Do NIST Information Security Standards Matter?
October 29, 2013
The National Institute of Standards and Technology (NIST) recently released its Preliminary Cybersecurity Framework with little fanfare. The initiative is a response to President Obama's cybersecurity executive order, which was issued in February due to increased fears of attacks against components of the critical infrastructure: power, transportation and telecommunications. While there are still questions regarding how much of the framework will be mandatory for private industry and exactly what will be classified as “critical infrastructure,” the larger question is how much this or other NIST standards really impact information security outside of the U.S. federal government and the CISSP test?
It’s common to hear someone in governance, risk and compliance (GRC) bring up a NIST standard when discussing the implementation of a security control. Often, it’s quoted like Holy Scripture in hushed tones, “In accordance with NIST SP800-yadda-yadda....” However, in the information security landscape, NIST is only one in a veritable sea of global standards bodies proposing guidelines and frameworks. Along with PCI-DSS, SOX, HIPAA, and international laws that mandate specific cybersecurity requirements, standards from NIST, ISO/IEC (the 27000 series), CobiT, and COSO can feel overwhelming to those unfamiliar with this esoteric part of infosec.
So what is NIST and why should we care? Originally created in 1901 because U.S. industrial infrastructure seemed to be lagging behind the rest of the world, its stated mission is to: "Promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve our quality of life."
Basically, NIST is where the best practice unicorns go to graze. NIST IT standards documents cover everything from managing the security of mobile devices to improving the usability of electronic health records. NIST reports and standards represent research from some of the best super nerds our tax dollars can fund. And even though you may not realize it, NIST output has helped to establish the foundation for many of the principles we use in today’s enterprise security programs.
Consider Special Publication 800-92, Guide to Computer Security Log Management from 2006:
Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems.
Not only does this document outline the basic concepts of good log correlation, it reads like a log management 101 class. You could use it to create a policy, then hand it to an infrastructure team and say, “Use this as your guide.”
[Why do we keep buying traditional security products that aren't doing much to help us manage risk? Read Michele Chubirka's analysis in "Security Snake Oil For Sale."]
Then there’s Special Publication 800-61, Computer Security Incident Handling Guide Revision 2 from 2012. If your organization doesn’t have a detailed incident response plan, you could use this document as a how-to guide for its creation. It even tells you how to build an incident response team and how to deal with media and law enforcement. This document could save your organization the money you would have spent paying a consultant to come in and write up the plan for you. Could it get any better?
And you know that inevitable pushback you get from senior management when you try to implement policies and procedures? Think of the credibility you have when referencing a document from NIST.
NIST standards and frameworks should -- and do -- have influence on information security practices outside of the federal realm. This work represents the efforts of many researchers to standardize an effective security methodology and informs many of the established policies and procedures in organizations. Although not mandatory, it pervades industry best practices and establishes the principles for proper information security practices.
The proposed cybersecurity framework is a method for managing organizational risk and a solid foundation for programmatically implementing many of those existing NIST standards. It’s like we’ve been given a gift by the federal government. Ignore it at your peril.