| Asset Management (ID.AM) |
| Business Environment (ID.BE) |
| Governance (ID.GV) |
| Risk Assessment (ID.RA) |
| Risk Management Strategy (ID.RM) |
| Supply Chain Risk Management (ID.SC) |
There are several very good sources of information on the first NIST CF Function – Identify so i won’t go over what has been described before elsewhere. I do find that the best diagrams that show the framework are those that represent it in a cyclical format. It is the starting point so that the organisation and Asset types and groups (people, process, services, technologies) can be defined and assessed sufficiently so they can move through the rest of the process so that each other Function can determine how it will protect, detect, respond and recover from a cyber attack and finally feed any additional knowledge back into the cycle.
There is a very good overview of Identify at the Infosec Institute and also at the TrendMicro Blog.
Identify is broken down into the following Categories:
- Asset Management (ID.AM)
- Business Environment (ID.BE)
- Governance (ID.GV)
- Risk Assessment (ID.RA)
- Risk Management Strategy (ID.RM)
- Supply Chain Risk Management (ID.SC)
What is important is how this function can be applied / adapted to shape a Smart City Cyber Security Strategy. Cities are not as neatly defined or designed as public or private organisations. Nor are cities structured, funded, managed or maintained the same way, they have been built up to enable people to live, work and travel – some over many hundreds of years – and so have many unique characteristics as well as challenges. Cities are for people and unfortunately, people are often seen as one of the biggest risks and threats when it comes to cyber security.
I will cover each of the Identify Categories specifically on their respective pages as at the Function level I want to focus on where objectives should be understood and how challenges must be addressed when developing a Smart City Cyber Security Strategy. The role and responsibilities of each of the NIST CF Functions must first be understood at the stakeholder / senior management level of those in the City responsible for cyber security. Identify is perhaps the broadest and most crucial Function as it addresses the scope of the city environment and assets to secure and protect. This will manifest in the Governance capability and the policy and procedures set out for the other Functions to meet. Cities are very diverse environments and there is a likelihood that the Smart Cities of the future will rely heavily on third-party services and suppliers. I will address the key strategic themes further in the specific Identify Categories, here is a list of a few of them:
- Budgets & Priorities
- Outlook & Strategy
- Strategy enablement
- Leadership
- Managing technologies
- People skills and talent development
- Digital transformation
- Methodologies
- Performance
- Maturity
The above strategic themes may not sound like the kind of themes you would associate with cyber security. It is here that I want to extend the Identify Function to incorporate some grounding principles that are necessary to then develop the critical Functions of Protect, Detect, Respond and Recover.
Smart City Cyber Security 