Compliance

Dictionaries define compliance.  Business define compliance.  We have our personal interpretations of compliance.  To me, it means:

Following what is recommended to achieve a similar result.

In life, there are always people willing to tell you what to do and how to do it. IT security is no different, so get over it.  You may think you know everything, but for once, please be humble enough to just listen.  In this topic, I will be writing about the Department of Commerce, the division known as NIST (National Institute of Standards and Technology) and why they are one of the most relevant organizations in our lives.

Step #1:  Perform your own internet search on NIST and its history

 

Step #2: Be very glad that they exist.

OK, all kidding aside.  NIST was created to maintain standards.  How long is a foot, a mile?  What does the official pound weigh?  What is the correct Time?  This stuff really matters as it is the cornerstone of all society.

In their computer division, they also created a series of security standards.  But it’s not all about computers, security starts with people.  In this series of articles I’m going to attempt to explain the computer security standards as laid out by NIST and the compliance models that are associated to them and why they are relevant.

So as  Bette Davis said, “Fasten your seatbelts, it’s going to be a bumpy night.”

 

-Dave

The IT Guy

Advertisements

NIST. A nerd’s dream come true.

Introduction

Welcome back.  The next part of the series will be about the organization of the NIST site and what to look for.  The fact to keep in mind is that Cyber Security is ever-evolving.  threats change constantly and to combat (or mitigate) those threats and risks, the responses have to change too.  This is VERY similar to biology and viruses, consider them the same.

Publications

The NIST site is organizated along different publication types and yes, I’m taking the following directly from their site.

  • Federal Information Processing Standards (FIPS) Publications are standards issued by NIST after approval by the Secretary of Commerce pursuant to the Federal Information Security Management Act (FISMA).
  • Special Publications (SP)
    • SP 800, Computer Security (December 1990-present):
      NIST’s primary mode of publishing computer/cyber/information securityguidelines, recommendations and reference materials
      (SP 800s are also searchable in the NIST Library Catalog);
    • SP 1800, NIST Cybersecurity Practice Guides (2015-present):  A new subseries created to complement the SP 800s; targets specific cybersecurity challenges in the public and private sectors; practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity;
    • SP 500, Computer Systems Technology (January 1977-present): A general IT subseries used more broadly by NIST’s Information Technology Laboratory (ITL), this page lists selected SP 500s related to NIST’s computer security efforts. (Prior to the SP 800 subseries, NIST used the SP 500 subseries for computer security publications; seeArchived NIST SPs for a list.)
  • NIST Internal or Interagency Reports (NISTIRs) describe research of a technical nature of interest to a specialized audience. The series includes interim or final reports on work performed by NIST for outside sponsors (both government and nongovernment). NISTIRs may also report results of NIST projects of transitory or limited interest, including those that will be published subsequently in more comprehensive form.

Sounds scary?  Like a mountain of documents in government speak about security?

Navigating the documents

There is a path to this madness, but there is also a shortcut that will get you to the same place.  First of all all the documents are in a PDF format and you don’t have to pay for them.  The US taxpayers already did that.  Security guidelines are and should be free as these are just guidelines.

First of all navigate to the NIST SPECIAL PUBLICATIONS (SP) and download 3 PDF files.

  • SP800-53 Rev 4.  Security and Privacy Controls for Federal Information Systems and Organizations
  • SP800-53 A rev 4 Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
  • SP800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

These 3 publications contain over 90% of what is needed to establish and maintain an effective cyber security program.  Hundreds of pages, months of work.

or.

Using SP171 as a starting point, everything is considered to be NIST Moderate (due to high water mark principle).  Design you own security controls around the NIST Moderate level.  800-53 will instruct you what to do and 800-53 A (A is for audit) will give you the guidelines on how to measure your control to determins if they are effective in design and implementation.

A security program

The traditional program of project management to implementation won’t work in Security.  NIST is designed around “Control Families”, 18 in all.  In the NIST site, there are specific SP docs that relate to a control family.  Don’t get too hung up about the specifics of the control family as there are a lot of overlap in the SP documents and 1 SP doc may relate to all control families.

800-53 R4 has references to consult witht he FIPS -199 doc when implementing a RMF (Risk Management Framework) process.  Simply the RMF process is like the PMO (plan, Do, check, Act) approach or any other SDLC process.  RMF just formalizes the steps and documents to follow at each step.  Again THIS IS A GUIDELINE!

The end goal for all of this is to ensure that NOTHING IS DONE IN SECRET, implementations, updrages, and patch management is ALWAYS done with management knowledge and approvals.  This goes down to the code reviews, testing plans and implementation schedules.

  • is it cumbersome? yes!
  • is it a ridicilous amount of approvals? yes!
  • and it needs to be.

Because if you have implemented the Moderate NIST guidelines and have management approvals at each step, you can demonstrate that you have effective controls over your computer systems.  Make the bad guy work harder, don’t just hand them the keys.

 

An outlet

Introduction

I’m writing this more for an outlet than anything else.  I’m an IT Guy with over 30 years in the field.  I earned an B.S. in Computer Science, an MA in Information Systems Management and certificates of (ITIL, CISSP, and CISA), so I have a general understanding of what I ‘m talking about.  Early on I had to make a choice between a creative or technical path.  I chose the technical, but always stayed in touch with the creative.  Today I don’t regret the choices I’ve made, just question them as in “What the heck was I thinking”?

Today I work for a fortune 100 company with specific responsibilities in IT Security and regulatory compliance, specifically with NIST and other federal agencies.  My function is sort of Rosetta stone of translation.  Translate Fed-Speak into policies, procedures and action.

I hate the modern-day auditing function.  It is not helpful at all and effectively allows summary judgements to be levied by without reproach.  The management functions are punitive and fearful that passing an audit is all they really care about.  Business management are scared and generally feel that having a box checked as ‘complete’ is some magic shield from which no harm will come.

My own opinion is that the Internal Audit function should be a partner to the business and act in a consultant capacity instead of judge, jury and executioner.   They should be the teacher and the strategic leader from which new and better cyber security initiatives rise from.  That’s what I do.

History

Before 2002 every Federal agency had their own IT staff, policies, procedures.  It was a huge waste of money but it worked at the time.  In 2002, the FISMA (Federal Information Security Act) was signed into law.  This authorized the branch of the Department of Commerce known as the National Institute of Standards and Technology as the sole source of US Federal computer security guidelines.  This wasn’t something that was created overnight, NIST developed computer security guidelines since the 1970’s.  The law was the way that the US went from a patchwork of independent practices to one way to do it.  This quietly did somethign that was rarely done before.  It streamlined a government process.

Within NIST, there are many departments and divisions.  The one that I am going to write about is the “Computer Security Division”.  Keep in mind that you will not learn something super secret here, just how to do things better.  Within the Computer Security Division there is the Computer Security Resource Center which I have linked to their website.  This is where we will continue from the next time.