NIST CSF Series #4 – Identify: Governance

Identify - Governance

Function:   Identify  (ID)
Category:  Governance  (GV)

“The policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.”

Much of the governance category revolves around appropriate policies and procedures that clearly spell out roles and responsibilities and requirements to meet regulatory obligations.  This also ties in with an overall risk management process where cybersecurity is included.


ID.GV-1:  Organizational information security policy is established.

Policy covers many, if not all, identified families of information security controls outlined in the NIST 800-53 standards.  In addition to setting the organizational requirements, the policy should include provisions for periodic review and updating as well as a mechanism to communicate policy to faculty, staff, and students.   Policies may be consolidated in a single document or compilations of documents at the discretion of the organization.

There are a number of policy templates available through EDUCAUSE or other institutions.  The NSHE Information Security Operations Procedures and Guidelines manual will also list key areas to address through policy.

Audit Considerations

Auditors will likely obtain a copy of the information security policy and determine its completeness and the approval process it went through.  They will also examine it for review and updating as well as how it is communicated to employees.


ID.GV-2:  Information security roles & responsibilities are coordinated and aligned with internal roles and external parties.

Identification and assignment of roles, responsibilities, management commitment, and coordination among other organizational units can be defined within policy or interdepartmental operational level agreements.  A senior official with responsibility and accountability for risk and for management of an information security program should be defined.

Additionally, organizations should establish requirements related to security roles and responsibilities for third-party providers (e.g. consultants, contractors, vendors), especially when such requirements are different from policy for employees.

Audit Considerations

Auditors will ask for evidence that information security roles and responsibilities are defined whether they be in policy, job descriptions, agreements, RACI charts, hierarch charts and/or contracts.  The review must show sufficient independence between security roles to allow for appropriate separation of duties for critical functions.


ID.GV-3:  Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.

The institution cybersecurity program should map to legal and regulatory requirements.  Using the Cybersecurity framework as a foundational document helps in this regard.  Maintain the results and responses to any audit or security review performed for your organization.

As regulations may change or be updated, it’s important to have some method to monitor and review changes in cybersecurity laws and regulations.

Audit Considerations

Most auditors understand the relevant legal and regulatory requirements for higher education institutions and will verify that cybersecurity programs are designed to satisfy those requirements.  They may review previous audits and security reviews and ask for evidence of a formalized process to monitor and review changes in laws and regulations.


ID.GV-4:  Governance and risk management processes address cybersecurity risk.

Information security must be engaged with risk management and be included in organization-wide risk management strategies as one of several risks a higher education institution faces.  Information protection needs are technology-independent and required capabilities needed to counter threat to organizations from individuals, nation states and organized criminals.

Audit Considerations

An auditor may want to see the level of business oversight and documented cybersecurity program that addresses:

  • Risk Management
  • Governance Structures
  • Security Oversight
  • Training
  • Accountability
  • Reporting