NIST is the abbreviation of the National Institute of Standards and Technology. Talking about NIST, it is a non-regulatory agency of the United States Department of Commerce whose job is to improve measurements and standards.
What is NIST Cyber Security Framework ?
NIST was founded in 1901 and its history lies in developing measurements, metrics, and standards. Previously known as the National Bureau of Standards, NIST mission is to promote measurement standards with proper maintenance.
NIST is the abbreviation of the National Institute of Standards and Technology.
Sounds so simple.
But what does NIST have to do with your business? Let us try to understand this in subsequent sections.
What about Framework? Framework is a structure to support building something useful.
So, riding high on the idea of cybersecurity to prevent, detect and respond to cyber incidents, NIST built a policy framework (set of best practice guidelines) for better management of cybersecurity-related risks.
“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber-environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”— President Barack Obama, Executive Order 13636, Feb. 12, 2013
In short, the NIST CSF paves way for organization national security posture to tackle risk management by being proactive rather than employing reactive bent of mind.
What are the five elements of the NIST Cybersecurity framework?
NIST cyber security framework has 5 main functions.
What is NIST SP 800-53?
NIST 800-53 is the integral part of NIST cybersecurity compliance framework. NIST SP 800-53 describes an invaluable checklist of cybersecurity guidelines and security controls for security and privacy needs of any federal organization (aside from national security agencies) to maintain.
While walking the tightrope of confidentiality, integrity, and availability of data, adhering to the NIST SP 800-53 not only helps organizations meet compliance requirements like those found in regulations like:
- PCI DSS
- FedRAMP DoD
but it can also help shore up security immeasurably.
NIST SP 800-53 stands for NIST Special Publication 800-53 and is an integral part of NIST’s Cybersecurity Framework.
As there is a massive rise in threat landscape and cyber-attacks on government systems, the security of important and sensitive information is extremely crucial. And this is possible by securing your overall infrastructure.
Complying by NIST SP 800 series standards improve and maintain their information security. For risk management also, NIST SP 800-53 has been fulfilling the objective of protecting organizations.
What is the purpose of NIST SP 800-53?
The main purpose of NIST 800-53 controls is to improve an organization’s risk management system and help build a stronger foundation for creating a better risk management strategy.
In other words, NIST SP 800–53 (abbreviated form of National Institute of Standards and Technology Special Publication 800-53) database defines the guidelines of security controls and associated assessment procedures, to architect, implement and manage information security systems, and corresponding data.
With a standardized NIST 800 53 Risk Management Framework, NIST 800 53 aims at solid understanding to:
and manage systems, assets, personnel, devices and data etc. by implementing a holistic and contextual risk assessment and management strategy.
assets with comprehensive risk management framework.
security events and anomalous activity occurring on information systems and activities through ‘Security continuous monitoring’.
to security incidents by processes and procedures. Key elements are:
- Incident Response planning
- Threat Mitigation
- Recover and take appropriate security measures or actions
and restore systems or assets affected by attack/incidents with the help of orchestrated recovery planning and post-incident recovery strategies updates.
How many controls are there in NIST 800-53?
NIST SP 800-53 controls, in tandem with the risk management framework outlined in 800-37, are divided in 3 classes, spread across 18 different control families.
NIST SP 800-53 Families Full Control List
- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical and Environmental Protection
- Program Management
- Risk Assessment
- Security Assessment and Authorization
- System and Communications Protection
- System and Information Integrity
- System and Services Acquisition
NIST SP 800-53 Control Families Description
NIST SP 800-53 Access Control
Access control is a way to keep people from going to places they aren’t supposed to go.
For example, you have a house and you have a door to your house. You can lock the door so that only you can get in.
That’s access control.
NIST Access Control defines policies and methods to control a business IT ecosystem with appropriate level of access.
For example, you have a computer and you want to make sure that only people who are supposed to be using it can use it. So you can set up access control on the computer so that only people who are supposed to be using it can use it.
What are the 3 types of access control?
- Discretionary access controls (DAC)
- Mandatory access controls (MAC)
- Role-based access control (RBAC)
The Access Control family throws light on the design, implementation and operation of access controls for a business IT environment like:
- Router network access control
- Computers & servers and
- All devices on the network.
Access control family also helps in understanding configuration of:
- access control security policy
- role-based access controls (rbac)
- mandatory or discretionary access controls
- privileged access controls
NIST 800-53 Audit and Accountability (AU)
Titled Audit Accountability Procedures, NIST 800-53 Audit and Accountability family of controls provides procedures of event logging and auditing of a business’s audits and audit processing records.
Key Questions to ask for NIST 800-53 Audit and Accountability (AU)
- How do you process the content of audit records?
- How do you analyze and report?
- How’s record retention?
- How do you construct content for audits records?
- Are assessments and artifacts included?
- What about storage of audit documents?
- Where do you store the audit documents?
- Do you use any encryption tools to safeguard information of audit records?
- How do you validate access identities?
- Do you use MFA, password security or biometrics?
- Do you have any defined retention policy?
- What is the audit storage capacity?
NIST 800-53 Awareness and Training (AT)
NIST 800-53 Awareness and Training family of controls provides guidance on how to provide foundational and technical security awareness training to users.
The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity eventSource
Which NIST publication discusses the need for security awareness?
NIST 800-53 Awareness and Training family of controls imparts industry and role based security training.
The assessment, identifying and addressing of internal security and privacy issues with employees activities is much more feasible today..
Quite viable to assess internal security-and-privacy awareness of system users, it helps in identifying threats to privacy or system security complying with organizational policies and procedures.
Key questions to ask during NIST 800-53 Awareness and Training (AT)
- What type of security awareness training is provided in your organization?
- How frequent do you update or overhaul your training policies?
- How do you communicate security awareness programs, if any, with your users or employees?
- What are the constituents of your security awareness materials?
- What is the mode of training access for users or workforce?
- Do you have any notification system set up to inform your users about potential security events or breach?
- Do you continuously monitor the alert system in case there is any security issue?
- What about follow ups during/after security awareness training sessions?
Top 12 security awareness training topics for employees
Auditors expect training on security awareness topics like:
- Phishing Email scams
- Data management and privacy
- Social networking awareness
- Social Engineering
- BYOD (Bring Your Own Device)
- Password Security
- Removable media
- Safe internet habit
- Physical security and environmental controls
- Clean desk
- Other cybercrime tactics
NIST 800-53 configuration management
What is NIST 800-53 configuration management?
NIST 800-53 configuration management control lays out guidelines for security configuration policy and procedures of software and devices on the network.
With an effective and security focused NIST configuration management plan, Configuration Management Family controls create:
- A configuration policy,
- A Baseline configuration of the system for future security and privacy control implementations etc.
- And manage unauthorized configuration or devices.
Examples of the Configuration Management family are:
- Authorized software policies
- Configuration change control
Key NIST 800-53 Configuration Management questions to ask
- How frequently configuration management documents are analyzed?
- Is Privacy included?
- What about baseline configurations?
- Are baseline configurations set up for every single server or device on the network?
- Is baseline configuration automated?
- Do you record previous settings?
- What is the approach towards uninstallation of software?
- Is there a Configuration Control Board in your company?
- Are there any Cryptography settings?
- Do you maintain an inventory?
- Do you maintain data maps?