10/12/2017 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? OVERVIEW SO, WHAT IS NIST?

Transcription

1 WHAT IS NIST SP & WHY SHOULD I CARE ABOUT IT? CHRIS JACKSON, STATE OF OHIO, OBM IT AUDIT MANAGER DANIEL MILKS, STATE OF OHIO, OBM SENIOR IT AUDITOR OVERVIEW Background & Understanding Importance Overall Design Control Families Expectations Scope Controls Classify Systems Control Breakdown Recommendations SO, WHAT IS NIST? Acronym for National Institute of Standards and Technology. Agency of the United States Department of Commerce. Measurement standards laboratory. Established to meet requirements of the Federal Information Security Management Act (FISMA). Required law to protect information and promote information security. 1

2 OKAY, SO WHAT ABOUT NIST SP ? Special Publication (SP) that documents and recommends security controls. Developed as a framework/guide for federal information systems and organizations. Adopted by other governments and commercial organizations. Revision 4 is the most recent version. Not the only security framework. WELL, WHY SHOULD I CARE? Establishes controls to reduce security risks/threats to an organization. Examples of Security Risks Ransomware Malicious s Internet of Things (IoT) Humans Vulnerabilities WELL, WHY SHOULD I CARE (CONTINUED)? Lack of proper security controls to mitigate risks can expose an organization to a data breach. Biggest Data Breaches of the Past Decade: 2

3 DESIGN OF THE FRAMEWORK Seventeen (17) security control families: Includes security controls and control enhancements. Definitions and guidance for each control. Security baselines assist in establishing controls: High-Impact. Moderate-Impact. Low-Impact. Frequency and timeframe up to organization. CONTROL FAMILIES Controls are established to operate in accordance with Federal Information Processing Standard (FIPS) Publication 200. Federally mandated standards for security categorization. Emphasizes more security during the development, implementation and operation of information systems. First control of each family requires policies and procedures. ACCESS CONTROL Consists of 25 controls. Limits access to systems and data. Provides guidance for account management and privilege assignments. 3

4 AUDIT AND ACCOUNTABILITY Consists of 16 controls. Record policy violations to track who did what and when. Provides guidance on log retention and configurations. CONFIGURATION MANAGEMENT Consists of 11 controls. Focus on: Baseline establishment. Restrictions on software installation. IDENTIFICATION AND AUTHENTICATION Consists of 11 controls. Focus on authentication system settings. Provides guidance on tracking users. 4

5 PHYSICAL AND ENVIRONMENTAL PROTECTION Consists of 20 controls. Provides guidance on physical security requirements. SECURITY ASSESSMENT AND AUTHORIZATION Consists of 20 controls. Provides guidance on conducting security assessments and implementing appropriate security practices. SYSTEM AND INFORMATION INTEGRITY Consists of 17 controls. Provides guidance on monitoring systems. 5

6 INCIDENT RESPONSE INCIDENT RESPONSE (CONTINUED) Consists of 10 controls. Provides controls for: Handling incidents. Ensuring proper training and testing occurs. AWARENESS AND TRAINING 6

7 AWARENESS AND TRAINING (CONTINUED) Consists of 5 controls. Provides controls for: Training end-users. Regular training reviews. CONTINGENCY PLANNING To avoid this, define effective controls that lead to improvements. CONTINGENCY PLANNING (CONTINUED) Consists of 13 controls. Provides controls for: Planning for a disaster. Testing and training users with contingency responsibilities. 7

8 OTHER CONTROL FAMILIES Maintenance Consists of 6 controls. Provides guidance on maintenance on systems. Media protection Consists of 8 controls. Provides guidance on media controls. Personnel security Consists of 8 controls. Provides guidance on handling personnel-related security concerns. Planning Consists of 9 controls. Provides guidance on security planning for an organization. OTHER CONTROL FAMILIES (CONTINUED) Risk assessment Consists of 6 controls. Provides guidance on performing risk assessments. System and communications protection Consists of 44 controls. Provides guidance on how to implement protected communications for a system. System and services acquisition Consists of 22 controls. Provide guidance on system controls and acquiring services. CONTROL EXPECTATIONS Controls in the NIST framework can help improve security. Adhering to all the NIST controls does not mean that a data breach can not occur. Examples Employee error providing sensitive data to the wrong person. Control may not be implemented correctly. Mistakes. New vulnerabilities being identified all the time Zero day vulnerabilities. 8

9 SCOPE CONTROLS Perform a risk assessment of systems. Define specific controls. Focus on specific controls within control families that fit your environment. Consider goals: Overall organization s security controls. A specific application. Key control areas. NIST defined impact. SYSTEM CLASSIFICATION Determined by an organization. Key items to consider: Data type. Potential threats that exist. Overall risk level. System criticality. Control baselines for low, moderate, and high impact systems. IMPACT SYSTEMS Type Number of Controls Number of Control Enhancements Low Impact 50 1 Moderate Impact High Impact At least one control from the 17 control families is represented in all 3 types. 9

10 CONTROL BREAKDOWN CONTROL BREAKDOWN (CONTINUED) INTENT OF SECURITY CONTROLS IS NOT TO OVERWHELM, BUT TO PROTECT 10

11 RECOMMENDATIONS Leverage frameworks. Prioritize controls. Build/implement controls in security areas. Be patient. Prepare for ongoing efforts. Have periodic reviews of controls. SECURITY COMPLEXITY Q AND A. SUMMARY OF NIST One of several frameworks available for security controls. Includes comprehensive list of controls. Contains pre-defined prioritization. Supported and updated regularly. 11

12 Web-based version of NIST SP : NIST SP document: Center for Internet Security (CIS) Controls Top 20 (another framework): CONTACT INFORMATION Chris Jackson Daniel Milks QUESTIONS? 12

13 SOURCES vui9fu1pq4=/1532x1253/filters:no_upscale():fill(transparent,1)/about/automate d-forex-trading-56a31b705f9b58b7d0d06269.png SOURCES (CONTINUED)