NIST CSF Series #2 – Identify: Asset Management

Identify Asset Management

Function:   Identify  (ID)
Category:  Asset Management  (AM)

“The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.”


ID.AM-1:  Physical devices and systems within the organization are inventoried  

ID.AM-2:  Software platforms and applications within the organization are inventoried.

These two sub-categories are often assessed together, as both ask whether the organization has developed and documented an inventory of information system components that:

–  Reflects current information systems;
–  Includes all components within the control of the organization;
–  Is granular enough for tracking and reporting; and
–  Records the component details deemed necessary for effective accountability of information systems, which may include:
–  Hardware inventory specifics
–  Software license information
–  Software version numbers
–  Component owners and who is accountable for the information system (hardware and software)
–  Machine names and network addresses

This can be accomplished in a number of different ways depending on the maturity, resources, and capabilities of the organization.   Inventories should be maintained in a manner reasonable to the organization’s capabilities.

In some cases, this might be done through a centralized system that automatically collects component data from all information systems on a periodic basis.  For organizations that cannot implement an automated, centralized inventory, the inventory might be kept in a spreadsheet that is updated manually as information systems change.  Whatever the method, the inventory is only useful if it is periodically compared against what is actually observed on the network and on endpoints; an inventory that is never reconciled drifts from reality.

Audit Considerations

Auditors may request a copy of your current inventories and review them for scope, completeness, collection process, and frequency of review.

Applicable CIS Critical Controls:

CIS Control 1:   Inventory of Authorized & Unauthorized Devices

Without an understanding of what devices and data are connected, they cannot be defended.  The inventory process should be as comprehensive as possible, and scanners (both active and passive) that can detect devices are the place to start.  The initial goal of CIS Control 1 is not to prevent attackers from joining the network, as much as it is to understand what is on the network so it can be defended.

CIS Control 2:  Inventory of Authorized & Unauthorized Software

While an inventory of software is important, application whitelisting (allowlisting) is a crucial part of this process, as it limits the ability to run applications to only those which are explicitly approved.  This often requires organizations to reconsider their policies and culture: users will no longer be able to install software whenever and wherever they like.  While not a silver bullet, this CIS Control is often considered one of the most effective at preventing and detecting cyberattacks.
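The reconciliation step that ID.AM-1, ID.AM-2 and CIS Controls 1 and 2 all depend on can be illustrated with a short script.  The following is an added example, not code from the original page or from NIST or CIS: it compares a hypothetical authorized device inventory (as a CMDB or spreadsheet would export it) against the hosts seen by a network scan, and compares each host's reported installed software against an allowlist.  All hostnames, MAC addresses, IP addresses, package names and the CSV/dictionary formats are constructed for the example.

```python
"""Reconcile an authorized asset inventory against what is actually observed.

Constructed sample data stands in for a CMDB/spreadsheet export, the output
of a network scanner, and per-host reports from an endpoint software agent.
"""
import csv
import io

# Constructed sample: the "authorized" hardware inventory export (hypothetical hosts/MACs).
AUTHORIZED_DEVICES_CSV = """hostname,mac,ip,owner
fs01,00:11:22:33:44:01,10.0.1.10,IT Ops
ws-alice,00:11:22:33:44:02,10.0.2.21,Alice
ws-bob,00:11:22:33:44:03,10.0.2.22,Bob
printer-2f,00:11:22:33:44:04,10.0.3.5,Facilities
"""

# Constructed sample: hosts found by an active scan (e.g. an ARP/ping sweep).
SCAN_RESULTS = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.1.10"},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.2.21"},
    {"mac": "00:11:22:33:44:99", "ip": "10.0.2.77"},   # on the wire, not in the inventory
    {"mac": "00:11:22:33:44:04", "ip": "10.0.3.6"},    # known printer, but its IP changed
]

# Constructed sample: the software allowlist and what an endpoint agent reports per host.
ALLOWED_SOFTWARE = {"openssh-server", "libreoffice", "firefox"}
INSTALLED_SOFTWARE = {
    "fs01": {"openssh-server": "9.6", "samba": "4.19"},
    "ws-alice": {"firefox": "124.0", "libreoffice": "7.6"},
    "ws-bob": {"firefox": "124.0", "torrent-client": "1.2"},
}


def load_inventory(csv_text):
    """Parse the inventory export into a dict keyed by lower-cased MAC address."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["mac"].lower(): row for row in rows}


def reconcile_devices(inventory, scan):
    """Return (unauthorized, unseen, moved).

    unauthorized: MACs seen on the network that are not in the inventory.
    unseen:       inventoried MACs the scan did not find (stale record or host offline).
    moved:        (hostname, inventoried_ip, observed_ip) where a known MAC has a new IP.
    """
    seen = {host["mac"].lower(): host["ip"] for host in scan}
    known = set(inventory)
    unauthorized = sorted(set(seen) - known)
    unseen = sorted(known - set(seen))
    moved = sorted(
        (inventory[mac]["hostname"], inventory[mac]["ip"], seen[mac])
        for mac in known & set(seen)
        if inventory[mac]["ip"] != seen[mac]
    )
    return unauthorized, unseen, moved


def reconcile_software(allowed, installed):
    """Return {hostname: sorted packages not on the allowlist} for hosts with findings."""
    findings = {}
    for host, packages in installed.items():
        extra = sorted(set(packages) - allowed)
        if extra:
            findings[host] = extra
    return findings


def audit_report(csv_text, scan, allowed, installed):
    """Combine both reconciliations into one report an auditor could be shown."""
    inventory = load_inventory(csv_text)
    unauthorized, unseen, moved = reconcile_devices(inventory, scan)
    return {
        "unauthorized_devices": unauthorized,
        "unseen_devices": [inventory[mac]["hostname"] for mac in unseen],
        "moved_devices": moved,
        "unauthorized_software": reconcile_software(allowed, installed),
    }


if __name__ == "__main__":
    report = audit_report(AUTHORIZED_DEVICES_CSV, SCAN_RESULTS,
                          ALLOWED_SOFTWARE, INSTALLED_SOFTWARE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Keying on MAC address rather than IP is deliberate: an IP is reassigned far more often than a hardware address, so the "moved" list flags inventory records that have gone stale without raising a false "unauthorized device" alarm.  Each of the four findings lists maps to something an auditor asks about: scope (unauthorized devices), completeness (unseen and moved devices), and whether the software allowlist is actually enforced.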

ID.AM-3:  Organizational communication and data flows are mapped.

This sub-category concerns the control of information as it travels within an information system and between information systems, as opposed to who is allowed to access the information.  Understanding and documenting the data types involved, how that data flows inside and outside your organization, the policies that govern those flows, and how those policies are enforced is the intent of this control.

Organizations commonly employ boundary mechanisms such as firewalls, gateways, and routers, as well as employing configuration settings that restrict information services available on information systems.  The ability to block and/or alert based on policy fits within the enforcement mechanism here.
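A documented data-flow map is only trustworthy if it is checked against the flows the boundary devices actually permit.  The following added example (not code from the original page, and not any vendor's log format) derives an observed zone-to-zone flow map from constructed firewall log lines and compares it against a hypothetical documented flow set from a DFD.  The zone networks, the documented flows and the `key=value` log lines are all assumptions made for the example.

```python
"""Derive observed communication flows from firewall log lines and compare them
against the documented data-flow map.

The zone map, the documented flows and the log lines are constructed for this example.
"""
import ipaddress
import re

# Constructed zone map: which network each zone in the DFD covers.
ZONES = {
    "workstations": ipaddress.ip_network("10.0.2.0/24"),
    "servers": ipaddress.ip_network("10.0.1.0/24"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# Constructed documented flows from the DFD: (source zone, destination zone, protocol, port).
DOCUMENTED_FLOWS = {
    ("workstations", "servers", "tcp", 445),
    ("workstations", "dmz", "tcp", 443),
    ("dmz", "internet", "tcp", 443),
    ("workstations", "internet", "tcp", 443),
}

# Constructed log lines in a simple key=value layout (hypothetical, not a real vendor format).
LOG_LINES = """\
2024-03-01T08:00:01Z action=allow src=10.0.2.21 dst=10.0.1.10 proto=tcp dport=445
2024-03-01T08:00:02Z action=allow src=10.0.2.22 dst=192.168.100.8 proto=tcp dport=443
2024-03-01T08:00:03Z action=allow src=192.168.100.8 dst=203.0.113.5 proto=tcp dport=443
2024-03-01T08:00:04Z action=allow src=10.0.1.10 dst=203.0.113.9 proto=tcp dport=22
2024-03-01T08:00:05Z action=deny src=10.0.2.22 dst=10.0.1.10 proto=tcp dport=3389
2024-03-01T08:00:06Z action=allow src=10.0.2.21 dst=10.0.1.10 proto=tcp dport=445
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def zone_of(ip_text):
    """Map an address to its zone; anything outside the defined networks is 'internet'."""
    ip = ipaddress.ip_address(ip_text)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def observed_flows(log_text):
    """Return {(src_zone, dst_zone, proto, dport): count} for permitted connections."""
    flows = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "allow":
            continue  # blocked attempts are policy working, not a data flow to document
        flow = (zone_of(m["src"]), zone_of(m["dst"]), m["proto"], int(m["dport"]))
        flows[flow] = flows.get(flow, 0) + 1
    return flows


def compare_to_map(observed, documented):
    """Flows that occur but are not in the DFD, and documented flows never observed."""
    seen = set(observed)
    undocumented = sorted(seen - documented)
    unobserved = sorted(documented - seen)
    return undocumented, unobserved


if __name__ == "__main__":
    flows = observed_flows(LOG_LINES)
    undocumented, unobserved = compare_to_map(flows, DOCUMENTED_FLOWS)
    print("undocumented flows (fix the map or the firewall):", undocumented)
    print("documented but never observed (stale map?):", unobserved)
```

Both output lists matter to an auditor.  An undocumented-but-permitted flow (here, a server reaching the internet on port 22) means either the diagram or the boundary rule set is wrong; a documented flow that never appears may be a stale diagram or a rule that is no longer needed and should be removed under least privilege.  Denied lines are deliberately skipped when building the map, since they show enforcement rather than an actual flow.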

Audit Considerations

Auditors may want to see accurate and current diagrams that show organizational communication and data flow.  These can be data flow diagrams (DFDs), logical network diagrams, and other types of diagram that demonstrate knowledge of how data flows inside and outside the organization.

Applicable CIS Critical Controls:

CIS Control 1:   Inventory of Authorized & Unauthorized Devices

Without an understanding of what devices and data are connected, they cannot be defended.  The inventory process should be as comprehensive as possible, and scanners (both active and passive) that can detect devices are the place to start.  The initial goal of CIS Control 1 is not to prevent attackers from joining the network, as much as it is to understand what is on the network, so it can be defended.

ID.AM-4:  External information systems are cataloged.

This sub-category checks that the organization has established terms and conditions with outside organizations where its information may be stored or processed.   This could include personally owned information systems (smart phones, notebook computers, etc.), or systems owned and/or controlled by external organizations, such as “cloud” computing services.

Audit Considerations

If the organization relies on information systems hosted by third parties, auditors may want to understand the scope of these external systems and the controls surrounding sensitive information or information critical to the organization.


ID.AM-5:  Resources (e.g. hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value.

Identifying the business criticality of information systems is necessary not just for protecting data but for appropriate contingency planning as well.  Information and information systems should be categorized in accordance with applicable laws and classification standards, and the resulting designations should be reviewed periodically.   A business impact analysis may be a component of this sub-category, as identifying adverse impacts to information assets based on criticality is a key part of such an effort.

This should also extend to criticality of the supply chain in business continuity and disaster recovery planning.

Audit Considerations

Auditors may want to obtain a copy of the organization’s data classification standard or program and review documentation to determine if key resources are classified and prioritized based on criticality and value.

ID.AM-6:  Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g. suppliers, customers, partners) are established. 

The organization should define the roles and responsibilities of the cybersecurity function, of employees, and of contractors and consultants who may access information and information systems.

These roles and responsibilities should be documented in policy and procedures.

Audit Considerations

Auditors may review organization cybersecurity policies, job descriptions, agreements, RACI charts, service level agreements, and/or contracts to determine if they include cybersecurity roles and responsibilities.