IDENTIFY
The Identify Function helps you determine the current cybersecurity risk to the business.
Actions to Consider
Understand
• Understand what assets your business relies upon by creating and maintaining an
inventory of hardware, software, systems, and services. (ID.AM-01/02/04)
Assess
• Assess your assets (IT and physical) for potential vulnerabilities. (ID.RA-01)
• Assess the effectiveness of the business's cybersecurity program to identify areas
that need improvement. (ID.IM-01)
Prioritize
• Prioritize inventorying and classifying your business data. (ID.AM-07)
• Prioritize documenting internal and external cybersecurity threats and associated
responses using a risk register. (ID.RA)
Communicate
• Communicate cybersecurity plans, policies, and best practices to all staff and
relevant third parties. (ID.IM-04)
• Communicate to staff the importance of identifying needed improvements to
cybersecurity risk management processes, procedures, and activities. (ID.IM)
Getting Started with Identifying Current Cybersecurity Risk to Your Business
Before you can protect your assets, you need to identify them. Then you can determine the
appropriate level of protection for each asset based upon its sensitivity and criticality to your
business mission. You can use this sample table to get started on your information technology (IT)
asset inventory. As your business matures, you might consider using an automated asset inventory
solution or a managed security service provider to help you manage all your business assets.
Software/hardware/system/service | Asset's official use: | Asset administrator or owner: | Identify sensitive data the asset has access to: | Is multi-factor authentication required to access this asset? | Risk to business if we lose access to this asset
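Once the sample table is filled in, it can be checked for gaps automatically. The following Python sketch is an added example, not part of the original guide: it assumes the inventory is kept as CSV with the table's six columns, and the column names, the high/medium/low risk scale, the sample rows, and the rule that sensitive data without multi-factor authentication is a gap are all assumptions made for illustration.

```python
import csv
import io

# Column names are assumptions that mirror the six headings of the sample table.
COLUMNS = ["asset", "official_use", "owner", "sensitive_data", "mfa_required", "risk_if_lost"]
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}  # assumed three-level scale

# Constructed sample inventory (not real data).
SAMPLE_CSV = """asset,official_use,owner,sensitive_data,mfa_required,risk_if_lost
Payroll SaaS,Employee pay,J. Rivera,"SSNs, bank accounts",no,high
Office file server,Shared documents,,Customer contracts,yes,medium
Lobby display PC,Signage,A. Chen,none,no,low
Email service,Business email,A. Chen,Customer correspondence,yes,high
Old CRM,,J. Rivera,Customer contact list,,severe
"""

def review_inventory(text):
    """Return (asset, [gaps]) pairs; unrated assets first, then highest risk."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"inventory is missing columns: {missing}")
    findings = []
    for row in reader:
        row = {k: (v or "").strip() for k, v in row.items() if k in COLUMNS}
        gaps = []
        if not row["owner"]:
            gaps.append("no administrator or owner recorded")
        if not row["official_use"]:
            gaps.append("no official use recorded")
        risk = row["risk_if_lost"].lower()
        if risk not in RISK_ORDER:
            gaps.append(f"risk rating {row['risk_if_lost']!r} is not high/medium/low")
        sensitive = row["sensitive_data"].lower() not in ("", "none", "n/a")
        mfa = row["mfa_required"].lower()
        if mfa not in ("yes", "no"):
            gaps.append("MFA requirement not answered")
        elif sensitive and mfa == "no":
            gaps.append("holds sensitive data but MFA is not required")
        if gaps:
            # Rank -1 puts assets with an unknown risk rating ahead of "high".
            findings.append((RISK_ORDER.get(risk, -1), row["asset"], gaps))
    findings.sort(key=lambda f: (f[0], f[1]))
    return [(asset, gaps) for _, asset, gaps in findings]

if __name__ == "__main__":
    for asset, gaps in review_inventory(SAMPLE_CSV):
        print(f"{asset}: " + "; ".join(gaps))
```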
Technical Deep Dive:
Integrating Cybersecurity and Enterprise Risk Management
Questions to Consider
• What are our most critical business assets (data, hardware, software, systems, facilities,
services, people, etc.) we need to protect?
• What are the cybersecurity and privacy risks associated with each asset?
• What technologies or services are personnel using to accomplish their work? Are these
services or technologies secure and approved for use?
Related Resources
• NIST Risk Register Template
• Take Stock. Know What Sensitive Information You Have
• Evaluating Your Operational Resilience and Cybersecurity Practices