A Sustainable and Efficient Way to Meet Client’s Growing Security Expectations 

 

Achieving Holistic Security Compliance With NIST SP 800-53

Download Article Article in Digital Form

Regulatory compliance continues to grow and is here to stay. As big corporations come to terms with the new realities of compliance, their response to noncompliant vendors will be ruthless. Enterprises that want or have big corporations as clients must include compliance as an integral part of their business model. The challenge is to integrate it without losing their agile service and cost-effective structure. NIST SP 800-53,1 an information security model developed by the US National Institute of Standards and Technology (NIST), can be a useful guide for service providers to build their security posture.

Security breaches, and the fundamental flaws they bring to light, are becoming more numerous and more complicated with each passing year. Each technological advancement brings new security vulnerabilities in its wake, and many, after following a tortuous path, end with a regulatory requirement in one form or another. While interpreting, assessing and complying with these regulatory requirements are huge hurdles for big organizations, they present an especially daunting challenge for the small and medium-sized firms that find themselves increasingly in the path of regulatory maelstroms with the potential to bring their business to a halt.

The Internet empowered entrepreneurs in ways unthinkable a mere decade ago. An innovator could, while sitting in Utah with three part-time employees (if that many), create a unique service that big corporations would beat a path to his/her (virtual) door to use. The giant companies see opportunities to leverage the tools created by these tech entrepreneurs to enrich their offerings to their customers. Today, the big banks (or manufacturers, retailers and others) use hundreds, if not thousands, of such small companies to keep their supply chain lubricated. Often, these services are white-labeled, meaning they are offered in the big corporation’s name. A logistics company uses a web service that automatically overlays delivery addresses on a map for each of its 11,000 drivers, for example. Or, a bank uses a web service that connects securely and confidentially to millions of businesses with which the bank’s customers want to transact. Or, a doctor’s office uses a web service that tracks all of its insurance payments in process and sends an alert when there is a problem.

Different innovators and different solutions that have two common threads:

  1. These disruptive technology solutions are light on footprint and heavy on innovation and value-addition.
  2. They are very inexpensive. For example, the logistics company may pay pennies per truck per day, saving more than 60 minutes of the driver’s time each day.

The Problem

Everything seems to be working well and everybody seems to be happy. The problem, however, is that third-party vendors receive, transmit, store and/or process—on the big corporation’s (i.e., client’s) behalf—information that is subject to many different regulatory controls, and the corporation is required to prove that such data are secure across the entire supply chain and not just inside its corporate walls. Based on the vendor’s role in the corporation’s supply chain, the vendor may be low, medium or high on the risk scale of the organization, and its compliance machinery starts cranking accordingly. A questionnaire with 200 to 400 questions or controls is sent to the vendor every one or two years, and the questions/controls are at a level of detail that the vendor has never thought of, let alone designed to, while developing the product or service.

The firm’s owners instinctively know that to support these requirements, they will have to build a large organization (that they do not need otherwise) and the key value proposition, “pennies per day per truck,” will evaporate.

Understanding the New Normal for Vendors

As the cost of compliance and noncompliance (i.e., penalties) mounts—from millions to hundreds of millions to even billions—big corporations are turning to their vendors to wring out that extra penny in savings. The message is: “We want more for less.”

These two factors, growing compliance mandates and growing cost of compliance, are the new normal for business, and demonstrated compliance is an integral feature of the business model for every organization—big or small—that wishes to conduct business in this environment.

The Challenge With Compliance

Most auditors understand the complexities of IT security and are able to appreciate how good the organization is and how secure the service is. But the vendor also needs to realize that the auditor has a different frame of reference. The auditor needs the vendor to demonstrate that it is compliant. This is often a tricky concept: How does an organization demonstrate its compliance? The following are examples of how to achieve this:

  1. Demonstrate an understanding of the data the organization handles and the legal implications of their misuse.
  2. Demonstrate a security culture with a high degree of consciousness among employees.
  3. Demonstrate a set of policies and procedures aimed at ensuring security.
  4. Demonstrate the compensating controls that mitigate gaps in controls.
  5. Demonstrate a security vision and a road map to achieve continuous improvement.
  6. Demonstrate adoption of security best practices in the organization.
  7. Demonstrate how the organization identifies, tracks and acts upon risk incidents.
  8. Demonstrate how the organization is engaged in the broader security community and dialog.

Large organizations build risk and compliance groups (sometimes thousands of people strong) to address these. Small and medium-sized organizations cannot afford this. Fortunately, there are many best practices and standards available worldwide that an organization can adopt to improve its security posture. An organization can achieve a quantum improvement in its security and demonstrate the same while keeping the cost within an appropriate range for small firms.

