NIST CSF Series #5 – Identify: Risk Assessment


Function:   Identify  (ID)
Category: Risk Assessment (RA)

“The organization understands the cybersecurity risk to organization operations (including mission, functions, image, or reputation), organizational assets, and individuals.”

Much of the preceding Governance category revolves around appropriate policies and procedures that clearly spell out roles and responsibilities and the requirements to meet regulatory obligations.  The Risk Assessment category ties those policies to an overall risk management process in which cybersecurity risk is identified, analyzed, and acted upon alongside other organizational risks.

ID.RA-1:  Asset vulnerabilities are identified and documented.

The organization should have in place a method to test for vulnerabilities on critical assets.  This requires that the organization understands which systems are critical (the asset inventory and business impact analysis from earlier categories) and establishes a mechanism to mitigate or remediate the vulnerabilities that testing finds.

As security approaches mature, there is a growing movement toward a continuous monitoring strategy that maintains ongoing awareness of threats, vulnerabilities, and the state of information security to support risk management decisions.   Continuous monitoring implies that assessment and analysis of security controls, including vulnerability scanning, are performed at a frequency sufficient to support the decisions the organization needs to make, rather than as a one-time or annual exercise.

Penetration testing, used alongside automated scanning as part of the overall strategy to identify vulnerabilities on assets, can be a valuable tool in this endeavor: it exercises the conditions an attacker would actually encounter, including chained weaknesses a scanner reports only in isolation.

Audit Considerations

Auditors will determine whether vulnerability testing is conducted on a regular, periodic basis by requesting copies of vulnerability reports, visually inspecting the vulnerability tools in use, and reviewing evidence that the critical assets listed in the inventory are actually covered by the scans.

Applicable CIS Critical Controls:

CIS Control 4:   Continuous Vulnerability Assessment and Remediation

Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised.  For many, the challenge is scaling remediation across an entire enterprise and prioritizing actions when the fixes compete with other priorities and sometimes carry uncertain side effects.

An automated vulnerability scanning tool should be run on a regular basis (in many organizations this means weekly scans) and should deliver prioritized lists of the most critical vulnerabilities to those responsible for remediation.  A SCAP-validated vulnerability scanner that looks for both code-based vulnerabilities (such as those described by CVE entries) and configuration-based vulnerabilities should be used, so that weak settings are tracked and remediated through the same process as missing patches. 

ID.RA-2:  Threat and vulnerability information is received from information sharing forums and sources.

There are many sources, both free and paid, that are available to higher education institutions.   REN-ISAC membership has an active discussion board.  The MS-ISAC provides threat intelligence feeds through the Anomali platform.   US-CERT provides free alerts.  NSHE Information Security provides a weekly threat intelligence bulletin that continues to evolve.

Organizations should have some process in place to receive and disseminate threat and vulnerability information to those with responsibility to mitigate risks.

Audit Considerations

Auditors may determine if the organization is a member of or subscribes to a threat and vulnerability sharing organization.  They will also look for evidence that this information is shared with those who have authority and are accountable for managing information system resources.

ID.RA-3:  Threats, both internal and external, are identified and documented.

Organizations must consider internal and external threats and include risks from external parties such as service providers and contractors who operate information systems, and process or store information, on behalf of the organization.   Organizations should follow a consistent process for identifying current and new threats as well as documenting these threats in a manner that can be communicated to interested parties.

Audit Considerations

Auditors may examine previous risk assessments or other organizational documentation that defines threats to the organization's information and information systems.  They may also want to verify that a process is in place to actively monitor for and report potential threats to the organization.

ID.RA-4:  Potential business impacts and likelihoods are identified.

As with previous categories, the business impact analysis document and the categorization of information systems come into play.   A periodic analysis, with a documented report on the potential business impact to information systems and the likelihood of the threats that could cause it, fulfills this subcategory.

Audit Considerations

An auditor may look at previous risk assessments and business impact analyses to verify that the impact and likelihood of threats are identified and analyzed on a regular basis. 

ID.RA-5:  Threats, vulnerabilities, likelihoods, and impacts are used to determine risk.

This subcategory ties the preceding ones together: the routine examination of vulnerabilities (ID.RA-1), the threat information received and identified (ID.RA-2 and ID.RA-3), and the business impact analysis (ID.RA-4) are combined to determine the level of risk, which in turn drives the selection of controls sufficient to mitigate it.

Audit Considerations

Auditors may want verification that there is a process in place that identifies reasonably foreseeable internal and external threats and vulnerabilities.   Vulnerability scan results, risk assessments, and business impact analysis all come together in a process to mitigate risk. 
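As an added illustration, not part of the original series or of any institution's procedure, the following Python shows how the inputs described under ID.RA-1, ID.RA-2, ID.RA-4 and ID.RA-5 can be combined into the prioritized remediation list that CIS Control 4 calls for: scan findings are joined to the asset inventory for business impact, raised in likelihood when a shared threat feed reports active exploitation or the host is internet-facing, scored as likelihood times impact, and split into per-owner queues.  All asset names, finding identifiers, scores and the "actively exploited" set are constructed sample data, and the 1-to-5 scales and band thresholds are choices made for this example, not values from NIST or CIS.

```python
"""Combine scan findings, threat intelligence and BIA categorization into a
prioritized risk list (ID.RA-1, ID.RA-2, ID.RA-4, ID.RA-5).

All data below is constructed sample input, not output of any real scanner
or intelligence feed; scales, thresholds and field names are this example's own.
"""
from collections import defaultdict

# Impact weight (1-5) taken from the asset's BIA categorization.
IMPACT_WEIGHT = {"high": 5, "moderate": 3, "low": 1}

# Constructed asset inventory: BIA criticality, exposure and remediation owner.
ASSETS = {
    "srv-web-01": {"criticality": "high", "internet_facing": True, "owner": "web-team"},
    "srv-hr-db": {"criticality": "high", "internet_facing": False, "owner": "dba-team"},
    "wks-lab-17": {"criticality": "moderate", "internet_facing": False, "owner": "desktop-team"},
}

# Constructed scan findings. "code" = software flaw (the kind a CVE entry
# describes), "config" = weak configuration; both come out of the same scan.
FINDINGS = [
    {"id": "F-001", "asset": "srv-web-01", "cvss": 9.8, "kind": "code", "title": "Remote code execution in web framework"},
    {"id": "F-002", "asset": "srv-hr-db", "cvss": 7.5, "kind": "config", "title": "Database accepts unauthenticated connections"},
    {"id": "F-003", "asset": "wks-lab-17", "cvss": 9.8, "kind": "code", "title": "Remote code execution in web framework"},
    {"id": "F-004", "asset": "srv-web-01", "cvss": 4.3, "kind": "config", "title": "TLS 1.0 enabled"},
    {"id": "F-005", "asset": "srv-hr-db", "cvss": 5.3, "kind": "code", "title": "Information disclosure in backup agent"},
    {"id": "F-006", "asset": "unknown-host", "cvss": 8.0, "kind": "code", "title": "Outdated SSH service"},
]

# Constructed threat feed (the ID.RA-2 input): findings whose flaw a sharing
# partner reports as being actively exploited.
ACTIVELY_EXPLOITED = {"F-001", "F-003"}


def likelihood(finding, asset, exploited):
    """Likelihood 1-5 from the CVSS severity band, raised one step each for
    active exploitation and for an internet-facing host, capped at 5."""
    cvss = finding["cvss"]
    score = 1 if cvss < 4.0 else 2 if cvss < 7.0 else 3 if cvss < 9.0 else 4
    if exploited:
        score += 1
    if asset["internet_facing"]:
        score += 1
    return min(score, 5)


def rank(risk):
    """Map a 1-25 risk score onto the bands used to prioritize the response."""
    if risk >= 20:
        return "critical"
    if risk >= 12:
        return "high"
    if risk >= 6:
        return "moderate"
    return "low"


def assess(findings, assets, exploited_ids):
    """Return (ranked findings, ids of findings on hosts missing from inventory).

    risk = likelihood x impact.  A finding on a host the inventory does not
    know has no BIA impact to apply, so it is reported as an inventory gap
    (the ID.AM / audit concern) rather than silently scored or dropped."""
    ranked, unmatched = [], []
    for f in findings:
        asset = assets.get(f["asset"])
        if asset is None:
            unmatched.append(f["id"])
            continue
        lik = likelihood(f, asset, f["id"] in exploited_ids)
        imp = IMPACT_WEIGHT[asset["criticality"]]
        risk = lik * imp
        ranked.append({**f, "likelihood": lik, "impact": imp, "risk": risk,
                       "rank": rank(risk), "owner": asset["owner"]})
    # Highest risk first; ties broken by raw severity, then by finding id.
    ranked.sort(key=lambda r: (-r["risk"], -r["cvss"], r["id"]))
    return ranked, unmatched


def remediation_queue(ranked):
    """Group the ranked list by owner, keeping priority order within each
    queue, so every team receives only the items it is responsible for."""
    queue = defaultdict(list)
    for r in ranked:
        queue[r["owner"]].append(r["id"])
    return dict(queue)


if __name__ == "__main__":
    ranked, unmatched = assess(FINDINGS, ASSETS, ACTIVELY_EXPLOITED)
    for r in ranked:
        print(f"{r['id']} {r['rank']:8} risk={r['risk']:2} "
              f"(L{r['likelihood']} x I{r['impact']}) {r['asset']} -> {r['owner']}")
    print("findings on hosts not in inventory:", unmatched)
    print("queues:", remediation_queue(ranked))
```

Two points the sample data is built to show: the same 9.8 remote code execution lands at "critical" on the internet-facing high-impact web server but only "high" on the moderate-impact lab workstation, because impact from the business impact analysis, not raw CVSS, separates them; and a finding on a host absent from the inventory is surfaced as a gap instead of being scored, which is exactly the inventory-versus-scan-coverage evidence an auditor asks for under ID.RA-1.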

ID.RA-6:  Risk responses are identified and prioritized.

Does the organization have a plan of action with milestones for its security program?  Such a plan is likely tied to the organization's Target Profile, since both record which components of the security program are to be addressed, in what order, and by when, as risks continue to be identified and prioritized.

Audit Considerations

Auditors will ask for a risk management plan or other documentation that shows how the organization responds to risk levels it has identified.  This may include copies of responses to previous audits, risk assessments, or events that show findings and exceptions.