In our ongoing series on compliance and security, we've covered the history of information security compliance, compliance regimes in general, and how to prepare for a SOX audit. Now, let's move on to the catchily-named NIST 800-53. This security standard covers all federal organizations, except for those under the purview of the defense agencies, and all non-governmental organizations that wish to work with the U.S. government.

As with many things run by the government, there's no shortage of acronyms to wade through on your way to understanding NIST 800-53. The most important one is FISMA, the Federal Information Security Management Act of 2002. This law defined information security for the purposes of the federal government, and tasked the NIST with creating standards to uphold information security within the government and its partners. When an organization gets checked for NIST compliance, it's usually referred to as a "FISMA audit."
The NIST has laid out nine steps towards complying with FISMA, which align with the precepts set down in NIST 800-53:
- Data Classification: What data will damage your organization (and those it serves) in the event of a breach? What's less important?
- Baseline Protection: Of the information that you do need to protect, what's the smallest investment in tools that you can make to protect it?
- Risk Assessment: Validate the above. Have you made the correct assumptions about what's necessary?
- Documentation: This is where you keep records of your baseline controls, and the process of validating them. Keeping this paper trail helps establish the fact that you've kept your enterprise secure.
- Implementation: Putting your documentation into practice.
- Monitoring: How well do your security controls perform in the real world, as opposed to on paper? Do you need to make any additional changes?
- Reassess: Based on the results of your monitoring, you may need to re-work your data classification, baseline protection, or risk assessment. What is the general level of risk towards your agency or enterprise?
- Authorization: Now that you've made your estimates, put your plan into practice, and re-evaluated based on real-world conditions, you can allow the system under review to process data.
- More Monitoring: Information security is never static. Technology moves along, hackers refine their skills, and your enterprise will process different kinds of data. Continuously evaluate and re-adjust your baseline to ensure security.
Crucially, NIST 800-53 compliance was updated in late 2015. Although this didn't constitute a full revision, there are still a number of changes that enterprises (and federal IT departments) will need to make before their next audit.
These updates include new guidelines on how to develop the baseline security controls, based on whether you're a government agency or an enterprise, and what your enterprise offers. They reflect the changing nature of the threat landscape, with an emphasis on insider threats (including both rogue employees and victims of credential theft), Shadow IT concerns, and the potential for data leakage from mobile devices.
For administrators hoping to comply with this new ruleset, Safe-T has all the answers. Our Safe-T Box solution is a secure cloud broker that can help bring Shadow IT back into the light. By working with your organization's DLP solution, Safe-T Box can also track employees who might accidentally attempt to share malicious data. Lastly, by operating on desktops, in browsers, and on mobile devices, Safe-T Box can ensure that your data is secure no matter where it's shared from.