An information security program implementation guide was developed by National Institute of Standards and Technology (NIST) to provide a broad overview of information security program components and assist information security managers in understanding how to develop and implement an information security program based on the minimum government security requirements. The Information Security Handbook: A Guide for Managers is documented in the NIST Special Publication 800-100. This article aims to summarize the information security program guide as well as the minimum security requirements as described in NIST 800-53 publication.
About NIST Guide and Standards
Compliance with the government National Institute of Standards and Technology (NIST) system security requirements involves adhering to a set of NIST security standards developed by the Computer Security Division of the National Institute of Standards and Technology (NIST).
The Federal Information Processing Standards (FIPS 200) address minimum security standards and guidelines for federal computer systems. They are developed by the National Institute of Standards and Technology (NIST 800-53) in accordance with the Federal Information Security Management Act (FISMA) of 2002 and approved by the Secretary of Commerce. The NIST 800-100 offers an information security guide for managers to develop an information security program and comply with the system security requirements.
These standards are sometimes the golden rules companies must follow and comply with if they want to attract new contracts or retain existing ones, particularly with certain government entities and their suppliers.
The image below lists the security requirements for all federal systems as well as private systems supporting the federal government which must be addressed by the information security program.
Who Should Care
Anyone in charge of system security within organizations must be aware of the security program components and minimum government system security requirements to ensure compliance. These include CIOs, CISOs and security managers at all levels.
Summary of the Information Security Program Guide (NIST 800-100)
Purpose and Applicability
The scope of the information security policies as they pertain to the NIST security compliance requirements as well as their applicability must be well defined.
Information Security Governance
According to NIST, the information security governance is defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies:
- are aligned with and support business objectives,
- are consistent with applicable laws and regulations through adherence to policies and internal controls, and
- provide assignment of responsibility for managing risk.
System Development Life Cycle
The system development life cycle (SDLC) is the overall process of developing, implementing, and retiring information systems through a process from business requirements gathering, analysis, design, implementation, and maintenance to disposal. There are many different SDLC models and methodologies, but each generally consists of a series of defined steps or phases.
Awareness & Training
Companies must provide initial and periodic information protection awareness and training to all users regarding company policies and best practices.
Capital Planning and Investment Control
Increased competition for limited budgets and resources within any organization requires the allocation of available funding toward their highest-priority information security investments to provide the appropriate degree of security for the organization’s needs.
Interconnected system is defined as the direct connection of two or more information systems for sharing data and other information resources. Organizations choose to interconnect their information systems for a variety of reasons based on their organizational needs. For example, they may interconnect information systems to exchange data, collaborate on joint projects, or securely store data and backup files. Internet of Things (IoT) are increasingly being deployed and must be included in the interconnected system management.
Organizations can develop information security metrics that measure the effectiveness of their security program, and provide data to be analyzed and used by program managers and system owners to isolate problems, justify investment requests, and target funds specifically to the areas in need of improvement.
Program managers, system owners, and security personnel in the organization must understand the system security planning process. The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements.
Contingency Planning or Availability includes a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) which must be documented and tested regularly to ensure business operation continuity and system or data recovery.
Because risk cannot be eliminated entirely, the risk management process allows information security program managers to balance the operational and economic costs of protective measures based on investment benefits, risk appetite or tolerance, and risk acceptance criteria.
Audit, Accountability, Certification & Security Assessments
In addition to internal audits, independent audits and security assessments for certification of general computer controls including information security controls relevant to company services and products may be required under certain contracts.
Security Services and Products Acquisition
In the acquisition of information security services and products, organizations are encouraged to conduct a cost-benefit analysis as part of the product-selection process which also includes the costs associated with risk mitigation.
Attacks on information systems and networks are inevitable and have become common occurrence for many organizations. The attacks are sophisticated, often successful, and high impact nowadays. An incident response plan must be documented to respond and resolve various information security incidents.
Formal configuration policies and procedures must exist for all major systems and devices including on-prem and cloud servers, laptops, mobile devices, IoT, wireless network, VPN, email system, information security systems, and network devices.
Other NIST 800-53 Requirements
Identification & Authentication
The Personal Identity Verification (PIV) process must include a standard process for issuing and assigning IDs to all users for identification purposes. Users must be systemically forced to authenticate themselves through multi factor and adaptive authentication which includes biometric and other types of advanced authentication mechanism.
Authorization & Monitoring
User access to all systems must be authorized and monitored for proper segregation of duties and minimum access or least privilege ensuring integrity and confidentiality of data based on zero-trust model.
The network system security must be maintained through monitoring and protection with firewalls, anti-virus, anti-malware and anti-spyware software, formal patch management process with zero-day concept, server configuration management, Intrusion Protection Systems (IPS) and periodic penetration tests.
Access to company information systems from the outside of the company must be secured and authorized.
Removable Storage Devices & Media Protection
The use of USB and other storage devices must be secured through hardware or software.
Emails containing confidential information must be encrypted in accordance with acceptable encryption mechanisms.
Laptops and other Portable Devices
NIST standards require mobile devices such as laptops be encrypted.
The company voice system must be configured to force employees use a unique password for accessing voicemails.
Wireless communication must be protected via encryption and security of wireless access points. Standard identification and authentication mechanism must also apply to wireless network and communications.
According to NIST, program and infrastructure change management procedures must be documented to ensure changes are approved, tested, reviewed and implemented in accordance with the change plan and segregated responsibilities.
System security vulnerability assessments must be performed on a continuous basis to detect new threats and control gaps. Information security program, policies and procedures must be reviewed and updated periodically. Information protection needs related to training and tools must also be assessed on a periodic basis.
Physical, Personnel & Environmental Protection
NIST security compliance requires facility access authorization and monitoring. Visitor access must be documented and monitored at all times.
Environmental and personnel protection controls must be in place and include fire detectors, fire extinguishers, water and gas leak detectors as well as well documented personnel evacuation plans in case of major incidents.