Function: Identify (ID)
Category: Business Environment (BE)
“The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.”
Many of the subcategories can be tied into a well-developed business continuity and disaster recovery plan. There are many tools and templates available to help with this. The Business Environment category addresses not just internal systems but that an organization is considering external constraints and risks associated with the supply chain. Prioritizing based on criticality is often developed by performing a Business Impact Analysis.
ID.BE-1: The organization’s role in the supply chain is identified and communicated.
Organizations should consider supply chain risk with respect to information systems and system components and their role in the supply chain. Documenting the acquisition/procurement process, suppliers and their relationship to critical information systems is needed.
This should fall into an overall business continuity plan. A business impact analysis done on a regular basis (e.g. annually) may help provide insight into the critical systems that require a clear supply chain management process.
Audit Considerations
Auditors may request a copy of business continuity plan, information system acquisition procedures, business impact analysis, or other evidence that shows a clearly defined role in the supply chain.
ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated.
This particular process needs to be looked at from the perspective of critical infrastructure and how it impacts NSHE, campus, students, etc. A critical infrastructure plan that identifies prioritized information systems and key resources required to operate and/or restore operations for these systems should be developed.
Audit Considerations
Auditors want to see documentation or evidence that demonstrates an understanding of critical systems and resources required to operate and/or recover services.
ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated.
Information protection needs are technology-independent and derived from the mission/business needs defined by the organization. Understanding the business requirements allows the organization to apply appropriate controls.
This also requires the identification of critical information system components and functions of key resources. This applies not just to internal resources but crucial supply chain needs.
Audit Considerations
Auditors may want to ensure that an organization has clearly defined mission statements and objectives and that information technology and security plans are documented that defines goals and are mapped to the broader organizational goals.
ID.BE-4: Dependencies and critical functions for delivery of critical services are established.
This area requires a business continuity and disaster recovery plan that is updated and establishes processes and procedures for critical systems. This will include power equipment and cabling, not just servers and network equipment. Is there emergency power provided for short-term outages?
Audit Considerations
Auditors will want to examine a business continuity and disaster recovery plan to support the resilience of critical services. This may include wanting to see a Business Impact Analysis of critical systems.
An auditor may also include a review to ensure the resilience requirements associated with critical third-party services as well as that the organization has identified power needs in addition to information system components.
ID.BE-5: Resilience requirements to support delivery of critical services are established.
This is all tied together with a business continuity and disaster recovery plan. A supporting Business Impact Analysis that assists with prioritizing information systems based on criticality may also be important to demonstrate this.
Audit Considerations
The auditor will again look toward an organization’s disaster recovery plan and business continuity plan to demonstrate due diligence and supporting resilience of critical services.