Today is the 1st of September, now officially known as the start of lock-in season (aka the inspiration behind this blog’s name). Despite a fairly chaotic start to the day, I too shall partake by sharing today’s learnings.

Continuing on the NIST Cybersecurity Framework (CSF), I am doing a deeper dive on each of the individual categories.

Today’s focus is on Identify

Conceptually, I understand what it entails - identifying an organisation’s assets, mapping out risks, and implementing continuous improvement. However, to apply my learning, I want to understand the day-to-day tasks and processes that ensure its goals are met.

I have learnt that this entails a non-exhaustive combination of the following:

• Building a living inventory - hardware, software, servers, APIs, SaaS tech stack
• Classify the data (thank you Bell-LaPadula Security Model) as public, internal, confidential
• Prioritise the risk mapping by business criticality
• Track progress, rinse and repeat

I suspect that this takes shape via spreadsheets, and being in the SaaS industry, I am 1000% sure that there are solutions that cover this. But hey, let’s walk before running, so to Excel I shall go to put theory into practice.