If you didn’t think the world of federal bureaucracy and security compliance was complicated enough, say hello to NIST Special Publication 800-53, a set of security standards and controls developed to help US federal agencies meet the requirements of the Federal Information Security Management Act (FISMA). FISMA itself is a law that outlines the security controls that agencies need to comply with in order to secure their information security programs.
Of course, NIST SP 800-53 isn’t just adopted by federal agencies today, but by private organizations looking to optimize and improve their software security posture. It contains a comprehensive list of security controls, best practices, and other guidelines to build resilient networks and software.
While the NIST SP 800-53 specifies over a thousand controls spread out across 20 control groups, each of which focus on a different aspect of security and privacy concerns. We’re going to explore each of these 20 control groups in the guide.
This is usually the first step in any security program — limiting users’ access to resources and system components. Any given user should have access only to the resources they’re authorized to interact with, and nothing more. This can go even deeper, with access control policies that specify whether a user has permissions to view, modify, or delete data on the system.
To implement access control across your network, you need to:
One of the most valuable things you can give your employees is skills. Not only does security training improve the baseline security posture across every part of your organization, it also makes process more efficient.
Instead of your dev team building software, your security team testing it and finding bugs, and your developers getting a million JIRA tickets to resolve, what if you could build software that’s secure by default?
Going further, what if all the boring, repetitive security tasks were all automated straight into the CI/CD pipeline? Your team can release faster and more securely with some skills under their belt.
AppSecEngineer offers security training for every member of your product team, from secure coding to cloud security. What’s more, our pro-level Admin Panel lets you assign, evaluate, and manage teams of any size from a single dashboard.
Book a demo and train with AppSecEngineer to get noticeable results in less than 3 months.
The next logical step for your security program is to have some visibility into your environments by performing audits across the network, and generating detailed logs and reports corresponding to event triggers.
These event logs need to be stored securely and analyzed on a regular basis to detect anomalies in the system. Here are some steps you can take to achieve this:
Two of the most important pieces of the security puzzle are analyzing your software and environments for security vulnerabilities, and monitoring your network traffic to detect suspicious activity.
These activities are essential for understanding the potential threats to your software systems, allowing you to plan out the process of identifying and fixing vulnerabilities.
Misconfigured security controls are the leading cause of vulnerabilities in cloud and containerized systems. Your organization’s security program needs to include: identifying the right set of security policies, configuring tools properly, and managing unauthorized configurations and devices.
Planning ahead isn’t just reserved for your long-term security goals. You should also have a proper game plan ready for when disaster strikes: what if a major data breach occurs, or an essential part of your network suddenly goes down? You need to have a disaster recovery plan that accounts for a variety of worst-case scenarios.
How do you ensure that a user really is who they say they are? For your access control policies to work as intended, you also need to ensure that your authentication mechanisms are secure enough to prevent an attacker from hijacking someone else’s account to gain access.
A well thought-out incident response program is designed to detect and stop/isolate a security incident or breach as early as possible. The goal is to reduce the damage an attacker can do as much as possible, if not completely prevent it. This is where network monitoring, logging, and analysis comes in handy since you can use all that historical data to set up alarms that trigger when suspicious activity is detected.
Once all your security protocols and configurations are in place, your team should go into maintenance mode. This means auditing event logs to check for anomalies, regularly updating firmware and tools, and running inspection tools throughout the environment. This would be done to minimize the risk of operational outages and ensure systems aren’t outdated.
Whether you’re dealing with physical media (disks, drives, documents) or digital media (files, secrets), you need to implement policies that cover the use, storage, modification, and safe destruction of media and files. Attackers can recover data even from badly damaged hard drives, so properly disposing of such content is imperative.
Even if your online infrastructure is highly secure, your physical hardware may be at risk if you haven’t properly secured devices and facilities. You need to consider controls restricting physical access, monitoring systems, and responses to physical threats.
Develop a plan to manage security over the entire lifecycle of a system, from systems architecture, to management processes, to creating baseline system settings.
Your information security program isn’t just one-and-done deal. It requires constant revision and refinement, which in itself is a discipline your organization needs to follow. Everything from a risk management strategy to the critical infrastructure plan need to be understood as early as possible.
Let’s say you’ve finally managed to build an all-round solid security program, filling in all the cracks and making your systems resilient. But what if the weak link in your system isn’t the software, but the humans who interact with it? You need to ensure that all individuals operating in your network are trustworthy, and provide security training to every member of your team.
This one should be pretty self-explanatory. Any PII in your system should be considered sensitive information, and you need to store, modify, delete, and transmit this data with the utmost care and security.
In order to build the most effective security program, it’s necessary to understand exactly what kind of risks you’re likely to encounter in your environment. Which assets are at most risk? What are your operational weaknesses? What vulnerabilities are regularly causing problems? All of these factor into your organization’s risk profile.
Once your organization gets used to a particular set of systems and processes, it can be hard to adapt when there’s a big change. You need to develop a robust program that accounts for third-party software/tools and implementing new systems and services.
No organization works in a vacuum anymore, and every team relies on collaboration and communication between different systems and devices. You need to develop controls that establish system boundaries and safely manage communications across networks, ensuring system integrity at all times.
Viruses, malware, and malicious code are an ever-present threat to your systems. Your organization needs to establish protocols and protections that mitigate the danger of a potential attack. After all, social engineering and phishing are the most common ways companies get breached today.
The modern software supply chain is full of open source and third party software, libraries, and components. Without proper safeguards, an insecure component—even one that’s nested within another component itself—can provide attackers with a way to compromise your environment and take control.
AppSecEngineer offers several courses and challenges in supply chain security. Get a hands-on look at how to find and fix supply chain issues in your organization.
With hundreds of hands-on courses and challenges in secure coding, cloud security, and DevSecOps, AppSecEngineer offers everything your team needs to achieve a NIST SP 800-53 certification.
As the team leader, you can assign courses to different teams, track their learning progress, and test their skills with assessments.
Achieve NIST compliance in less than 6 months. Only with AppSecEngineer.
Aneesh Bhargav is the Head of Content Strategy at AppSecEngineer. He has experience in creating long-form written content, copywriting, producing Youtube videos and promotional content. Aneesh has experience working in Application Security industry both as a writer and a marketer, and has hosted booths at globally recognized conferences like Black Hat. He has also assisted the lead trainer at a sold-out DevSecOps training at Black Hat. An avid reader and learner, Aneesh spends much of his time learning not just about the security industry, but the global economy, which directly informs his content strategy at AppSecEngineer. When he's not creating AppSec-related content, he's probably playing video games.
help@appsecengineer.com
United States
11166 Fairfax Boulevard, 500, Fairfax, VA 22030
APAC
68 Circular Road, #02-01, 049422, Singapore
help@appsecengineer.com
United States
11166 Fairfax Boulevard, 500, Fairfax, VA 22030
APAC
68 Circular Road, #02-01, 049422, Singapore