In case you missed it, the National Institute of Standards and Technology (NIST) published a new guideline, “An Introduction to Information Security,” for individuals looking to gain a better understanding of introductory information security best practices.
The guide is a good high-level overview of information security principles and is targeted at those new to the field.
The NIST Special Publication 800-12 Revision 1, “An Introduction to Information Security,” provides a high-level summary of important and valuable security program elements and guidelines for those new to the field of information security, and even for experienced practitioners, covering:
- Information security terminology
- Important laws and regulations
- NIST publications
- Elements of information security
- Overview of threats and vulnerabilities
- Information policies
- Information Security risk management
- System support and operations security
- Uses of cryptography
- Control families.
I have summarized some of the key features from the nearly 100-page NIST document below.
Update: this article has been updated to reflect that NIST SP 800-12 Revision 1 is now final and effective as of June; it is no longer a draft.
1 – Information security terminology
Chapter 1 of the NIST guide opens with foundational terminology, including confidentiality, integrity, availability and security controls. The NIST definitions of these terms follow.
Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”
Integrity: “Guarding against improper information modification or destruction and ensuring information non-repudiation and authenticity.” This also includes systems and data integrity.
Availability: “Ensuring timely and reliable access to and use of information.”
Security Controls: “The safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.”
You can also check out our own list of security topics here.
2 – Important laws and regulations
Why do we need information security? Beyond the critical need to protect your organization’s brand reputation and guard against financial harm, information security is also necessary to meet local regulations and legal requirements.
NIST lays out the legal foundation for federal information security programs: these laws and regulations require federal departments and agencies to protect their systems.
A brief history of some of these laws and regulations follows.
The Computer Security Act of 1987 (superseded by FISMA): “Required agencies to identify sensitive systems, conduct computer security training, and develop computer security plans.”
Federal Information Security Management Act (FISMA): “Enacted as part of the E-Government Act of 2002 to address specific information security needs, which include, but are not limited to, providing: a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets; and the development and maintenance of minimum controls required to protect federal information and systems (as written in SEC. 301 of Public Law 107-347).”
The Federal Information Security Modernization Act of 2014: “An amendment to FISMA that made several modifications to modernize federal security practices as well as promote and strengthen the use of continuous monitoring.”
OMB Circular A-130: “Requires that federal agencies establish information security and privacy programs containing specified elements.”
NIST notes that this list is not exhaustive. Other laws are also critical to organizations depending on the type of data they store, access or share. Examples include the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy and security of health information, and the Sarbanes-Oxley (SOX) Act, which protects the general public from accounting errors and fraudulent practices in financial systems.
3 – Related NIST publications
For years, NIST has published Federal Information Processing Standards (FIPS) and Special Publications (SPs) that give more specific standards and guidelines on information security and risk management. A few examples are listed below.
FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems): “Lists standards for the categorization of information and systems, which in turn provides a common framework and understanding of expressing security in a way that promotes effective management and consistent reporting.”
FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems): “Specifies minimum security requirements for information and systems that support the executive agencies of the Federal Government as well as a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements.”
SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations): “Provides guidelines for selecting and specifying security controls for organizations and systems supporting the executive agencies of the Federal Government to meet the requirements of FIPS Publication 200.”
You can also check out our complete list of standards and guidelines in Securezoo’s Standards site as well.
4 – Elements of Information Security
NIST describes eight major elements that make up information security and explains why each concept matters.
In summary, information security:
- Supports the organization’s mission – well-chosen security controls and procedures are vital to protecting the organization’s information assets, reputation, legal position and personnel, among others. System breaches, malware and insider threats can have negative consequences for profitability and reputation.
- Is integral to sound management – management needs to strike a balance between information security protections and the cost of implementing security controls, especially since risk can’t be completely eliminated and investment resources are limited. Management is ultimately responsible for deciding the acceptable level of risk. Management’s responsibility also extends to connected third-party systems such as Cloud Service Providers (CSPs), including ensuring such providers apply an appropriate level of security to data stored, processed or transmitted.
- Should be commensurate with risk – apply controls commensurate with the risk to, and value of, the organization’s systems. Don’t waste resources by applying unnecessary controls that may be too difficult to maintain.
- Roles and responsibilities should be well understood – make sure roles and responsibilities for system owners, control owners, information owners, information security officers and users are clear and well documented. Additional security-related roles in larger organizations can include senior information security officers, security architects, security engineers, security control assessors and system administrators.
- Requires a comprehensive and integrated approach – for example defense-in-depth: multi-layered countermeasures such as intrusion detection systems (IDS), firewalls and anti-malware controls, together with physical security controls. Understand the interdependencies between security controls and don’t treat each control in a silo. For example, anti-virus software detects malware, but it should feed security event monitoring and logging systems that a security operations team watches.
- Must be regularly assessed – information security requires continuous monitoring and assessment so that new vulnerabilities and threats are identified and addressed as they emerge. Likewise, monitoring teams or individuals need to watch for and respond to alerts.
- Is constrained by societal factors – people make risk-based decisions differently depending on societal factors, so it is vital to make information security transparent and easy to understand. Organizations can use security awareness training to reduce differences in risk perception, and should strike a balance between usability and information security requirements. Don’t forget that employees need to protect the privacy of individuals and the personal data the organization collects, uses, maintains and shares.
5 – Overview of threats and vulnerabilities
NIST describes vulnerabilities as a “weakness in an information system, system security procedures, internal controls or implementation that could be exploited by a threat source.”
Examples of adversarial threat sources and events:
- Fraud and Theft (social media, social engineering and APTs) – for example, using fake social media accounts, cybercriminals can impersonate co-workers or customer service personnel and send fake email messages or malware links to steal personal or sensitive information. The same goal is pursued through phishing emails, phone calls or advanced persistent threats (APTs), which are long-term covert attacks.
- Insider Threats – employees are familiar with the organization’s systems and applications. Examples include employee sabotage, such as crashing systems, planting “logic bombs” that could destroy property or systems, or deleting data.
- Malicious hacker – a term used to describe outside attackers, botnet operators, criminal groups, foreign intelligence services, insiders, phishers, spammers, spyware/malware authors, terrorists and industrial spies.
- Malicious code – “refers to viruses, trojan horses, worms, logic bombs, and any other foreign software that can be used to attack a platform.”
- Non-adversarial threats – include errors and omissions, loss of physical and infrastructure support, and impacts to personal privacy and information sharing.
6 – Information Policies
Information policies, standards, guidelines and procedures are all important components of an organization’s information security program, as described below.
Information Security Policy – defined by NIST as “an aggregate of directives, regulations, rules, and practices that prescribes how an organization manages, protects, and distributes information.”
Standards and Guidelines – specify more detailed technologies and methodologies to secure systems (such as system hardening standards for servers and desktops). Standards ensure uniform use of specific technologies in the organization.
Procedures – detailed steps to meet security objectives and standards.
A few examples of important “issue-specific” policies that organizations should develop include, but are not limited to:
- Internet access acceptable use
- Email privacy (clarify what information is collected and monitored)
- Bring your own device (BYOD)
- Social media.
7 – Information Security risk management
As defined by NIST, risk is “a measure of the extent an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.”
Further, risk management is defined as “the process of minimizing risks to organizational operations (e.g., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation of a system.”
NIST provides a Risk Management Framework (RMF) consisting of six steps:
- Categorize the system and its information (see FIPS 199 and SP 800-60).
- Select an initial set of baseline security controls (see SP 800-53 and FIPS 200).
- Implement the security controls.
- Assess the security controls.
- Authorize the system to operate based on the results of the assessment.
- Continuously monitor the controls to ensure they remain effective.
8 – Assurance
According to NIST, information assurance is “the degree of confidence one has that security measures protect and defend information and systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of systems by incorporating protection, detection, and reaction capabilities.”
Assurance includes, but is not limited to:
- Authorization – such as the authorization of a system to operate.
- Security engineering – such as building trustworthy and resilient systems.
- Operational assurance – such as assessments, audit methods, automated tools (vulnerability scanners and virus scanners), penetration tests and configuration management.
9 – System support and operations security
According to NIST, the primary goal of system support and operations security is “the continued and correct operation of the system, whereas the information security goals of a system include confidentiality, availability, and integrity.”
Examples of system support and operations security include, but are not limited to:
- User support – such as help desk and operations staff.
- Software support – such as controlling what software is used on systems to reduce the chance of system vulnerabilities and viruses.
- Configuration Management – the process of tracking and approving changes to systems; it also ensures software has not been modified by unauthorized individuals.
- Backups – critical to contingency planning.
- Media controls – securing and preventing unauthorized access to electronic media (removable media, hard disk drives, flash drives) and non-digital media (paper, microfilm).
- Documentation – formalizes operations practices and procedures, helping eliminate security lapses and ensure quality assurance.
- Maintenance – properly maintain and repair systems.
10 – Uses of cryptography
According to NIST, cryptography “is used to protect data both inside and outside the boundaries of a system. Data within a system may be sufficiently protected with logical and physical access controls supplemented by cryptography.”
A few examples of cryptographic uses (with NIST’s definitions) include:
- Encryption: “One of the best ways to obtain cost-effective data confidentiality is through the use of encryption. Encryption transforms intelligible data, called plaintext, into an unintelligible form, called cipher text. This is reversed through the process of decryption. Once data is encrypted, the cipher text does not have to be protected against disclosure.”
- Integrity: “A property whereby data has not been altered in an unauthorized manner since it was created, transmitted, or stored.”
- Electronic signatures: “The electronic equivalent of a written signature that can be recognized as having the same legal status as a written signature. In addition to the integrity protections discussed above, cryptography can provide a means of linking a document with a particular person, as is done with a written signature. Electronic signatures can use either secret key or public key cryptography. However, public key methods are generally easier to use.”
- Key management: includes “the procedures and protocols, both manual and automated, used throughout the entire life cycle of the keys. This includes the generation, distribution, storage, entry, use, destruction, and archiving of cryptographic keys.”
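To make the three uses above concrete, here is an added example (not from the NIST guide or from this article) written against the Go standard library. It encrypts a record with AES-256-GCM (confidentiality plus integrity), signs the result with an Ed25519 key so the record is linked to a particular sender (the electronic signature), and shows that an altered ciphertext, a wrong data key, or a different signer is rejected on open. The record format `Sealed`, the function names and the sample record text are all constructed for this example; real key storage and destruction, the later stages of the key life cycle, are outside its scope.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sealed is a constructed record format for this example: the AES-GCM nonce,
// the ciphertext (which ends with GCM's authentication tag) and an Ed25519
// signature by the sender over nonce||ciphertext.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
	Signature  []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify: record is not from the expected signer")
	ErrAuthFailed   = errors.New("GCM authentication failed: wrong key or altered ciphertext")
)

// NewDataKey generates a random 256-bit AES key (the generation step of the
// key life cycle). Storage, distribution and destruction are not shown here.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext under key with AES-256-GCM and then signs the
// nonce and ciphertext with the sender's Ed25519 private key.
func Seal(key []byte, signer ed25519.PrivateKey, plaintext []byte) (Sealed, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Sealed{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	signed := append(append([]byte{}, nonce...), ct...)
	return Sealed{Nonce: nonce, Ciphertext: ct, Signature: ed25519.Sign(signer, signed)}, nil
}

// Open first checks who sent the record (signature), then whether it was
// altered (GCM tag) and only then reveals the plaintext.
func Open(key []byte, signerPub ed25519.PublicKey, s Sealed) ([]byte, error) {
	signed := append(append([]byte{}, s.Nonce...), s.Ciphertext...)
	if !ed25519.Verify(signerPub, signed, s.Signature) {
		return nil, ErrBadSignature
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, nil)
	if err != nil {
		return nil, ErrAuthFailed
	}
	return pt, nil
}

func main() {
	key, _ := NewDataKey()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rec, _ := Seal(key, priv, []byte("constructed sample record"))

	pt, err := Open(key, pub, rec)
	fmt.Printf("intact record: %q (err=%v)\n", pt, err)

	// Simulate a one-bit alteration in transit: the signature no longer verifies.
	rec.Ciphertext[0] ^= 0x01
	_, err = Open(key, pub, rec)
	fmt.Println("altered record:", err)
}
```

The signature is checked before decryption so that a record from an unexpected sender is rejected without touching the data key; the GCM tag then catches any alteration (or a wrong key) that a valid signature does not explain. Both failures surface as distinct errors, which is what a monitoring pipeline would want to log.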
11 – Control families
NIST provides an excellent list of security controls grouped into 18 families or categories.
The NIST control families include:
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Security Assessment and Authorization (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environmental Security (PE)
- Planning (PL)
- Personnel Security (PS)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communication Protection (SC)
- System and Information Integrity (SI)
- Program Management (PM)
A complete catalog of the security controls is also available in SP 800-53, which can also be found on our Standards site.
That wraps up our summary of important features from NIST’s Introduction to Information Security guideline. I hope this is useful whether you are just starting out in information security or a seasoned professional.