A wave of new legislation is reaching the cybersecurity scene. These laws and regulations are only the beginning of a new era of government involvement in network security policy.
But what do these new government policies mean for the little guy? How can you know which rules to follow to keep your business and clients safe?
A good place to start is NIST SP 800-171.
The National Institute of Standards and Technology (NIST) is a federal agency that sets a variety of national standards. Among them are the standards for securing data in federal computer systems (except those related to national security).
NIST also publishes a set of requirements for nonfederal systems. Known as NIST SP 800-171, it was written for organizations outside the federal government (contractors, universities, state and local agencies) to protect Controlled Unclassified Information (CUI) that the federal government shares with them, wherever they process, store, or transmit it.
The nonfederal framework is also a practical baseline for any organization. It can be used to protect any type of data in a small business, including customer, credit card, and business data. Following it will reduce your exposure to common attacks and lets you show regulators and customers the due care you have taken.
Will following NIST 800-171 guarantee that you will stay out of legal trouble? No; only following the cyber regulations that apply to your industry (and the contracts you sign) can do that.
However, in a hailstorm of cyber regulation, the NIST guidelines can give you a solid shelter to protect your network. The winds of the storm will shift and blow, and your network will be on solid ground.
The full name of the framework is a mouthful:
NIST Special Publication 800-171 - Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
The 77-page document is derived from the security requirements in FIPS 200 and the moderate baseline of the much larger NIST framework known as SP 800-53. That 462-page behemoth is the catalog of controls for protecting federal systems.
The lighter, yet still effective, NIST 800-171 organizes its requirements into 14 families, which we outline below.
1) Access Control – Limit system access to authorized users, to processes acting on their behalf, and to authorized devices, and limit each user to the transactions and functions they are permitted to perform. This includes controlling remote access, mobile devices, and the flow of CUI within the system.
2) Awareness and Training – NIST 800-171 holds you responsible for making sure managers, administrators, and users understand the security risks of their activities and the policies, standards, and procedures that apply to them. Users should also be taught how their everyday online activities can endanger the company's network.
3) Audit and Accountability – Create and retain system audit records sufficient to monitor, analyze, investigate, and report unlawful or unauthorized activity, and make sure each action can be traced to an individual user so that user can be held accountable.
4) Configuration Management – Establish and maintain baseline configurations and inventories of your systems, restrict them to essential capabilities, and control and monitor the software users are allowed to install.
5) Identification and Authentication – Identify users (and the processes or devices acting for them) and authenticate them before granting access. Stricter rules on reusing identifiers and on disabling identifiers after a period of inactivity help keep former employees and orphaned accounts from becoming a way in.
6) Incident Response – A company's response to an incident, covering preparation, detection, analysis, containment, recovery, and reporting, should be developed and practiced well before a real incident occurs.
7) Maintenance – As always, maintenance on information systems should be conducted on a regular basis, with control over the tools, techniques, and personnel used to perform it.
8) Media Protection – Sanitize, sanitize, sanitize. Limit access to physical and digital media containing CUI, store it securely, and sanitize or destroy it before disposal or reuse so that sensitive data does not leave with the hardware.
9) Personnel Security – Personnel security addresses the risks that come with hiring and releasing employees. Screen individuals before allowing them access to systems that hold CUI, and make sure that access is revoked promptly when employees are terminated or transferred.
10) Physical Protection – The physical security of your network is just as important as its logical security. Limit physical access to systems and equipment to authorized individuals, escort and monitor visitors, and keep track of physical access devices such as keys and badges.
11) Risk Assessment – Periodically assess the risk to your operations, assets, and people that comes from handling CUI, scan your systems and applications for vulnerabilities, and remediate what you find.
12) Security Assessment – Just as it sounds, security assessment is about periodically checking whether your controls actually work, writing down plans of action to fix the deficiencies you find, and monitoring the controls on an ongoing basis.
13) System and Communications Protection – Monitor, control, and protect communications at the external boundary and key internal boundaries of your systems, and use architectures and techniques (such as separating user functionality from system management) that promote effective security.
14) System and Information Integrity – And lastly, identify, report, and correct system flaws in a timely manner, protect your systems against malicious code, and monitor security alerts and advisories.
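To make the Identification and Authentication family (item 5) concrete, here is an added example, not code from NIST or from the original article, that checks a directory export against two of its requirements: enabled accounts that have been inactive for too long should be disabled, and a retired identifier should not be handed to a new person until a cooling-off period has passed. The account records, the 90-day inactivity limit, the one-year reuse window, and the reference date are all constructed assumptions for illustration; your organization sets its own values.

```python
from datetime import datetime, timedelta, timezone

# Policy values are assumptions for this example; 800-171 leaves the
# actual periods to the organization.
INACTIVITY_LIMIT = timedelta(days=90)
REUSE_COOLDOWN = timedelta(days=365)

# Constructed sample directory export (not real data). Timestamps are ISO 8601.
ACCOUNTS = [
    {"username": "alice", "last_login": "2024-05-20T09:12:00+00:00", "enabled": True},
    {"username": "bob", "last_login": "2023-11-02T16:45:00+00:00", "enabled": True},
    # A service account that has never logged in: fall back to its creation date.
    {"username": "svc-backup", "last_login": None, "enabled": True,
     "created": "2023-01-10T00:00:00+00:00"},
    # Already disabled, so it should not be flagged again.
    {"username": "carol", "last_login": "2023-06-01T08:00:00+00:00", "enabled": False},
]

# Constructed registry of identifiers that were retired and when.
RETIRED = {
    "dave": "2024-03-15T00:00:00+00:00",   # retired recently, still in cooldown
    "erin": "2022-01-01T00:00:00+00:00",   # retired long ago, cooldown has passed
}

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO 8601 timestamp with offset into an aware datetime."""
    return datetime.fromisoformat(value)


def find_inactive(accounts, now=NOW, limit=INACTIVITY_LIMIT):
    """Return usernames of enabled accounts whose last activity is older than `limit`.

    Accounts with no recorded login are judged by their creation date; an
    account with neither is treated as stale so it gets reviewed.
    """
    stale = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = acct.get("last_login") or acct.get("created")
        if last is None or now - parse_ts(last) > limit:
            stale.append(acct["username"])
    return stale


def identifier_available(name, accounts, retired, now=NOW, cooldown=REUSE_COOLDOWN):
    """Decide whether `name` may be assigned to a new user.

    Returns (allowed, reason). A name is refused while it is assigned to a
    live account or while a retired copy of it is still inside the cooldown.
    """
    if any(a["username"] == name for a in accounts):
        return False, "identifier currently assigned"
    if name in retired:
        reusable_on = parse_ts(retired[name]) + cooldown
        if now < reusable_on:
            return False, f"retired identifier; reusable after {reusable_on.date()}"
    return True, "available"


if __name__ == "__main__":
    for user in find_inactive(ACCOUNTS):
        print(f"disable (inactive > {INACTIVITY_LIMIT.days} days): {user}")
    for candidate in ["dave", "erin", "alice", "frank"]:
        ok, why = identifier_available(candidate, ACCOUNTS, RETIRED)
        print(f"{candidate}: {'OK' if ok else 'REFUSED'} ({why})")
```

In practice the account list would come from your directory (Active Directory, an IdP export, or /etc/passwd plus last-login data), and the retired-identifier registry is the piece most organizations forget to keep; without it, nothing stops a new hire from receiving a username that still appears in old audit logs and old access control lists.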
Using NIST 800-171 as a starting point is a great way to buff up your company’s policies, and it also serves as a natural introduction to the information found in NIST 800-53.
For more information on NIST 800-171 or NIST 800-53, check the resources at NIST.gov.
Putting these requirements in place in your company may take time, but by adopting the same guidelines the federal government uses for its own systems, you set your company and your clients up for success in the future.