Sunday, March 5, 2017

Resources for Planning using NIST SP 800 Series (week 10)

Just like any other aspect of an organization, the Information Security Program requires planning to be successful. With proper planning, the business is better able to meet its overall business objectives, because it can map out the issues that may affect its day-to-day operations, such as adhering to industry standards and regulations.
The U.S. Department of Commerce has an agency that publishes guidelines and recommendations that organizations can adopt to meet their security obligations. This agency, the National Institute of Standards and Technology (NIST), uses three Special Publication (SP) subseries to publish reference material regarding computer, cyber, and information security guidelines and recommendations.

The three are as follows:
SP 500, Computer Systems Technology – Started in January 1977 and is a more general IT subseries used by NIST to cover broad topics.

SP 800, Computer Security – Started December 1990 and is NIST’s primary mode of publishing computer, cyber and information security guidelines, recommendations and reference materials.

SP 1800, NIST Cybersecurity Practice Guides – Started in 2015 as a complement to SP 800. It is more focused and covers cybersecurity challenges in both the public and private sectors.

About the Special Publications (800 Series)
The focus here is on the SP 800 series, which is a set of publications that describe the United States Federal government's computer security policies, procedures and guidelines. In her article, NIST 800 Series, Margaret Rouse (2006) states that the NIST 800 Series publications cover NIST-recommended procedures and criteria for assessing and documenting threats and vulnerabilities. Under the SP 800 series, many publications have been released from its inception in 1990 to the latest release, a draft of SP 800-178 dated December 2, 2015.

As an organization plans its Information Security Program, some of these documents can be adopted. 

NIST Special Publication 800-122 – Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
“With the increased use of computers for the processing and dissemination of data, the protection of PII has become more important to maintain public trust and confidence in an organization, to protect the reputation of an organization, and to protect against legal liability for an organization” (McCallister, Grance, & Scarfone, 2010).
This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. PII can be described as any information that can be used to identify an individual; full names, SSNs and ID numbers, to mention a few, can be considered PII. SP 800-122 states that organizations should identify what PII exists within their systems, retain PII only on an as-needed basis, categorize the PII based on confidentiality impact levels and apply safeguards accordingly, develop an incident response plan in case of a breach, and ensure that there is cohesiveness between the different responsible parties and departments, including legal counsel.
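As an added example (not code from SP 800-122 or from this post), the following Python script walks through the steps the paragraph lists: it identifies PII fields in a few constructed records, retains PII only where a stated purpose needs it, and assigns each record the highest low/moderate/high confidentiality impact level of its fields. The field-to-level mapping, the SSN masking rule and the sample records are assumptions made for the illustration.

```python
import re
from typing import Dict, List

# Constructed assumption: the PII fields this system is known to hold and the
# confidentiality impact level assigned to each (SP 800-122 uses low / moderate / high).
FIELD_IMPACT = {"full_name": "low", "employee_id": "moderate", "ssn": "high"}
IMPACT_RANK = {"none": 0, "low": 1, "moderate": 2, "high": 3}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")  # catches SSNs stored under other field names

# Constructed sample records (not real data), e.g. rows of an HR export.
RECORDS = [
    {"full_name": "Alice Example", "employee_id": "E-1001", "ssn": "123-45-6789", "dept": "IT"},
    {"full_name": "Bob Example", "employee_id": "E-1002", "tax_ref": "987-65-4321", "dept": "HR"},
    {"dept": "Ops", "site": "Building 3"},
]

def identify_pii(record: Dict[str, str]) -> List[str]:
    """Step 1: list the fields of a record that hold PII, by field name or by SSN-shaped value."""
    return [k for k, v in record.items() if k in FIELD_IMPACT or SSN_RE.match(v)]

def impact_level(pii_fields: List[str]) -> str:
    """Step 3: a record's confidentiality impact level is the highest level among its PII fields.
    An SSN-shaped value found under an unexpected field name is treated as high."""
    level = "none"
    for field in pii_fields:
        candidate = FIELD_IMPACT.get(field, "high")
        if IMPACT_RANK[candidate] > IMPACT_RANK[level]:
            level = candidate
    return level

def minimize(record: Dict[str, str], needed: set) -> Dict[str, str]:
    """Steps 2 and 4: keep PII only where the stated purpose needs it, and mask any
    retained SSN down to its last four digits as a simple safeguard."""
    pii = identify_pii(record)
    out = {}
    for k, v in record.items():
        if k in pii and k not in needed:
            continue  # PII not needed for this purpose: do not retain it
        out[k] = "***-**-" + v[-4:] if SSN_RE.match(v) else v
    return out

def inventory(records: List[Dict[str, str]], needed: set) -> List[dict]:
    """Summarise each record: PII fields found, its impact level, and the minimised copy."""
    return [{"pii": identify_pii(r), "impact": impact_level(identify_pii(r)),
             "minimized": minimize(r, needed)} for r in records]

if __name__ == "__main__":
    for row in inventory(RECORDS, needed={"full_name", "employee_id"}):
        print(row)
```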

NIST Special Publication 800-163 – Vetting the Security of Mobile Applications 
The current trend in many organizations is to allow mobile work, and in this more open business environment mobile applications have become increasingly popular. SP 800-163 authors Quirolgico, S., Voas, J., Karygiannis, T., Michael, C., & Scarfone, K. (2015) state that “such apps have increased productivity by providing an unprecedented level of connectivity between employees, vendors, and customers, real-time information sharing, unrestricted mobility, and improved functionality”. The downside of this trend is that app developers do not always have security in mind when building their applications. This publication acts as a guide to help organizations develop a plan for vetting mobile applications, from the app acquisition stage all the way to the adoption or rejection decision.

Conclusion
The National Institute of Standards and Technology (NIST) SP 800 series guides can assist an organization in planning the development of its Information Security Program. These documents, although mainly targeted at Federal institutions and their affiliates, can prove valuable to any organization. One example is the protection of PII data. In June 2015, the Office of Personnel Management (OPM) was breached and PII data was exfiltrated from its systems. All organizations hold PII, and if OPM (a government agency) was breached, then ‘civilian’ organizations should rethink their current setup (if any) and adopt some of the guidelines laid out in SP 800-122. Also, with the current advancements and changes in how we work (BYOD, wireless technologies, working from home), organizations need to follow more structured and proven guidelines when it comes to protecting their information, assets and people. Using the SP 800 series documents might just ease the adoption of such security measures even in the civilian world.

References
McCallister, E., Grance, T., & Scarfone, K. (2010). Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). NIST Special Publication 800-122.

Quirolgico, S., Voas, J., Karygiannis, T., Michael, C., & Scarfone, K. (2015). Vetting the Security of Mobile Applications. NIST Special Publication 800-163.

Rouse, M. (2006, May 1). NIST 800 Series. Retrieved December 19, 2015, from http://whatis.techtarget.com/definition/NIST-800-Series
