Something that I really appreciate when learning something new or working with a new technology is a clearly defined concept. When learning basic cloud concepts as part of my Cloud Essentials+ journey, I relied on the definitions from NIST to set the groundwork of my understanding of cloud computing characteristics. Well, NIST was there for me again, right away at the beginning of my Security+ journey. NIST has defined five functions of information security/cybersecurity tasks. To me, this is helpful in building an easily reviewable understanding of the responsibilities of security teams and programs. Those five functions are identify, protect, detect, respond, and recover. In the rest of this post, I will give a description/my interpretation of each security task function.
The definition that I had come across in my studies for the identify security task function was not what I had expected. I was originally thinking this function was going to be about finding and categorizing incidents and issues in real time. It turns out that is more of a detect function, which will be covered later in this post. The identify function is more about designing and developing policy and plans for mitigating risk. With this function, security teams are building their security policies and programs. They are researching and understanding vulnerabilities, threats, and risks, and then suggesting mitigating controls to reduce that risk.
This function really brings to light the fact that all employees of an organization, especially within the IT/Security departments, are responsible for information and cyber security. The protect function is all about managing the lifecycle of IT systems and assets with security as an underlying requirement from the beginning, rather than an afterthought. Building and maintaining systems with security and hardening best practices documented and in play will help to protect the organization.
The detect function is all about continuous and effective monitoring, reporting, and notifying in regard to IT systems. Security controls should be able to detect anomalous behavior, then notify the proper teams to take necessary action. These security controls also need to be able to adapt to a changing threat landscape by remaining up to date on vulnerabilities, threats, and risks.
In my opinion, the respond function goes hand-in-hand with the detect function. I am thinking that in the respond function of cybersecurity, we are taking the inputs that we receive from the detect function and acting on them. With the respond function, we are performing analysis on data received from the detect function and then performing mitigating actions in response to threats.
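To make the detect and respond functions from the two paragraphs above concrete, here is a small added example (my own illustration, not something from NIST or the Security+ material). It assumes a made-up, syslog-like authentication log format; the failure threshold, the time window, and the response actions are all assumptions chosen for illustration. The detect step flags a source that produces a burst of failed logins, and the respond step turns each alert into a ticket with the analysis steps the on-call team would take.

```python
"""
Added example (not from the original post): a minimal detect -> respond loop
over constructed authentication log lines. The log format, the threshold, the
window and the response actions are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like; not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd auth=failed user=alice src=203.0.113.7
2024-03-01T10:00:03 sshd auth=failed user=alice src=203.0.113.7
2024-03-01T10:00:04 sshd auth=failed user=root src=203.0.113.7
2024-03-01T10:00:06 sshd auth=failed user=admin src=203.0.113.7
2024-03-01T10:00:07 sshd auth=failed user=bob src=203.0.113.7
2024-03-01T10:00:09 sshd auth=ok user=carol src=198.51.100.4
2024-03-01T10:05:00 sshd auth=failed user=dave src=192.0.2.9
2024-03-01T10:30:00 sshd auth=failed user=dave src=192.0.2.9
"""

FAIL_THRESHOLD = 5            # assumed: failures per source that trigger an alert
WINDOW = timedelta(seconds=60)  # assumed: sliding window for counting failures


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    ts_str, proc, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts_str), "proc": proc, **kv}


def detect(lines):
    """Detect: flag any source with FAIL_THRESHOLD failed logins inside WINDOW."""
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    alerts = []
    alerted = set()             # one alert per source, so the on-call team is not spammed
    for raw in lines:
        ev = parse_line(raw)
        if ev.get("auth") != "failed":
            continue
        src = ev["src"]
        recent[src].append(ev["ts"])
        # Drop failures that have aged out of the sliding window.
        recent[src] = [t for t in recent[src] if ev["ts"] - t <= WINDOW]
        if len(recent[src]) >= FAIL_THRESHOLD and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(recent[src]), "last_seen": ev["ts"]})
    return alerts


def respond(alerts):
    """Respond: turn each alert into a ticket listing the analysis steps to take."""
    tickets = []
    for a in alerts:
        tickets.append({
            "severity": "high" if a["count"] >= 2 * FAIL_THRESHOLD else "medium",
            "src": a["src"],
            "actions": [
                "notify on-call analyst",
                "review authentication logs for " + a["src"],
                "check whether any login from this source succeeded",
                "confirm the affected accounts are still under the owners' control",
            ],
        })
    return tickets


def run_pipeline(log_text=SAMPLE_LOG):
    """Run detect then respond over a log text; returns (alerts, tickets)."""
    alerts = detect(log_text.splitlines())
    return alerts, respond(alerts)


if __name__ == "__main__":
    found_alerts, tickets = run_pipeline()
    for t in tickets:
        print(t["severity"], t["src"], "->", "; ".join(t["actions"]))
```

Running it on the constructed log produces one medium-severity ticket for 203.0.113.7 (five failures within a minute). The two failures from 192.0.2.9 are 25 minutes apart, so the sliding window discards the first one and no alert is raised; that is the "adapt to the threat landscape" point in practice, since the threshold and window are the knobs the security team tunes as it learns what normal looks like.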
The recover function addresses having plans in place to restore IT systems when certain events are not mitigated and downtime results. As much as we want to mitigate as much risk as possible, we need to be prepared, with plans for the next steps to restore systems and data when they are tampered with or taken offline.
I believe that recognizing and understanding these five functions of information security can help in understanding the responsibilities of security teams and programs. As stated earlier, I like to have clear definitions because they not only help me find where to start when dealing with something new, but they also help me know what specifically is in scope, which reduces the risk of me missing something important.