Part 3: Essential Information Security Policies
Now that you have an understanding of the rules, what systems must be covered and security tools you can use to comply, it’s time to consider policies. Keep in mind that your investment in security tools can be rendered useless without appropriate policies and training in place to require that employees use them.
Policy Manual (NIST Category 2)
A good policy manual should address all 14 categories. You need to provide written policies and formal training. This includes training for new employees (based on role) with annual refresher training on key items for all employees. Review and update policies at least annually. Review and update training at least annually. Roll out training on new topics or revised policies as appropriate.
Review Access Control (NIST Category 9)
Review access control requests when received and at least annually. Does the person have a valid need-to-know or need-to-access requirement? Perform background checks as appropriate for positions with advanced level of access or responsibility.
Tips: Review access membership lists at least annually for continued need-to-know. Have terminated employees been removed or had their accounts deactivated?
Physical security (NIST Category 1, 5, 8, 10)
Limit access to facilities, servers, and systems. Have separate locks on server rooms. Have a visitor policy with sign-in, sign-out, and unique badges.
Password Management (NIST Category 5)
Password management is so important that it falls into both tools and policies.
Tips: Force system password changes every 30-90 days. For very secure or sensitive information, require more frequent password changes. Require multi-factor authentication for new devices or sensitive systems. Set system requirements for secure passwords (upper, lower, number, and symbol) and do not all reuse of passwords or creation of sequential passwords.
Multi-factor Authentication (NIST Category 5)
As discussed above, MFA helps prevent unauthorized access by requiring multiple types of identification. In addition to a username and password, it requires a third piece of information such as a text code (to your phone or mobile device), digital certificate, CAC or “smart” card, one-time password (from a fob), or biometric such as figure print or retina scan.
Tip: Have a policy requiring MFA use on specific accounts/services and recommend its use on all possible accounts/services. Enable MFA on every account possible.
Audit, Risk, Configuration Management and Security
Audit, risk, configuration management, and security may be a combined effort. Guidelines are outlined in NIST Special Publication 800-53 (Rev. 4): Security Controls and Assessment Procedures for Federal Information Systems and Organizations.
Audit and Accountability (NIST Category 3)
You audit and accountability policy should address purpose, scope, roles and responsibilities, and compliance. In addition, it should contain guidance for implementation of the audit and accountability policy and associated management controls.
Tip: Include provisions for internal and external audits.
Risk Assessment (NIST Category 11)
Your policy should outline requirements for risk assessments, including the likelihood and magnitude of potential harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the information system and the information it processes, stores, or transmits.
Tip: Update the risk assessment procedures whenever there are significant changes to the information system or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security of the system. This should be done at least annually.
Configuration Management (NIST Category 4)
Configuration Management is a discipline designed to ensure that the configuration of an item (and its components) is known and documented, and that all subsequent changes to it are controlled and tracked.
Your policy must outline procedures for keeping track of hardware and software, including who has responsibility for tracking, how they will track possession of equipment and the software installed on each machine, and how they will ensure that users have limited ability to download and install software. It must include a defined list of preapproved software as well as a formal process for requesting and vetting new software.
Tip: Document, document, document. Then spot check to make sure everything is being documented.
Security Assessment (NIST Category 12)
Your security assessment policy should document your existing controls and outline procedures for testing their effectiveness.
Tip: Include a requirement for spot checks on controls. These should be unannounced “audits.” See if an unauthorized user can gain access to a facility, server, folder, or file.
Incident Response (NIST Category 6)
Your policy should document an incident response process that outlines roles, responsibilities and procedures. Incident response should include or be coordinated with your disaster recovery plan. With government contracts and data breaches, there are specific reporting requirements.
Tip: Your response plan must specify how you are notified internally, who you need to notify exterrnally and how (such as customers and government entities), response times, and public relations outreach. For government contractors, one of the first calls should go to the contracting agency. Openness and transparency are the best policy.
In Conclusion: One Step at a Time
We’ve covered a lot of ground in the past three blog posts, including:
- Federal information security requirements
- What hardware, software and online resources must be secured
- Available security tools
- Essential policies and procedures
That’s a lot for any small business owner to take in! With the December 31 deadline looming, however, inaction or delay are no longer options.
My recommendation is to divide your compliance efforts into manageable steps. Begin with an assessment of where you stand as far as meeting each of the NIST requirements, then develop a plan for compliance in each area. Assign responsibilities and deadlines, and call in help as you need it.
As always, if you have questions about information security or any other aspect of government contract compliance, you can reach me at firstname.lastname@example.org or by ccalling(614) 556-4415.