National Institute of Standards and Technology issues a new draft of its influential publication on security and privacy controls for information systems and organisations
August 18, 2017
The National Institute of Standards and Technology (“NIST”) produces excellent technical publications on data security and privacy which have wide application not only throughout the US Government but also in many other organisations. It is in many ways the gold standard. That is not to detract from the Australian Government Information Security Manual, which is an excellent resource but is not used nearly enough by practitioners in the data security field.
NIST has announced the release of a new draft revision of Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. What is notable about this publication is that it is now focused on both Government and private systems. NIST is providing a resource to assist any organisation, or person, to maintain security and privacy in their internet systems and the internet of things. The internet of things, with its myriad of potential security problems, requires particular attention in establishing proper data security and privacy protections. Privacy and data security relate to personal information irrespective of where that information is collected and stored. The internet of things accelerates the collection of data. Unfortunately, many interconnected devices are poorly served by their security systems, with weak or non-existent password protection, a lack of encryption and generally easy-to-penetrate data security programs.
At 494 pages the Publication is more than an afternoon’s read. But it is worth reading.
The media release provides:
Information systems—from communications platforms to internet-connected devices—require both security and privacy safeguards to work successfully and protect users in our increasingly complex and interconnected world.
Toward these ends, the National Institute of Standards and Technology (NIST) has issued a new draft revision of its widely used Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. Developed by a joint task force consisting of representatives of the civil, defense and intelligence communities, the draft fifth revision of SP 800-53 represents an ongoing effort to produce a unified information security framework for the federal government.
However, the latest draft goes beyond both information security and the federal government to address ways all kinds of organizations can maintain security and privacy in their interconnected systems.
Revision 5 “takes the guidance in new directions—we are crafting the next-generation catalog of controls that can also be applied to secure the Internet of Things,” said Ron Ross, NIST fellow and team leader of the joint task force that wrote the updated publication. Controls are security and privacy safeguards—both technical and procedural—designed to protect systems, organizations and individuals.
Privacy is now fully integrated throughout the new draft, a first for any control catalog. “This revision covers the overlap in security and privacy for systems, as well as the ways in which they are distinct,” said NIST senior privacy policy advisor Naomi Lefkovitz. “It also enhances the ability for both professional teams to collaborate yet still maintain their respective authorities.” SP 800-53 Revision 5 adds two new control families that focus solely on privacy; the remaining privacy controls are integrated throughout the rest of the control families.
For example, one privacy control addresses the data captured by sensors such as those used in traffic-monitoring cameras in smart cities. The control advises configuring such sensors in a way that minimizes their capturing data about individuals that’s not necessary for the traffic-monitoring system to carry out its function.
While previous versions targeted federal agencies, other organizations, particularly industry, are voluntarily adopting SP 800-53. The controls have been updated to address the needs of the more diverse user group, including enterprise-level security and privacy professionals, component product developers, and systems engineers who are now working on privacy and security.
For example, an IT system may employ cameras. Security experts determine security controls for the camera sensor, while privacy professionals decide on privacy controls such as a control to preserve a passerby’s privacy. Also, the control selection process is now separated from the security control catalog and included in the NIST Risk Management Framework, described in NIST Special Publication 800-37, so that organizations outside of the federal government can more easily use the NIST controls with the frameworks they currently use, such as ISO 27001 and the Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework.
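The traffic-camera privacy control described in the media release (configure the sensor so it keeps only the data the traffic-monitoring function needs, and nothing that identifies a passerby) can be expressed as a purpose-bound data-minimisation step at the sensor boundary. The following is an added illustration written for this post; it is not code from NIST, SP 800-53 or the blog. The field names, the policy structure, the five-minute timestamp bucketing and the sample sensor events are all assumptions constructed for the example.

```python
"""Purpose-bound data minimisation at a traffic-sensor boundary.

Added example (not from NIST or the original post). Each raw sensor event
is reduced to the fields the declared purpose needs; identifying fields are
dropped before the event leaves the sensor, timestamps are coarsened, and a
count of what was dropped is kept so the configuration can be audited.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumption: these are the only fields a traffic-flow function needs.
TRAFFIC_MONITORING_FIELDS = frozenset({"timestamp", "lane", "speed_kph", "vehicle_class"})

# Assumption: fields that identify a person or a specific vehicle. A policy
# that retains any of these is rejected outright rather than silently allowed.
IDENTIFYING_FIELDS = frozenset({"plate", "face_image", "bluetooth_mac"})


@dataclass(frozen=True)
class MinimisationPolicy:
    purpose: str
    allowed_fields: frozenset
    timestamp_bucket_seconds: int = 300  # 5-minute buckets are enough for flow counts


def validate_policy(policy: MinimisationPolicy) -> bool:
    """Refuse any configuration that would retain identifying fields."""
    leak = policy.allowed_fields & IDENTIFYING_FIELDS
    if leak:
        raise ValueError(
            f"policy '{policy.purpose}' would retain identifying fields: {sorted(leak)}"
        )
    return True


def coarsen_timestamp(iso_ts: str, bucket_seconds: int) -> str:
    """Round an ISO-8601 timestamp down to the start of its bucket (UTC)."""
    epoch = int(datetime.fromisoformat(iso_ts).timestamp())
    bucket_start = epoch - (epoch % bucket_seconds)
    return datetime.fromtimestamp(bucket_start, tz=timezone.utc).isoformat()


def minimise_event(event: dict, policy: MinimisationPolicy) -> dict:
    """Keep only allowed fields and coarsen the timestamp."""
    validate_policy(policy)
    kept = {k: v for k, v in event.items() if k in policy.allowed_fields}
    if "timestamp" in kept:
        kept["timestamp"] = coarsen_timestamp(kept["timestamp"], policy.timestamp_bucket_seconds)
    return kept


def process_feed(events: list, policy: MinimisationPolicy):
    """Minimise a batch of events; return (records, per-field drop counts)."""
    dropped = Counter()
    records = []
    for event in events:
        kept = minimise_event(event, policy)
        dropped.update(set(event) - set(kept))
        records.append(kept)
    return records, dict(dropped)


# Constructed sample events, as a poorly configured sensor might emit them.
RAW_EVENTS = [
    {"timestamp": "2017-08-18T09:03:27+00:00", "lane": 2, "speed_kph": 54.0,
     "vehicle_class": "car", "plate": "ABC123", "face_image": "<jpeg bytes>"},
    {"timestamp": "2017-08-18T09:07:59+00:00", "lane": 1, "speed_kph": 71.5,
     "vehicle_class": "truck", "plate": "XYZ789", "bluetooth_mac": "AA:BB:CC:DD:EE:FF"},
]

TRAFFIC_POLICY = MinimisationPolicy("traffic-monitoring", TRAFFIC_MONITORING_FIELDS)

if __name__ == "__main__":
    records, dropped = process_feed(RAW_EVENTS, TRAFFIC_POLICY)
    for record in records:
        print(record)
    print("dropped per field:", dropped)
```

The drop counter is the auditable part: if the sensor is later reconfigured to emit a new identifying field, it shows up in the counts without ever reaching storage, and a policy that tries to keep such a field fails validation before any event is processed. The same structure applies to any sensor whose operator has to separate the data its function needs from the data it merely happens to capture.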