![Using NIST for Security and Risk Assessment](https://covers.openlibrary.org/b/id/12752228-M.jpg)
Using NIST for Security and Risk Assessment
By Thomas P. Dover
Subjects: Computer security, Risk assessment, Network security, Information technology industries
Description: This book describes how NIST Special Publications (SP) 800-171r2 (*Protecting Controlled but Unclassified Information in Nonfederal Systems and Organizations*), SP.800-172 (*Enhanced Security Requirements for Protecting Controlled Unclassified Information*) and SP.800-172A (*Assessing Enhanced Security Requirements for Controlled Unclassified Information*) can be used to evaluate the cybersecurity posture of Information Technology (IT) or Operational Technology (OT) systems and their supporting frameworks. It demonstrates that the baseline security requirements outlined in SP.800-171r2 and SP.800-172/172A for the protection of Controlled Unclassified Information (CUI) can be applied to any information system that requires data protection.

It further presents the application of NISTIR 8228 to OT system assessment in order to determine relative compliance with recommended standards. This approach allows organizations to evaluate the level of risk an IoT device poses to information systems. It also reviews the current state of IoT cybersecurity and privacy protection using historical and current industry guidance and best practices; recommendations by federal agencies; NIST publications; Executive Orders (EO); and federal law. Similarities and differences between IoT devices and "traditional" (or classic) Information Technology (IT) hardware are offered, along with the challenges IoT poses to cybersecurity and privacy protection.

An explanation of how these NIST publications align with information security, and of how this alignment suffices for evaluating the security of an IT environment, is given along with the process and procedure for performing such an evaluation.

A practical approach for applying NIST Special Publications (SP) and Internal Reports (NISTIR) to the security assessment of Information Technology (IT) and Operational Technology (OT) systems.
Methodology addresses assessing security of systems containing Confidential but Unclassified Information (CUI) or Internet of Things (IoT) technology.