IDENTIFY (ID):
The organization’s current cybersecurity risks are understood
1. Asset Management (ID.AM):
Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization’s risk strategy
ID.AM-01:
Inventories of hardware managed by the organization are maintained
- Ex1: Maintain inventories for all types of hardware, including IT, IoT, OT, and mobile devices
- Ex2: Constantly monitor networks to detect new hardware and automatically update inventories
🧡 Implementation check
🌹 Documents and records
- IT asset inventory
🌹 Expected outcomes
- The organization maintains a current, complete inventory of physical devices, hardware and information systems, with a sound mechanism for keeping it synchronized
- The inventory reflects the organization’s risk appetite (e.g., classification levels, tags).
- Completeness of inventory fields (e.g., location, asset number, owner)
- Device changes (additions, relocations, retirements) are recorded accurately and promptly.
- Inventory-count frequency, responsible person, and count records
ID.AM-02:
Inventories of software, services, and systems managed by the organization are maintained
- Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services
- Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes
- Ex3: Maintain an inventory of the organization’s systems
🧡 Implementation check
🌹 Documents and records
- IT asset inventory
🌹 Expected outcomes
- The organization maintains a current, complete inventory of software platforms, commercial applications and other software assets (e.g., virtual machines and virtual network devices), with a sound mechanism for keeping it synchronized
- The inventory reflects the organization’s risk appetite (e.g., classification levels, tags).
- Completeness of inventory fields (e.g., version, system, vendor, owner)
- Software changes (additions, upgrades, patches, migrations, retirements) are recorded accurately and promptly.
- Inventory-count frequency, responsible person, and count records
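What the ID.AM-01 Ex2 / ID.AM-02 Ex2 "monitor and automatically update" loop looks like when reduced to its core: reconcile a discovery run against the inventory of record and report unknown devices, assets that were not seen, software drift and incomplete records. This is an added example written for these notes, not code from NIST or from the page; the inventory records, the discovery output and all field names (`asset_id`, `mac`, `software`, ...) are constructed assumptions.

```python
"""Inventory reconciliation for ID.AM-01 Ex2 and ID.AM-02 Ex2.
Added example; every record below is constructed sample data and the
schema (asset_id, mac, hostname, owner, location, software) is an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    mac: str             # discovery key; a serial number or agent ID would also work
    hostname: str
    owner: str
    location: str
    software: frozenset  # packages/services recorded for this asset


# Constructed inventory of record (hypothetical assets).
INVENTORY = [
    Asset("HW-0001", "00:11:22:33:44:01", "fs01", "infra-team", "DC-A rack 3",
          frozenset({"openssh 9.6", "samba 4.19"})),
    Asset("HW-0002", "00:11:22:33:44:02", "cam-lobby", "", "",   # owner/location never filled in
          frozenset({"rtsp-server 1.2"})),
    Asset("HW-0003", "00:11:22:33:44:03", "plc-line1", "ot-team", "Plant B",
          frozenset({"modbus-fw 3.1"})),
]

# Constructed output of one discovery run (e.g. a scanner or endpoint-agent export).
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "hostname": "fs01",
     "software": {"openssh 9.6", "samba 4.19", "docker 25.0"}},   # docker appeared since last sync
    {"mac": "00:11:22:33:44:02", "hostname": "cam-lobby",
     "software": {"rtsp-server 1.2"}},
    {"mac": "aa:bb:cc:dd:ee:ff", "hostname": "unknown-laptop",
     "software": set()},                                           # never inventoried
]

REQUIRED_FIELDS = ("owner", "location")   # completeness check from the expected outcomes


def reconcile(inventory, discovered):
    """Return the findings an auditor looks for under ID.AM-01/02:
    unknown    - seen on the network but absent from the inventory
    missing    - in the inventory but not seen in this discovery run
    drift      - inventoried asset whose software set no longer matches
    incomplete - inventory records lacking required fields"""
    by_mac = {a.mac: a for a in inventory}
    seen = {d["mac"]: d for d in discovered}

    unknown = sorted(mac for mac in seen if mac not in by_mac)
    missing = sorted(a.asset_id for a in inventory if a.mac not in seen)

    drift = {}
    for mac, d in seen.items():
        asset = by_mac.get(mac)
        if asset is None:
            continue
        added = set(d["software"]) - asset.software
        removed = asset.software - set(d["software"])
        if added or removed:
            drift[asset.asset_id] = {"added": sorted(added), "removed": sorted(removed)}

    incomplete = sorted(a.asset_id for a in inventory
                        if any(not getattr(a, f) for f in REQUIRED_FIELDS))
    return {"unknown": unknown, "missing": missing, "drift": drift, "incomplete": incomplete}


def apply_drift(inventory, findings):
    """The 'automatically update inventories' half of Ex2: return a new inventory
    whose drifted software sets are replaced by what was observed. Unknown devices
    are deliberately NOT auto-added; they remain a finding for a person to triage."""
    updated = []
    for a in inventory:
        change = findings["drift"].get(a.asset_id)
        if change:
            new_sw = (a.software | set(change["added"])) - set(change["removed"])
            a = Asset(a.asset_id, a.mac, a.hostname, a.owner, a.location, frozenset(new_sw))
        updated.append(a)
    return updated


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED)
    for key, value in result.items():
        print(f"{key:10}: {value}")
```

Auto-applying software drift while leaving unknown devices as open findings is the design point: the inventory stays synchronized without a scanner silently legitimizing hardware nobody approved.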
ID.AM-03:
Representations of the organization’s authorized network communication and internal and external network data flows are maintained
[Representations: views, descriptions, models, etc.]
- Ex1: Maintain baselines of communication and data flows within the organization’s wired and wireless networks
- Ex2: Maintain baselines of communication and data flows between the organization and third parties
- Ex3: Maintain baselines of communication and data flows for the organization’s infrastructure-as-a-service (IaaS) usage
- Ex4: Maintain documentation of expected network ports, protocols, and services that are typically used among authorized systems
🧡 Implementation check
🌹 Documents and records
- Data flow diagrams
- Network diagrams
🌹 Expected outcomes
- The organization maintains an easily understood, easily communicated map of network resources, mobile resources, external connections, network-connected third parties and network data flows.
- Internal and external data flow diagrams are current, complete and kept up to date.
- Network diagrams (logical and physical) are current, complete and kept up to date.
- Data flow and network diagrams include a reasonable level of detail (e.g., device type, name, model, interface, protocol, service) so they are easy to understand and communicate.
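A baseline is only useful if something is compared against it. The added example below (written for these notes; not code from NIST or the page) turns the Ex4 "expected ports, protocols, and services" documentation into a zone-to-zone allow-set and checks a flow log against it, which is how the Ex1–Ex3 baselines are kept honest. The zone address ranges, the baseline entries and the flow-log format (`timestamp src dst proto dst_port`) are all constructed assumptions.

```python
"""Check observed flows against the documented communication baseline (ID.AM-03 Ex1-Ex4).
Added example; zone map, baseline and flow log are constructed sample data."""
import ipaddress

# Constructed zone map (hypothetical address ranges).
ZONES = {
    "user-lan": ipaddress.ip_network("10.10.0.0/16"),
    "servers":  ipaddress.ip_network("10.20.0.0/16"),
    "ot":       ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to a zone; anything outside the known ranges is 'external'
    (third parties, IaaS, the internet), which covers Ex2 and Ex3 flows."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


# Documented baseline (Ex4): (src zone, dst zone, protocol, dst port) that is expected.
BASELINE = {
    ("user-lan", "servers",  "tcp", 443),   # internal web applications
    ("user-lan", "external", "tcp", 443),   # SaaS / browsing through the proxy
    ("servers",  "external", "tcp", 443),   # IaaS API calls (Ex3)
    ("servers",  "ot",       "tcp", 502),   # historian polling PLCs over Modbus
}

# Constructed flow records: "<timestamp> <src> <dst> <proto> <dst_port>".
FLOW_LOG = """\
2024-05-01T10:00:01Z 10.10.4.12 10.20.1.5 tcp 443
2024-05-01T10:00:02Z 10.10.4.12 203.0.113.7 tcp 443
2024-05-01T10:00:03Z 10.20.1.5 192.168.100.20 tcp 502
2024-05-01T10:00:04Z 10.10.4.30 192.168.100.20 tcp 502
2024-05-01T10:00:05Z 10.20.1.9 198.51.100.4 tcp 22
"""


def parse_flows(text):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port = line.split()
        yield {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "port": int(port)}


def classify_flow(flow):
    """Reduce a flow to the tuple the baseline is keyed on."""
    return (zone_of(flow["src"]), zone_of(flow["dst"]), flow["proto"], flow["port"])


def find_deviations(flows, baseline):
    """Return flows whose (src zone, dst zone, proto, port) is not documented in the baseline."""
    deviations = []
    for f in flows:
        key = classify_flow(f)
        if key not in baseline:
            deviations.append({**f, "src_zone": key[0], "dst_zone": key[1]})
    return deviations


def summarize(deviations):
    """Aggregate deviations per (zones, proto, port) so repeated flows become one report line."""
    counts = {}
    for d in deviations:
        k = (d["src_zone"], d["dst_zone"], d["proto"], d["port"])
        counts[k] = counts.get(k, 0) + 1
    return counts


if __name__ == "__main__":
    devs = find_deviations(parse_flows(FLOW_LOG), BASELINE)
    for k, n in summarize(devs).items():
        print(f"{n} unexpected flow(s): {k[0]} -> {k[1]} {k[2]}/{k[3]}")
```

Each deviation is either a baseline that is out of date (the diagram needs updating, which is the ID.AM-03 expected outcome) or a flow that should not exist (hand it to the detection and response side); the check does not decide which, it only surfaces the gap.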
ID.AM-04:
Inventories of services provided by suppliers are maintained
- Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services
- Ex2: Update the inventory when a new external service is going to be utilized to ensure adequate cybersecurity risk management monitoring of the organization’s use of that service
🧡 Implementation check
🌹 Documents and records
- Third-party inventory
- Supplier management plan
- Risk appetite statement
🌹 Expected outcomes
- The organization maintains an inventory of third-party services
- The inventory reflects the organization’s risk appetite (e.g., which sensitive information each service stores, processes or accesses; how critical it is to business objectives).
- Completeness of inventory fields (e.g., location, third party, owner)
- Inventory-count frequency, responsible person, and count records
ID.AM-05:
Assets are prioritized based on classification, criticality, resources, and impact on the mission
- Ex1: Define criteria for prioritizing each class of assets
- Ex2: Apply the prioritization criteria to assets
- Ex3: Track the asset priorities and update them periodically or when significant changes to the organization occur
🧡 Implementation check
🌹 Documents and records
- Data classification scheme
- IT asset inventory
🌹 Expected outcomes
- The organization defines classification criteria based on key factors (e.g., CIA, regulatory requirements, business impact).
- Assets (e.g., systems, devices, hardware, equipment, data, software) are classified and prioritized, and carry labels that prompt systems or personnel to handle them appropriately.
- Frequency of asset classification reviews
ID.AM-06:
[Withdrawn: Incorporated into GV.RR-02, GV.SC-02]
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
ID.AM-07:
Inventories of data and corresponding metadata for designated data types are maintained
- Ex1: Maintain a list of the designated data types of interest (e.g., personally identifiable information, protected health information, financial account numbers, organization intellectual property, operational technology data)
- Ex2: Continuously discover and analyze ad hoc data to identify new instances of designated data types
- Ex3: Assign data classifications to designated data types through tags or labels
- Ex4: Track the provenance, data owner, and geolocation of each instance of designated data types
🧡 Implementation check
🌹 Documents and records
- Data type inventory
- Risk appetite statement
🌹 Expected outcomes
- The organization maintains inventories of designated data types and the corresponding metadata
- The data type inventory matches the organization’s risk appetite
- Completeness of the inventory (e.g., location, owner, classification)
- Inventory identification process:
  - Ensures new data is recorded promptly and accurately
  - Considers data in structured and unstructured formats (e.g., documents, images, email, software fields)
- Inventory-count frequency
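Ex1 through Ex4 of ID.AM-07 describe one pipeline: a list of designated types, a discovery pass over unstructured content, a classification label per type, and provenance metadata per instance. The added example below (written for these notes; not code from NIST or the page) runs that pipeline over a few constructed documents. The designated types, their regular expressions, the Luhn validation step used to drop numbers that merely look like card numbers, the label names and the documents themselves are all constructed assumptions.

```python
"""Designated-data-type discovery with classification and provenance (ID.AM-07 Ex1-Ex4).
Added example; types, patterns, labels and documents are constructed for illustration."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit strings that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Ex1: designated types -> (pattern, Ex3 classification label, optional validator).
DESIGNATED_TYPES = {
    "PII-SSN":   (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "confidential", None),
    "FIN-CARD":  (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "restricted",
                  lambda m: luhn_ok(re.sub(r"[ -]", "", m))),
    "PII-EMAIL": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "internal", None),
}
LEVELS = ["internal", "confidential", "restricted"]   # ascending sensitivity

# Constructed documents carrying the Ex4 provenance fields (path, owner, region).
DOCUMENTS = [
    {"path": "hr/onboarding/jdoe.txt", "owner": "hr", "region": "us-east",
     "text": "Employee SSN: 123-45-6789, contact jdoe@example.com"},
    {"path": "finance/refunds-q1.csv", "owner": "finance", "region": "eu-west",
     "text": "card,4111 1111 1111 1111,refund\ncard,1234567812345678,void"},   # 2nd fails Luhn
    {"path": "eng/readme.md", "owner": "eng", "region": "us-east",
     "text": "Build with make; no secrets here."},
]


def discover(documents):
    """Ex2: scan each document for every designated type; one finding per (document, type)
    with the label and provenance metadata attached."""
    findings = []
    for doc in documents:
        for dtype, (pattern, label, validator) in DESIGNATED_TYPES.items():
            hits = [m for m in pattern.findall(doc["text"])
                    if validator is None or validator(m)]
            if hits:
                findings.append({"type": dtype, "classification": label, "count": len(hits),
                                 "path": doc["path"], "owner": doc["owner"],
                                 "region": doc["region"]})
    return findings


def document_label(findings, path):
    """Ex3: the label to apply to a whole document is the most sensitive type found in it."""
    labels = [r["classification"] for r in findings if r["path"] == path]
    return max(labels, key=LEVELS.index) if labels else "public"


def merge_into_inventory(existing, findings):
    """Fold a discovery run into the running data inventory, keyed by (path, type),
    so repeated runs update counts rather than duplicating entries."""
    inv = {(r["path"], r["type"]): r for r in existing}
    for f in findings:
        inv[(f["path"], f["type"])] = f
    return sorted(inv.values(), key=lambda r: (r["path"], r["type"]))


if __name__ == "__main__":
    found = discover(DOCUMENTS)
    for rec in merge_into_inventory([], found):
        print(f"{rec['path']:28} {rec['type']:10} x{rec['count']}  "
              f"label={rec['classification']} owner={rec['owner']} region={rec['region']}")
    for doc in DOCUMENTS:
        print(f"{doc['path']:28} document label -> {document_label(found, doc['path'])}")
```

The validator hook is what keeps a discovery inventory credible: a pattern alone reports every 16-digit order number as a card, and an inventory full of false positives is one nobody keeps current.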
ID.AM-08:
Systems, hardware, software, services, and data are managed throughout their life cycles
- Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
- Ex2: Integrate cybersecurity considerations into product life cycles
- Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., “shadow IT”)
- Ex4: Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization’s attack surface
- Ex5: Properly configure and secure systems, hardware, software, and services prior to their deployment in production
- Ex6: Update inventories when systems, hardware, software, and services are moved or transferred within the organization
- Ex7: Securely destroy stored data based on the organization’s data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
- Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
- Ex9: Offer methods for destroying paper, storage media, and other physical forms of data storage
🧡 Implementation check
🌹 Documents and records
- Cybersecurity policy (data retention/disposal section)
- IT asset inventory
🌹 Expected outcomes
- Confirm that the organization manages systems, hardware, software, services and data throughout their life cycles.
- A process exists for managing the IT asset life cycle.
- Resources are securely configured before deployment (configuration management includes security baselines).
- An asset identification process and tooling are in place, with the capability and procedures to detect unauthorized assets and shadow IT.
- A process exists for securely destroying or sanitizing data in accordance with the organization’s data retention policy.
- A mechanism ensures the inventory is updated promptly when assets are moved, transferred or retired.