OUR THOUGHTS ON:

Updates to NIST Special Publication 800-53 Revision 4

Risk Advisory/Internal Audit

By Eric Fair

Last month the National Institute of Standards and Technology (NIST) released an updated version of Special Publication 800-53, Revision 4, which represents the most comprehensive update to the security controls since the publication was first developed in 2005. The guidance for this revision was provided collaboratively by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems, in response to advances and increased threats in mobility, cloud computing, social networking, advanced persistent threats, insider threats and disruptive distributed denial-of-service attacks, application security, assurance, and trustworthiness. As a result, well-thought-out security controls and control enhancements have been developed and incorporated into the guidance to address these prominent and increasingly significant areas. The publication has been strengthened to include more than 200 new controls and control enhancements, with more descriptive language, including new “Privacy” controls (privacy now appears in the publication’s title) and implementation guidance based on the internationally accepted “Fair Information Practice Principles.”

The guidance provides a means to help senior leaders determine the essential security and privacy controls that keep organizations prepared for cyber attacks and other advanced security threats. The guidance also provides suggestions for a number of continuous monitoring controls. Continuous monitoring controls provide near-real-time information to senior members of management, supporting ongoing risk-based decisions about the critical business functions within an organization. Overlays, also introduced in this revision, provide a structured approach that helps organizations customize security control baselines for specific sectors (e.g., government, financial, and healthcare). These overlays assist in the development of security plans for critical business functions and the technologies that surround them. Tied to the overlays are assumptions, which have also been added in this revision; the assumptions relate to the development of security control baselines and to the updated tailoring guidance. Additional elements that have been added include:

• Additional assignment and selection statements over security and privacy controls;
• Descriptive names for security and privacy control enhancements;
• Consolidated tables for security controls and control enhancements (by family with baseline allocations);
• Tables for security controls that support development, evaluation, and operational assurance; and
• Table mapping to the international security standard ISO/IEC 15408.

Further details surrounding the changes to the security controls and security control baselines can be viewed in the markup version of SP 800-53, Revision 4 (see References below).

If you have additional questions surrounding NIST guidelines or how to best implement them in your organization, please contact Eric Wright (412-697-5328 | ewright@schneiderdowns.com).

References:
http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
http://www.bankinfosecurity.com/blogs/previewing-nists-catalogue-controls-p-1380/op-1


© 2013 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
