All Cyber Security Frameworks (CSFs) have their roots in Risk Management Frameworks (RMFs), and all begin with an “Identify” phase. This is when the organization gathers information about the essential services the organization provides and hypothesizes how damage, which is calculated by a loss in either Confidentiality, Integrity, or Availability may be encountered and avoided, or otherwise managed by the organization in line with governance objectives, which are also part of the identify stage.
The risks identified during this phase shape the decisions and controls the organization implements. Therefore, unidentified risks and blindspots in risk assessment pose the most danger to organizations because they are totally unprepared and out of their control.
In implementing a CSF, the organization must have high confidence levels in its “identify” phase to ensure the minimal potential for risk blindspots that would negate the desired effect and purpose of implementing a CSF. Gathering information about the assets that compromise the provision of the essential service is the first step in preparing the organization’s risk assessment; it is the first step, but it is also a vital step as it shapes the decisions and direction of the organization.
Having a high level of confidence in this first step can be determined by a maturity curve in discovering and identifying all the assets in the organization’s estate. Basic capabilities in asset discovery are often manual processes and static lists, such as an annual asset audit conducted by a few individuals who record the findings in a spreadsheet, moving along the capability curve, the next stage and the most common level of maturity, is a mix of spreadsheet lists with active scans of specified network ranges recording the responses from assets occupying those IP ranges. Unfortunately, neither of these capability levels empower a comprehensive and diligent risk assessment as part of a cyber Security Framework implementation.
Often the driving force behind an organization looking to implement a CSF is some form of regulation or legislation, which at its core seeks to increase the level of cyber resilience in its purview by advocating appropriate and proportionate security controls which the CSF itself has interpreted.
If an organization considers that it is appropriate and proportionate to discover devices in mission-critical and environments where public safety is at stake, without increasing the risk to the organization during the process of discovery, or if the organization believes that they may be a target for sophisticated threats, such as ransomware or even nation state-level actors, then they may consider that a passive asset discovery method that operates in real-time to catalog the digital estate regardless of preexisting beliefs in what the extent of the estate might be, and without increasing the potential for negative consequences a more appropriate and proportionate approach to building their risk assessment.
A continuously optimized passive approach to asset discovery and management is considered the state-of-the-art methodology for the Identify stage in a Cyber Security Framework because of the high levels of confidence and certainty into the secondary risk assessment phase.