Co-authored by Ken Durbin, CISSP and Kevin McPeak, CISSP, ITILv3
(Continued from part three in our series on Canada's Digital Privacy Act, where we were discussing how NIST CSF can be tailored to assess against a specific requirement like the DPA.)
We are now going to focus on the Identify Function of the CSF. As we learned in the previous blog, the CSF Core is made up of the “Identify, Protect, Detect, Respond, and Recover” Functions. Each is divided into Categories, Subcategories, and Informative References.
Identify is divided into 5 Categories and 24 Subcategories, thus allowing an organization to get very granular in their assessment against this Function. There are too many Subcategories to cover in this series, so we’ll only focus on the 5 Categories. A detailed listing of all Functions, Categories, and Subcategories can be found in Appendix A of the NIST CSF Document (https://www.nist.gov/document-3766).
What is the purpose of the Identify Function? There’s a saying in cybersecurity: “You can’t protect what you can’t see.” This helps explain why Identify is the first Core Function. You have to know what you are trying to protect. Identify helps you discover all hardware and software assets, but it doesn’t stop there. It also covers nonphysical elements: your business/mission context, the resources that support it, and your understanding of risk. As such, Identify is divided into the following Categories:
- Asset Management: Identify data, personnel, devices, systems, and facilities
- Business Environment: Identify and prioritize an organization’s mission, objectives, stakeholders, and activities
- Governance: Identify policies, procedures, and processes to manage and monitor regulatory, legal, risk, environmental, and operational requirements
- Risk Assessment: Identify the cybersecurity risk to organizational operations
- Risk Management Strategy: Identify the priorities, constraints, risk tolerances, and assumptions used to make risk-based decisions
Identify and the Digital Privacy Act:
In 2017, the Digital Privacy Act (DPA) will go into effect. The intent of the DPA is to encourage Canadian organizations to properly safeguard any private data they collect. Canadian organizations will be required to:
- Report any security breach involving private information to Canada’s Privacy Commissioner if it is “deemed to create real risk of significant harm”
- Notify all affected individuals “as soon as feasible”
- Maintain records of all security breaches
Canadian organizations can use the CSF to assess their cybersecurity knowledge, technical capability, and readiness to meet the DPA’s legal requirements and avoid the negative consequences of non-compliance.
If we look specifically at the Identify Function, we can see several potential ways it helps assess against the DPA. I use “potential” because it’s up to each organization to determine which Categories and Subcategories are important to their business needs. Some examples:
- Asset Management: If you don’t know where data is stored and which assets are involved, how will you know if there’s a breach? An improved Asset Management solution may be needed
- Governance: This is the Category that ensures an organization understands DPA and its requirements
- Risk Management Strategy: Do you know your tolerance for Risk as it pertains to DPA? Is there a process in place to manage that risk?
Taking the time to review each Identify subcategory to determine if it will help you comply with DPA will create a “DPA Current Profile.” A Risk Assessment against those Subcategories will create a “DPA Target Profile,” which can then be used to guide your efforts to comply with the Identify components of DPA.
Up next…the Protect Core Function of the CSF.
For more information on how to prepare for DPA, please visit: go.symantec.com/ca/dpa