- ID:
This column contains the ID of the category being described and its connection with that particular function. e.g. Function: 'ID' points to the category "AM (Asset Management)", leading to the ID of that category being "ID.AM".
- CATEGORY:
This column describes the key focus of the organization in that particular category. e.g. For the category 'ID.AM', "Asset Management" is the key area of focus.
- METHODOLOGY:
Describes the methods and considerations the organization should carry out its risk assessment pertinet to the category being considered. e.g ID.AM describes the list of assets to be identified.
- SUB CATEGORY ID:
List the various sub-categories related to that specific category. e.g ID.AM (category) --> ID.AM-1, ID.AM-2, ID.AM-3, ID.AM-4, ID.AM-5, ID.AM-7, ID.AM-8(Sub-Category).
- SUB CATEGORY DESCRIPTION:
This column describes each sub-category 'ID' e.g. ID.AM-1 has its own description, which is different from ID.AM-2.
- SUB CATEGORY MODIFICATIONS:
This column, contains the sub-category that "WITHDRAWN", The sub category, that was "NEWLY ADDED OR INTRODUCED" and where the withdrawn category was "MOVED TO".
IDENTIFY focuses on the understanding of the organization's current cybersecurity risk.
Below is listed the various Sub-categories of the "Identify Function" in planning your organization's risk assessment for its critical infrastructures.
ID.BE-->GV.OC, ID.GV-->GV, ID.RM-->GV.RM, ID.SC-->GV.SC.
ID.BE: ID.BE-1,ID.BE-2, ID.BE-3, ID.BE-4, ID.BE-5.
ID.GV: ID.GV-1,ID.GV-2, ID.GV-3, ID.GV-4.
ID.RM: ID.RM-1,ID.RM-2, ID.RM-3.
ID.SC: ID.SC-1,ID.SC-2, ID.SC-3, ID.SC-4, ID.SC-5.
ID.BE:
(ID.BE-1)-->(GV.OC-5),(ID.BE-2)-->(GV.OC-1), (ID.BE-3)-->(GV.OC-1), (ID.BE-4)-->(GV.OC-4 & GV.OC-5), (ID.BE-5)-->(GV.OC-4).
ID.GV:
(ID.GV-1)-->(GV.PO,GV.PO-1 & GV.PO-2),(ID.GV-2)-->(GV.OC-2 & GV.RR-2), (ID.GV-3)-->(GV.OC-3), (ID.GV-4)-->(GV.RM-4).
ID.RM:
(ID.RM-1)-->(GV.RM-1,GV.RM-6 & GV.RR-3),(ID.RM-2)-->(GV.RM-2 & GV.RM-4), (ID.RM-3)-->(GV.RM-2).
ID.SC:
(ID.SC-1)-->(GV.RM-5,GV.SC-1,GV.SC-6,GV.SC-9 & GV.SC-10),(ID.SC-2)-->(GV.OC-2,GV.SC-3,GV.SC-4,GV.SC-7 & ID.RA-10), (ID.SC-3)-->(GV.SC-5), (ID.SC-4)-->(GV.SC-7,ID.RA-10), (ID.SC-5)-->(GV.SC-8 & ID.IM-2).
| ID | CATEGORY | METHODOLOGY | SUB CATEGORY ID | SUB CATEGORY DESCRIPTION | SUB CATEGORY MODIFICATIONS |
| ID.AM | Asset Management | The list of Assets That Needs to Be Identify Includes:
Data, personnel, staff, team members, executives, devices, systems, and facilities. That helps the organization in achieving their business purposes, and are managed consistently in accordance to the business objectives and the organizations risk strategy. |
ID.AM-1, ID.AM-2, ID.AM-3, ID.AM-4, ID.AM-5, ID.AM-7, ID.AM-8 |
ID.AM-1: Take inventory of physical devices and systems (Hardware) within the organization. ID.AM-2: Take inventory of (manage) all softwares, platforms(services) and applications within the organization. ID.AM-3: Map the organization's authorized network communication, both internal and external network data flow. ID.AM-4: Take inventories of services provided by supplier. ID.AM-5: Priortizing and classifying resources (Hardware devices, Softwares, data), based on their criticality, and impact on business. ID.AM-7: Identifying and catologue data, and corresponding metadata for designated data types. ID.AM-8: Systems, hardware, software, services, are maintained and managed throughout their life cycles. |
WITHDRAWN ID.AM-6 NEWLY ADDED ID.AM-7, IDM.AM-8 MOVED TO GV.RR-2, GV.SC-2 |
| ID.RA | Risk Assessment. | Identify and Assessing Risk:
Ensuring that the organization has a clear understanding of the Cybersecurity risk, and how it affects their operations (including reputation, mission, and functions), individuals, and the organizations assets at large. |
ID.RA-1, ID.RA-2, ID.RA-3, ID.RA-4, ID.RA-5, ID.RA-6, ID.RA-7, ID.RA-8, ID.RA-9, ID.RA-10. |
ID.RA-1: Identifying and documentation of all vulnerabilities in the organizations Assets. ID.RA-2: Threat intelligence, and vulnerabilities information are discovered from online forums, social networking apps, and other relevant sources. ID.RA-3: Both Internal and External threats targeting the organization, are Identified and documented. ID.RA-4: All potential impacts and likelihood of threats exploiting vulnerabilities in the organizations are identified and documented. ID.RA-5: Threats, vulnerabilities,likelihoods, and impacts are used to understand to identify data risk, and appropriate response to risk. ID.RA-6: Risk responses are chosen, prioritized, planned, tracked, and communicated. ID.RA-7: Managing changes and exceptions of accessed risk impact, and ensure they are documented and tracked. ID.RA-8: Establishing the processes by which vulnerabilities disclosures are recieved, analyzed, and responded responded to. ID.RA-9: The authenticity and integrity of both hardware and software are assessed before they are acquired and used. ID.RA-10: Critical suppliers are assessed prior to acquisition. |
WITHDRAWN (N/A) NEWLY ADDED ID.RA-7, ID.RA-8, ID.RA-9, ID.RA-10. MOVED TO (N/A) |
| ID.IM | Improvements | Improving Risk Management Across All Cybersecurity Framework Functions:
Ways on improving the organizations cybersecurity risk management process, procedures, and activities are to be identified across all CyberSecurity Framework (CSF) Functions. |
ID.IM-1, ID.IM-2, ID.IM-3, ID.IM-4 |
ID.IM-1: Improvements are to be identified from evaluations. ID.IM-2: Ways on improving the organizations cybersecurity risk management are identified from security tests and exercises, including those done in coordination with suppliers and relevant third parties. ID.IM-3: Improvements are identified from execution of operational processes, procedures, and activities. ID.IM-4: The organizations cybersecurity plan, incident response plan, and other relevant plans, which impacts the business operation of the organization are to be established, communicated, maintained, and improved. | WITHDRAWN (N/A) NEWLY ADDED (N/A) MOVED TO (N/A) |