Understanding the Cybersecurity Framework (CSF) can prove a difficult task for professionals in the field. Whether it is an individual, new to the Cybersecurity and trying to understand the different road signs, or the established journeyman, coming to grips that lanes are now established in a realm that seemed to resemble the wild west – the CSF impacts everyone calling the field of Cybersecurity their career path. Therefore, it is important to understand the different categories and subcategories associated with the CSF. Comprehensive understanding of the affiliated groupings ensures that individuals working in Cybersecurity understand that Cyber isn’t just a willy-nilly, undefined realm of ones and zeroes, but a professional field that becomes more demarcated every day. Over the next several posts, the categories and subcategories will be analyzed in hopes of trying to make them more clear for the reader.
Within the first domain of the CSF, identify, lies the Asset Management Category. As the framework points out, this category ensures that the “data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.” This is a drawn out way to say: track your stuff. It’s very easy to lose track of items in the melee of the everyday work environment. Whether it is something as small as a usb drive or as large as a multi-blade server – inventory must always take place. The subcategories associated with Asset Management confirm these sentiments.
Each subcategory within Asset Management speaks to a different aspect of the concept as a whole. For example, ID.AM-1 covers the most common idea of management when it states that “[p]hysical devices and systems within the organization are inventoried.” Usually this can take the form of either a common list which correlates item with location or personnel or an advanced barcoding or RFID tracking capability. The CSF intentionally does not get so specific as to identify which method an organization should use, but does offer a few tips in the form of its informative references, such as NIST SP 800-53 Rev. 4, CM-8, which suggests that an organization develop an accurate system that inventories items at a specific level of granularity that the organization deems appropriate and that updates and reviews are conducted on a regular basis.
Another subcategory of the CSF applies the regular evaluation identified in ID.AM-1 to software. The CSF understands that typical physical inventories that comprise other fields does not encompass all of the needs of the Cybersecurity field. It is important that a regular evaluation of the software and applications that are utilized by a work force are inventoried and evaluated. The added bonus that isn’t often considered is that the inventory process also helps identify any potentially unapproved software that may have been installed by a workforce unaware of the importance of the software approval process.
ID.AM-3 takes another step in considering the non-traditional inventory aspects of the cyber workplace. Understanding that organizational communication is a method through which people (who are also assets) interact, the CSF identifies these interactions as pertinent to asset management. These communications between individuals are another form of data flowing between assets, however, in addition to digital communication, these can take the form as the oldest analog communications in the world: speech.
These are just two of the subcategories that help organizations conduct asset management efficiently. Over the next several weeks, additional blog posts will dissect and analyze the other subcategories that comprise the CSF, making these components more tangible for the reader to implement in their organization.