Financial data is continuously at risk of theft from external cyber threats. These threats have the potential to cost financial institutions like banks and credit unions millions of dollars in damages. The persistence of these threats remains an issue to those within the computer security domain. Security managers and executives need guidance on how to manage information systems under their purview and address these threats as they develop. Enter the NIST 800.
The NIST 800 series is a technical standard set of publications that details U.S. government procedures, policies, and guidelines on information systems - developed by the National Institute of Standards and Technology. This non-regulatory agency assists agencies by supplying information to aid in information systems governance.
While they may not hold any data regarding that particular aspect, specific criteria must be met when it comes to computer network security. The NIST 800 publications provide a baseline on how government and private organizations should administer their network security posture, including their security policies.
Individual publications related to the series tie into different aspects of the cyber defense domain. Even though private organizations aren't necessarily aware this particular series exists in the first place, they already implement many of the standards contained therein as part of their business practices. Details contained in the NIST 800 references include, but are not limited to:
- Protecting controlled unclassified information
- Developing a cybersecurity workforce, etc
- Email cryptography and protection
These references continue to evolve today as information technology changes frequently as well.
NIST 800-53 is a unique publication that contains an index of privacy and security controls to information systems except for networks that handle national security. The publication underwent several revisions over the past three decades due to NIST's partnership with the Department of Defense, civil and intelligence agencies. The latest iteration of this publication is Revision 5, which covers some of the following:
Revision 5 was on hold due to disagreements between U.S. federal agencies. It is currently available for public dissemination as of September 2020.
Revision 4, released in 2012, emphasizes specific subject areas, including but not limited to:
There are many control families listed under this specific revision, including:
One of the latest releases within the NIST 800 series is the NIST 800-207, which serves as a reference for the Zero Trust principle for network security. The Zero Trust concept focuses on vetting and controlling accesses for remote assets accessing the headquarters network, under the assumption that they are not to be trusted based on their physical and network location. Authentication and authorization are vetted at both the user and device levels before they access the system.
Typically, private organizations may choose to comply with the publications under the NIST 800 voluntarily. However, contractor companies tied to federal agencies via obligatory contracts must comply with the standards laid out by references linked to the NIST 800, specifically NIST 800-171.
Today's challenges are to maintain the privacy and security of corporate data from external threats attempting to breach network defenses and maintain the enterprise's operation. You can access all the relevant publications related to the NIST 800 Series from the Computer Security Resource Center.
Get in touch with Rivial to get a NIST Security Audit today.