us the US cybersecurity framework. This framework was developed by the National Institute of Standards and Technology, NIST for short, and it is a set of voluntary guidelines. It is not a law; it helps organizations manage and reduce cybersecurity risk. Simply put, this whole framework was established under an executive order (an executive order is not a law) by President Barack Obama, released, I believe, in 2013. Its purpose is to help companies manage and reduce their cybersecurity risk. Why? Because cybersecurity risk is a threat to our economy, corporations, personnel, technology, and so on.

So the framework is designed to be simple, flexible and adaptable by any company, whether small or large. It allows companies to tailor it to their unique needs and risk profiles. As you will see when we go over this framework, it gives you general guidelines, but it also gives you a menu of options that you can adopt for your own needs and your own company.

The framework consists of five core functions, a profile and four tiers, which together form a comprehensive approach to cybersecurity. That is what we are looking at here: the five core functions, the four tiers and a profile. We are going to cover each component separately. Today we are looking at the five core functions: identify, protect, detect, respond and recover. Specifically, we are going to focus on one core function, identify. So of the five core functions, today we cover only identify, and most likely I will devote a recording to each function separately.

Before we proceed any further, I have a public announcement about my company, farhatlectures.com. Farhat Accounting Lectures is a supplemental educational tool that will help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim or Miles.
My accounting courses are aligned with your accounting courses, broken down by chapter and topic. My resources consist of lectures, multiple choice questions, true-false questions, as well as exercises. Go ahead and start your free trial today: no obligation, no credit card required.

Now, this is the big picture. The first function is identify. Under each function we have categories, and under the categories we have sub-categories, and then we have references. For example, under identify we have asset management (one), business environment (two), governance (three), risk assessment (four), risk management strategy (five) and supply chain risk management (six). So we have six categories under identify.

Then we have the sub-categories. I am not going to go that far into the sub-categories, because my lesson is for CPA candidates. I am going to explain what the function is and what the categories are, but you can dig a little deeper, whether you are studying for a cybersecurity exam or just need to learn more about it.

So we have five core functions and 23 categories; the 23 categories are the categories of the functions. Then we have 108 sub-categories, separated into the different categories. And we have many references that help us run or understand our cybersecurity program.

As I mentioned at the beginning, today we are focusing specifically on the identify function. Those are the five functions, and within the first function we have six categories. So today I am going to go over the identify function. What do we mean by the identify function?
Well, identify means: do we know what we have, the assets and processes that need protection? Simply put, one category under identify is called asset management. When we say ID.AM, it means the category is under identify, asset management. The first thing you want to know is: what are the assets that I need to protect? What assets are needed? What processes are needed? Including personnel, because personnel are part of my assets.

So the goal is to maintain an inventory of the organization's assets, such as hardware, software, people, data assets, information, physical devices, systems, network components, software platforms, and so on. Buildings too: you want to protect your building, because if they can get into your building, they may be able to get to other information. Also your connections and configurations that help the company achieve its goals. You may also want to assign a dollar amount and rank how important each of these assets is to you, because that is going to help you later on when you devise your risk assessment and your governance and risk management strategy. Not knowing what you have is a problem by itself.

So an example would be a company that creates and maintains a comprehensive inventory, a list, of its hardware and software, such as servers, workstations, routers and installed applications, to have a clear understanding of its infrastructure. Why? Because if this infrastructure is critical to my business objectives, the first thing I need to do is know which is which. I need to identify in order to start to protect.

The second category under identify is business environment, abbreviated ID.BE. This component involves understanding the organization's mission, objectives, stakeholders and activities in order to identify the most critical assets and systems that require protection.
Here I am asking: what does my business environment look like? What are the most critical assets that need protection? For example, a financial services company analyzes its business environment and identifies its core transaction processing system and customer data storage as critical assets that must be protected. So what cybersecurity is now needed to protect my business environment? Since I understand what the critical components in my business environment are, what do I need to do? Simply put, what is important for me here is identifying the business environment that is critical to my success.

The third component is governance, ID.GV. It focuses on establishing and maintaining cybersecurity risk management governance: policies and procedures. Hopefully those words do not sound foreign to you. When you are conducting governance, you have policies and procedures that align with the organization's goals, objectives and risk tolerance. So what policies do I have that are going to help me manage my risk? Are there any legal or regulatory requirements that need to be incorporated? I might be in the health industry or the banking industry, where there is higher scrutiny by the state or the federal government, with legal and regulatory requirements. Am I incorporating those policies within my system? Do third parties access my system? That is also important here.

For example, a healthcare organization develops a cybersecurity policy that outlines roles, responsibilities and the reporting structure. Because remember, if you are attacked, if you suffer a cyber attack, do you know what you need to do? Do you know who to report to? When should you talk to lawyers? When should you report this information to, maybe, the government? This ensures that all employees understand their part in maintaining a secure environment.
So do you have policies and procedures that encompass the governance process under the identify function of the security framework? Notice these are all very general objectives. Then we move into risk assessment. Basically, risk assessment is trying to predict the risks: it involves identifying, analyzing and prioritizing cybersecurity risk in order to inform the organization's risk management decisions, because we need to be able to identify as many risks as possible to help us understand what risks are involved in our business environment. Remember, the business environment is where we operate and what our processes are. Now we need to understand what risks are involved and assess those risks.

Do we understand our vulnerabilities? Usually you do not know your vulnerabilities, because if you knew them you would try to mitigate them. But can you identify as many as possible, or do you understand what could go wrong? For example, if you have a safe in your house with money and gold in it and you do not have a security system, that is a vulnerability. If you do not have locks on your door, that is a vulnerability. Those are known vulnerabilities. But you could have other vulnerabilities that you are not aware of.

A threat is different: the threat I know. For example, if I have gold and money in my house, the threat is that it could be stolen, or I could have a fire at my house. Those are the threats. But how would that happen? The vulnerabilities I do not know. And this is the most important point: try to understand or predict your vulnerabilities and identify as many as possible, but oftentimes they will go unknown.
Threats are a little easier to see, but you do not know which vulnerability is allowing the threat to get to your asset, or you could have an accidental information disclosure at a company. For example, in risk assessment, do you participate in an information sharing and analysis center? Do you share information with them? Do you get information from them, or from third-party public information that deals with risk? This is part of your risk assessment. How do you learn about new cybersecurity threats? That is what we are asking here: what is your risk assessment? An example would be a manufacturing company that conducts a risk assessment to identify vulnerabilities in its industrial control systems (remember, it is very hard to find all the vulnerabilities), quantify the potential impact and prioritize mitigation efforts. That is what you are doing here.

Now, risk management. After you have identified as many threats and risks as possible, you need to know how to manage that risk. This deals with establishing and implementing a risk management process that addresses the organization's unique risk assessment: you identified the risks in risk assessment; now, how do you manage them? Well, you learn this from your basic finance course. You try to eliminate the risk if you can, and mitigate the risk if you cannot eliminate it. If you cannot mitigate or eliminate, you try to transfer or diversify it, and if you cannot do any of those, you have to accept the risk. So what are you doing with this risk information? You have information risk here, cybersecurity risk. What specific measures are you taking? This is risk management. And here you have to be very specific, because it is based on your risk assessment. Also, what is your acceptable risk tolerance? Which risk do you believe is critical to you?
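As an added example (not from the lecture or from NIST), a small Python model of the flow described above: an ID.AM inventory whose assets carry a dollar value and a criticality rank, an ID.RA score per risk from a threat's likelihood and impact, and an ID.RM treatment decision in the lecture's order (eliminate, mitigate, transfer or diversify, accept) against a stated risk tolerance. The assets, threats, likelihoods, impacts and the tolerance value are constructed sample numbers for a hypothetical financial services company.

```python
from dataclasses import dataclass
# Constructed sample inventory (ID.AM): each asset records a dollar value and a criticality rank.
@dataclass
class Asset:
    name: str
    value_usd: float
    criticality: int     # 1 = most critical

@dataclass
class Risk:
    asset: Asset
    threat: str          # what could happen (usually known: theft, fire, outage)
    vulnerability: str   # how it could happen (found by assessment, often unknown)
    likelihood: float    # probability per year, 0..1
    impact: float        # fraction of asset value lost if the threat materialises
    options: tuple       # feasible treatments among "eliminate", "mitigate", "transfer"

    def ale(self) -> float:
        # ID.RA: quantify potential impact as annual loss expectancy (ALE).
        return self.likelihood * self.impact * self.asset.value_usd

def prioritize(risks):
    # ID.RA: highest expected loss first; ties broken by asset criticality.
    return sorted(risks, key=lambda r: (-r.ale(), r.asset.criticality))

def treatment(risk, tolerance_usd):
    # ID.RM: lecture's order (eliminate, mitigate, transfer/diversify, accept) once ALE exceeds tolerance.
    if risk.ale() <= tolerance_usd:
        return "accept"
    for choice in ("eliminate", "mitigate", "transfer"):
        if choice in risk.options:
            return choice
    return "accept-above-tolerance"   # nothing feasible: escalate under ID.GV

def build_register(risks, tolerance_usd):
    # Risk register rows: (asset, threat, ALE in USD, treatment), highest ALE first.
    return [(r.asset.name, r.threat, round(r.ale()), treatment(r, tolerance_usd))
            for r in prioritize(risks)]

# Constructed sample values for a hypothetical financial services company.
TPS = Asset("core transaction processing system", 5_000_000, 1)
CDS = Asset("customer data storage", 3_000_000, 1)
BLD = Asset("branch office building", 800_000, 3)
SAMPLE_RISKS = [
    Risk(TPS, "outage", "single database server, no failover", 0.10, 0.20, ("mitigate",)),
    Risk(CDS, "data breach", "unpatched storage gateway", 0.05, 0.80, ("mitigate", "transfer")),
    Risk(BLD, "fire", "no sprinkler system", 0.02, 0.50, ("transfer",)),
    Risk(BLD, "vandalism", "unlit parking lot", 0.10, 0.005, ("mitigate",)),
]
```

Calling `build_register(SAMPLE_RISKS, 5_000)` ranks the data breach and outage first and marks both for mitigation, transfers the fire risk (for example through insurance) and accepts the vandalism risk, whose expected loss sits below the tolerance.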
Critical means you can or cannot tolerate it. The sixth component is supply chain risk management. This is fairly new; it was added to the identify function, and it basically focuses on identifying, assessing and mitigating risk associated with the organization's suppliers, vendors or third-party service providers. Here you are not looking at your own system; you are looking at the cybersecurity vulnerability that comes from your vendors and suppliers. Why? Because oftentimes these days your suppliers' and vendors' systems are integrated with your system. So if they have a vulnerability in their system, a hacker may be able to go through their system to penetrate your system. So you need to be aware of how well they are managing their cybersecurity. This is what we mean by supply chain risk management: the risk associated with third-party partners who have access to sensitive data or systems that could be exploited by malicious actors. You do not only have to worry about your own system; you also have to worry about your suppliers, your vendors, the people you deal with, the people that access and use your system.

So here we are addressing vulnerabilities and threats in the supply chain, and this could involve looking at the hardware and software of your service providers. You could also look at the people that work there, the personnel, as well as other things. Anything that could give a malicious party an open window or an open door to your system is your concern. And this is why they added supply chain risk management: because you are exposed through that supply chain.

Now, once again, just to recap what we are doing, this is the big picture. We looked at one of the five core functions and we covered six of the 23 categories. Again, we do not go into the sub-categories, because they get very specific. If you need to, you can learn more about them.
When need be, I will mention them, but this is what we are looking at. So in the next session, guess what? After we have done identify, we need to go into the protect step. I am going to try to use the same format, where I will just remove identify and start to work with protect. Then, when I finish with protect, detect, and so on. What should you do now? Go to Farhat Lectures and look at the additional resources. They will help you, whether you are studying for the CPA exam, accounting information systems, a cybersecurity certification, CISA or any other professional certification. Invest in yourself. Study hard, stay motivated and stay safe.