NIST 800-171 Framework
1. Access Control
Access Control governs who or what may make use of any system resource. The question it answers is: who has the authorization to view this data?
2. Awareness and Training
Awareness and Training shows system users their security responsibilities and provides continuous education around correct security practices. The training helps change users' behavior. It also supports individual accountability, which is one of the most important ways to improve information security and prevent a data breach. Without knowing the necessary security measures or how to use them, users cannot be truly accountable for their actions. The purpose of information security awareness, training, and education is to enhance cybersecurity compliance by educating users on best practices.
3. Audit and Accountability
Audit and Accountability assesses the adequacy of cybersecurity requirements and ensures compliance with established policies and operational procedures. An audit trail is a record of which individuals accessed a system and which operations each user performed during a given period. Audit trails maintain a record of system activity, both the activity of the system itself and the activity of users within systems and applications. Examples of audit and accountability requirements include audit events, time stamps, nonrepudiation, protection of audit information, audit record retention, and session audit. Companies should create, protect, and retain system audit records to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate system activity, and ensure that the actions of users can be uniquely traced to those users so they can be held accountable.
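The requirements named above (time stamps, unique attribution to a user, protection of audit information) can be demonstrated with a small tamper-evident audit trail. The following is an added example, not code from the page or from NIST: each record carries a timestamp, the acting user, the operation and its outcome, and an HMAC that chains to the previous record, so that editing or deleting any record is detected at verification time. The key, the sample events and the timestamps are constructed for the demonstration.

```python
"""Tamper-evident audit trail: timestamped, user-attributed records whose HMACs
chain to the previous record, so modification or deletion is detectable.
Added example; the key and sample events are constructed, not from any real system."""
import hmac
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed key. In practice it lives in a key store outside the audited system,
# so that someone who can edit the log cannot recompute the chain.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key: bytes, prev_mac: str, payload: Dict) -> str:
    # Canonical JSON keeps the MAC stable regardless of dict ordering.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append_record(trail: List[Dict], user: str, operation: str, resource: str,
                  outcome: str, ts: Optional[str] = None) -> Dict:
    """Append one attributable event. ts may be supplied for reproducible runs."""
    payload = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user,            # unique identity -> individual accountability
        "operation": operation,
        "resource": resource,
        "outcome": outcome,
    }
    prev = trail[-1]["mac"] if trail else GENESIS
    record = dict(payload, mac=_mac(AUDIT_KEY, prev, payload))
    trail.append(record)
    return record


def verify_trail(trail: List[Dict], key: bytes = AUDIT_KEY) -> Tuple[bool, int]:
    """Return (ok, index of first bad record); the index is -1 when the trail is intact."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        payload = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(rec["mac"], _mac(key, prev, payload)):
            return False, i
        prev = rec["mac"]
    return True, -1


def events_by_user(trail: List[Dict], user: str) -> List[Dict]:
    """Answer 'what did this user do?', the question an audit trail exists for."""
    return [r for r in trail if r["user"] == user]


def build_sample_trail() -> List[Dict]:
    # Constructed sample events with fixed timestamps.
    trail: List[Dict] = []
    append_record(trail, "alice", "LOGIN", "vpn-gw", "success", "2024-01-02T08:00:00+00:00")
    append_record(trail, "alice", "READ", "/cui/contract-42.pdf", "success", "2024-01-02T08:01:10+00:00")
    append_record(trail, "bob", "DELETE", "/cui/contract-42.pdf", "denied", "2024-01-02T08:05:33+00:00")
    return trail


if __name__ == "__main__":
    t = build_sample_trail()
    print("intact:", verify_trail(t))
    t[1]["user"] = "bob"          # someone tries to shift blame for the read
    print("after edit:", verify_trail(t))
```

The chain detects changed or removed records anywhere in the middle of the trail; it does not by itself detect truncation of the most recent records, which is why a retention process (a separately stored copy of the latest MAC, or forwarding to a write-once log store) is part of the same family of requirements.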
4. Configuration management
Configuration management focuses on the integrity of information technology systems through the control of processes for initializing, changing, and monitoring the configurations of those products and systems throughout the System Development Life Cycle (SDLC). It ensures that security is built into the development and implementation of a system, and sets out a path for governing any changes through a change control board.
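Monitoring configurations against an approved baseline, and tying each change back to change-control approval, is the operational heart of this family. The following added example (not code from the page or from NIST) fingerprints a set of configuration items, compares the current state with the recorded baseline, and reports every change that has no change-control ticket. The baseline, current state and approval list are constructed in-memory samples; on a real system the items would be read from disk.

```python
"""Configuration baseline drift check with change-control reconciliation.
Added example; baseline, current state and approvals are constructed samples."""
import hashlib
from typing import Dict, List, Set, Tuple


def fingerprint(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def take_baseline(config_items: Dict[str, str]) -> Dict[str, str]:
    """Record the approved state as path -> content hash."""
    return {path: fingerprint(body) for path, body in config_items.items()}


def detect_drift(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between the baseline and the current state."""
    cur_hashes = {p: fingerprint(b) for p, b in current.items()}
    return {
        "added":   sorted(p for p in cur_hashes if p not in baseline),
        "removed": sorted(p for p in baseline if p not in cur_hashes),
        "changed": sorted(p for p in cur_hashes
                          if p in baseline and cur_hashes[p] != baseline[p]),
    }


def unapproved_changes(drift: Dict[str, List[str]], approved: Set[str]) -> List[str]:
    """Changes without a change-control ticket are the ones needing investigation."""
    touched = drift["added"] + drift["removed"] + drift["changed"]
    return sorted(p for p in touched if p not in approved)


# Constructed sample: the baseline hardened sshd; the current state has loosened it
# without approval and added a cron job that does have a ticket.
BASELINE_ITEMS = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/audit/rules.d/cui.rules": "-w /cui -p rwa -k cui_access\n",
}
CURRENT_ITEMS = {
    "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
    "/etc/audit/rules.d/cui.rules": "-w /cui -p rwa -k cui_access\n",
    "/etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh\n",
}
APPROVED_BY_CCB: Set[str] = {"/etc/cron.d/backup"}   # hypothetical ticket covers the cron job only


def run_check() -> Tuple[Dict[str, List[str]], List[str]]:
    drift = detect_drift(take_baseline(BASELINE_ITEMS), CURRENT_ITEMS)
    return drift, unapproved_changes(drift, APPROVED_BY_CCB)


if __name__ == "__main__":
    drift, unapproved = run_check()
    print("drift:", drift)
    print("unapproved changes:", unapproved)
```

Hashing whole files is deliberately coarse: it flags any edit, including the dangerous one here (root login re-enabled), without needing a parser for each configuration format. A parser-based comparison can then say what changed for the items this check flags.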
5. Identification and Authentication
Identification is the means of verifying the identity of a user, process, or device, typically as a prerequisite for granting access to resources in a system. Together, identification and authentication provide a technical structure that prevents unauthorized individuals or processes from entering a system. This is critical because it provides the basis for access control and for establishing user accountability. Authentication may be established in a variety of ways, such as passwords, biometrics, and physical tokens (e.g., an ID card).
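The Access Control and Identification and Authentication families fit together as one flow: a user claims an identity, proves it, and only then is checked against an authorization policy. The following added example (not code from the page or from NIST) shows that flow with a password factor (salted and stretched with PBKDF2) plus a token factor (an RFC 4226 HOTP code), followed by a deny-by-default access check. The user store, secrets, role and policy are constructed; the HOTP secret is the RFC 4226 test key so the code values can be checked against the published vectors. The counter passed to `authenticate` is assumed to be tracked server-side.

```python
"""Identification -> two-factor authentication -> deny-by-default authorization.
Added example; users, secrets and policy are constructed, not from any real system."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000   # stretching cost in the range recommended for PBKDF2-SHA256


def make_password_record(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Store a salted, stretched hash; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_password(record: Dict[str, bytes], password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: the 'something you have' factor of a hardware token."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user store: identity -> credentials and role.
USERS = {
    "alice": {
        "pw": make_password_record("correct horse battery", b"constructed-salt"),
        "token_secret": b"12345678901234567890",   # RFC 4226 test key
        "role": "analyst",
    },
}
# Used so that a lookup of an unknown user costs the same as a real check.
_DUMMY_RECORD = make_password_record("dummy", b"constructed-salt")

# Deny-by-default policy: a (role, resource) pair missing here is a denial.
POLICY = {
    ("analyst", "/cui/reports"): {"read"},
    ("admin", "/cui/reports"): {"read", "write"},
    ("admin", "/system/config"): {"read", "write"},
}


def authenticate(username: str, password: str, otp: str, counter: int) -> Optional[str]:
    """Identification (is this a known identity?) then two-factor authentication.
    Returns the verified identity or None, without revealing which step failed."""
    user = USERS.get(username)
    if user is None:
        check_password(_DUMMY_RECORD, password)   # equalise timing for unknown users
        return None
    if not check_password(user["pw"], password):
        return None
    if not hmac.compare_digest(otp, hotp(user["token_secret"], counter)):
        return None
    return username


def authorize(identity: Optional[str], resource: str, action: str) -> bool:
    """Access control: only an authenticated identity with an explicit grant may act."""
    if identity is None:
        return False
    role = USERS[identity]["role"]
    return action in POLICY.get((role, resource), set())


if __name__ == "__main__":
    code = hotp(USERS["alice"]["token_secret"], 5)
    who = authenticate("alice", "correct horse battery", code, 5)
    print("identity:", who)
    print("read reports:", authorize(who, "/cui/reports", "read"))
    print("write reports:", authorize(who, "/cui/reports", "write"))
```

Two design points carry the accountability requirement from the text: the function returns an identity only after both factors pass, so every later authorization decision is tied to a verified user, and the policy grants nothing it does not list, so a new resource is inaccessible until someone explicitly decides who may view it.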
6. Incident Response
Incident Response defines how an organization responds in a coordinated manner to a cyberattack. Planning for incidents closely resembles contingency planning focused on reacting quickly to disruptive events. Incident response for cybersecurity incidents and breaches is very broad in scope and should be tailored to the appropriate level of potential disruption.
7. Maintenance
Maintenance is developing processes and procedures to ensure a system and its infrastructure operate in good working order.
8. Media protection
Media protection involves the defense of system media, such as external/removable hard disk drives, flash drives, compact disks, and digital video disks. These protections should focus on restricting access to the appropriate authorized levels. This also includes physically controlling system media and ensuring accountability, as well as restricting mobile devices capable of storing and carrying information into or out of restricted areas.
9. Physical Security
Physical Security relates to the physical and environmental security measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
10. Personnel Security
Personnel Security involves users, designers, implementers, and managers. It defines how these individuals interact with the system and the level of access they need to do their jobs. That level of access directly impacts the system’s security posture. The focus is to minimize the risk that staff (permanent, temporary, or contractor) pose to company assets through the malicious use or exploitation of their legitimate access to the company’s resources.
11. Risk Assessment
A risk assessment identifies how vulnerabilities may compromise the confidentiality, integrity, or availability of the information being processed, stored, or transmitted by an organization's systems. These assessments should inform company decision-makers and support risk responses by identifying relevant threats to the organization (or threats directed through the organization against other organizations), vulnerabilities both internal and external to the organization, the impact (i.e., harm) to the company that may occur should a threat exploit a vulnerability, and the likelihood that such harm will occur.
12. Security assessment
Security assessment focuses on the testing and/or evaluation of the management, operational, and technical security requirements on a system. It is designed to determine whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
13. System and communications protection
System and communications protection provides an array of safeguards for the system. Some of the requirements in this family address the confidentiality of information at rest and in transit; others prevent the presentation of system management-related functionality on an interface for non-privileged users. The family also establishes boundaries that restrict access to publicly accessible information within a system. Using boundary protections, a company can monitor and control communications at external boundaries as well as key internal boundaries within the system. Examples of system and communications protection requirements include application partitioning, denial of service protection, boundary protection, trusted path, mobile code, session authenticity, thin nodes, honeypots, transmission confidentiality and integrity, operations security, protection of information at rest and in transit, and usage restrictions. These requirements focus on guarding against improper information modification or destruction and include ensuring information nonrepudiation and authenticity. At its core, the family ensures that data can only be accessed or modified by authorized employees.
14. System and Information Integrity
At its core, System and Information Integrity focuses on preventing improper information modification or destruction. This also includes ensuring information authenticity. Successful system and information integrity lies in ensuring that data can only be accessed or modified by authorized employees. In doing so, an organization gains assurance that the information being accessed has not been tampered with or damaged by an error in the system. Some notable examples include flaw remediation, malicious code protection, security function verification, information input validation, error handling, non-persistence, and memory protection.