One such standard comes from NIST, a body under the US Department of Commerce. NIST is tasked with creating a technology security controls framework that all US government organizations can use to meet their security obligations. NIST has done pioneering work in this field and provides a conceptual framework that any organization can study, adopt and practice to achieve significant improvements in its security posture. NIST SP 800-53 provides a set of security controls for federal systems and NIST encourages private commercial enterprises to use it as well.

The NIST SP 800-53 Security Controls Framework

Figure 1This framework defines more than 200 individual controls spread over 18 control families (figure 1) that take care of the baseline information security requirements of an organization—large or small, private or public. It acknowledges that not every organization is large and complex enough to warrant all 200-plus controls, and that it may be beyond the technological and financial means of a small organization to simultaneously implement all of the controls. Hence, it classifies controls into three security baselines: low, moderate and high. This allows an organization to determine what security classification best fits it based on its size, complexity, supply chain, sensitivity of information handled, third-party obligations and regulatory expectations.

For example, the Access Control, one of the NIST SP 800-53 families, statement is:

The organization develops, disseminates and reviews/updates on a quarterly basis:

  1. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and regulatory compliance; and
  2. Formal, documented access control procedures to facilitate the implementation of the access control policy and associated access controls.

These few lines, when implemented properly, can change the way an organization faces various examinations and what its clients and auditors understand about the organization. To a security professional evaluating the organization, this means that:

  • The organization has thought about its access-control-related goals, challenges and risk, and has proactively articulated a policy in formal terms (not implicit in or implied by actions
  • The organization has a policy statement that defines:
    • The purpose behind developing such a policy
    • The scope, such as units, locations, levels of people and third parties
    • Every actor involved in the life cycle of the policy and their responsibilities
    • Management’s commitment to putting its authority behind the policy, empowering people to monitor compliance and authorizing punitive actions
  • Procedures are in place to explain how to comply with this policy under different operational scenarios in the organization, e.g., how access control is enforced under the UNIX environment, under the Windows environment, and under web and cloud environments.
  • Depending on the layers and complexity of the environment, it may create or refer to other documents such as runbooks, workflows or guidelines, in addition to the procedures documents, to make sure that the entire process is captured, documented and published for all stakeholders to understand and satisfy

An access control policy, developed as part of a comprehensive framework, puts the policy in organizational context and helps the organization be compliant and demonstrate compliance to auditors and examiners or other interested parties.

Implementation Road Map

While a framework such as NIST SP 800-53 empowers an organization to look at the total security picture, it does not warrant that the whole framework is implemented in a big bang, single-shot fashion. The organization marks the controls that seem most urgent, relevant and directly connected to what the auditors want to see. This affords the organization the ability to flexibly draw up an implementation road map for 18 to 36 months, for example, and embark on a preplanned journey. This is invaluable for knowing the total scope, stakeholders and approximate investments up front, so management knows what the organization is embarking upon without having to deal with surprises at every turn. Figure 2 illustrates an example of a NIST SP 800-53 high-level implementation road map.

Figure 2

Conclusion

The primary targets of NIST SP 800-53—the federal departments required to comply with the Federal Information Security Management Act (FISMA) information security regulations—have realized enormous gains. Furthermore, NIST SP 800-53 has been taken deeper and wider over the years to help higher-risk organizations such as utilities and defense.

Adopting such a standard not only gives a ready-made frame of reference for the organization to plan its security journey, but provides a proven, recognized prism through which the external world (comprising the organization’s clients, examiners, auditors, suppliers and other supply chain partners) can look at the organization. Small and medium-sized firms can, thus, find a balance between raising their security profile to meet client expectations and not lose their fundamental value proposition.

Organizations can get a grip on information security using NIST SP 800-53 and then leverage other specialist frameworks to improve the quality of the software development process, service delivery and other areas of work. COBIT may be used to provide the overarching guidance necessary to bring all initiatives together in a holistic and synchronized manner.

Endnote

1 NIST SP 800-53 provides the “Recommended Security Controls for Federal Information Systems and Organizations.” It is published by the National Institute of Standards and Technology, a nonregulatory body of the US Department of Commerce. NIST’s mission is to promote US innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life.

Buck Kulkarni, CISA, CGEIT, PgMP, is the founder and president of GRCBUS Inc., a technology governance and outsourcing consulting firm based in New Jersey, USA. GRCBUS’s solutions leverage COBIT as the overarching governance framework, supported by SEI, ITIL, PMBoK, ISO and NIST frameworks in their respective domains. This enables its customers to balance the technology performance expectations (service delivery, innovation and business alignment) with technology conformance mandates (risk, security, regulatory compliance and audits) in a unified, cost-efficient and sustainable manner.


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2013 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.