definition of a program adapted to your organization in each of the five functions of cybersecurity. Essentially, the biggest risk facing organizations is not knowing what needs to be protected!
Our IT executive resources and cyber risk management team have all the expertise needed to help you better understand your current cybersecurity posture. In addition, they will guide you with recommendations adapted to your organization.
If you want to react to this article or obtain more information, do not hesitate to contact Eficio.
All the articles in our series can be read via the following links: