Five Best Practices from NIST 800-53
In April 2013, NIST made the final updates to their complete catalog of information security requirements, Special Publication 800-53 Revision 4 – Security and Privacy Controls for Federal Information Systems and Organizations. The catalog is BIG – it contains hundreds of information security and data privacy requirements organized into 17 different topic categories. Each category is called a “family”, and covers a key information security topic such as access control (AC), incident response (IR) or physical security (PE).
For people not familiar with FISMA or NIST, this document is essentially the security “encyclopedia” for how to protect systems and organizations. As such, even organizations that are not required to comply with federal information security laws still reference the NIST standards for guidance on all things security.
So what does NIST SP 800-53 say about written information security policies? In this article we take a slice through the outline and pull out the requirements as they relate to information security policies. For this article, we will use the NIST family Access Control (AC) as a working example. The result is a list of five key principles of information security policies according to NIST:
1: Written information security policies and procedures are essential
The first control in every domain is a requirement to have written information security policies. The specific requirement says:
The organization Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: (1) An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
Notice the term “documents”. This implies that policies need to be written down. While this seems obvious, many organizations still fall short in documenting their specific security policies. (This is often cited as the greatest deficiency when HIPAA/HITECH audits are conducted by the OCR.) The second part calls for written procedures to support the policy:
(2) Procedures to facilitate the implementation of the access control policy and associated access controls; and
Each of the 17 other control categories (or families) follows the same format, with the first requirement always calling for written policies and procedures. What this also implies is that the policy document for each section covers the key controls required for that domain. For example, within Access Control (AC), your Access Control Security Policies could cover: account management (AC-2), access enforcement (AC-3), information flow enforcement (AC-4), separation of duties (AC-5) and so on. While NIST also specifies a minimum set of these controls, the typical organization may choose a smaller subset. But the structure can remain the same – one or more policy statements for each topic.
2: Security policy documents must have a defined structure
NIST SP 800-53 also goes into detail about what needs to be covered within the security policies. The requirement for an Access Control Policy specifies that the organization develop:
(1) An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
For example, each document should cover the “scope” of the organization or systems that the policy applies to. It should also include references to the specific organizational roles required to take action as part of the policy. To address these requirements, each policy and procedure document should have a standard format with sections addressing each of these required areas. A standard format not only speeds up the review and update cycle, it helps the written information security policies integrate with other standard corporate policies. A similar standard format is built into each of the 30 sample policy documents included within Information Security Policies Made Easy.
3: Security policies must be periodically updated
The NIST guidance is once again very specific about this requirement. Written information security policies and procedures need to be updated to reflect the latest changes in the organization.
The organization: (b) Reviews and updates the current: (1) Access control policy [Assignment: organization-defined frequency]; and (2) Access control procedures [Assignment: organization-defined frequency].
Notice that the requirement allows the organization to set a specific time period or frequency for updates. A common time period for information security policies is annually. Information security procedures can be updated on the same schedule, or an update can be triggered as part of a policy update. For example, the organization may update the Employment Termination Procedure to reflect new requirements, while the Personnel Security Policy that requires this procedure remains unchanged.
4: Security policies must be distributed to the organization
Information security policies and procedures are not effective unless they drive organizational behavior. To do this, policy and procedure documents need to be distributed to the users in the organization so they can be read and understood.
The organization Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
Some other implied requirements come from the need to “disseminate.” First, organizations should target specific policies to user groups and roles within the organization. For example, not all users need to be aware of the contents of the Network Security Policy, while all users should know how to safely use the internet and email. Another implied requirement is that these documents are understood. The organization should perform due diligence in educating users on the security requirements of their jobs, including the information security policies and procedures that apply to them.
5: Security policies must be managed with a defined process
The previous four elements lead up to this key requirement: organizations must establish a formal management process for information security documents. This requires that the organization treat information security policy documentation as an ongoing project, not a one-time event. It implies several other requirements, such as assigning ownership of each policy document and of the entire policy management process. How can an organization possibly manage the specific security policy elements – including review, management commitment, coordination and compliance – without a management process? Sadly, this is where many organizations fail. The development of information security policies is delegated to a single individual as a part-time project with minimal visibility to management, rather than being treated as a project that requires funding and resources. While this approach may get the organization by, it usually fails after the first major audit. As always, up-to-date information security policies are key pieces of evidence to support due diligence.
While your organization may not be required to comply with FISMA, the NIST family of publications can provide excellent guidance on developing and managing an information security program. When it comes to written information security policies, the message is clear: Security and privacy policies need to be living documents.
Example: The full catalog listing for AC-1 within NIST SP 800-53.
AC-1 ACCESS CONTROL POLICY AND PROCEDURES
Control: The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
- An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
- Access control policy [Assignment: organization-defined frequency]; and
- Access control procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100.
Priority and Baseline Allocation: Priority P1; LOW baseline: AC-1; MOD baseline: AC-1.