To continue our in-depth discussion of NIST SP 800-171, this week we’ll examine the next two requirement families: Awareness and Training; and Audit and Accountability. These two categories are less technical than the other ones, but they are still vital to protecting your network against threats.
Awareness and Training
The basic security requirements for the Awareness and Training family are:
- Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
- Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
These are supplemented by a single derived requirement:
- Provide security awareness training on recognizing and reporting potential indicators of insider threat.
These requirements leave plenty of leeway for you to craft your own strategy for security awareness and training for your users and employees. We’ve covered some security training basics before, and these techniques should definitely be part of your security training program. This can include:
- Phishing awareness
- Internet security
- Email hygiene and safety
- Social engineering training
The security requirements also mention “insider threats.” While it’s generally not good business to be constantly suspicious of your own employees, insider threats do occur from time to time. Your IT team in particular should be alert to users asking for access to information outside their job scope without good reason. Rights requests in particular should be screened and properly approved before being granted. Generally, policies such as these will serve to keep the “honest people honest” and deter potential insider threats.
Audit and Accountability
The basic requirements for the Audit and Accountability family are:
- Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
- Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
There are a number of logging and auditing solutions that will meet the requirements of this section (for example, Graylog, Windows Event Forwarding, or Splunk). But the derived requirements for this family will help you to design and implement a solution that is in compliance with DFARS.
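The second basic requirement above (actions uniquely traceable to individual users) is easy to state and easy to break: a log record with no user field, or one attributed to a shared account such as “admin,” cannot be tied to a person. The following example is added here to illustrate that check; it is not code from the article or from any of the products named above. It normalizes two constructed log formats (a syslog-style sshd/sudo line and a JSON application line) into a common record and reports every record that is not attributable to an individual. The sample lines, the host names and the shared-account list are all made up for the example.

```python
import json
import re
from datetime import datetime

# Constructed sample records (not real log data). Two formats are mixed on
# purpose: syslog-style sshd/sudo lines and JSON lines from a hypothetical app.
SAMPLE_LOG_LINES = [
    "2024-05-02T10:15:03Z host-a sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "2024-05-02T10:15:09Z host-a sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/less /var/log/auth.log",
    "2024-05-02T10:16:40Z host-b sshd[880]: Accepted password for admin from 10.0.0.9 port 40110",
    '{"ts": "2024-05-02T10:17:02Z", "host": "app-1", "user": "bob", "action": "export_report"}',
    '{"ts": "2024-05-02T10:17:30Z", "host": "app-1", "action": "delete_record"}',
]

# Shared or generic accounts (assumed list): a record attributed only to one of
# these cannot be traced to a single person, which is what 3.3.2 asks for.
SHARED_ACCOUNTS = {"admin", "root", "service", "shared"}

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_ts(s):
    """Parse an ISO 8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(line):
    """Turn one raw line into a common record; 'user' is None when no identity is present."""
    line = line.strip()
    if line.startswith("{"):
        obj = json.loads(line)
        return {"ts": parse_ts(obj["ts"]), "host": obj["host"],
                "user": obj.get("user"), "action": obj["action"]}
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognized log format: {line!r}")
    user, action = None, m["msg"]
    if m["prog"] == "sshd":
        s = SSHD_RE.match(m["msg"])
        if s:
            user, action = s["user"], f"login:{s['method']} from {s['src']}"
    elif m["prog"] == "sudo":
        s = SUDO_RE.match(m["msg"])
        if s:
            user, action = s["user"], f"sudo:{s['cmd']}"
    return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": user, "action": action}


def audit_traceability(lines):
    """Return (records, findings); each finding names a record that cannot be tied to one person."""
    records = [normalize(l) for l in lines]
    findings = []
    for i, r in enumerate(records):
        if r["user"] is None:
            findings.append((i, "no user identity in record"))
        elif r["user"] in SHARED_ACCOUNTS:
            findings.append((i, f"shared account '{r['user']}' is not attributable to an individual"))
    return records, findings


if __name__ == "__main__":
    _, problems = audit_traceability(SAMPLE_LOG_LINES)
    for idx, why in problems:
        print(f"record {idx}: {why}")
```

Run against a real feed, a check like this is most useful at ingestion time (a Graylog pipeline rule or a Splunk saved search doing the same classification), so that records without attributable identity are surfaced before an investigation needs them.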
For example, one of the derived requirements is: “Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.” If your systems’ clocks are out of sync with one another, the logs from those systems cannot easily be correlated in the event of an intrusion.
Two other derived requirements help to reinforce the concept of role separation:
- Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
- Limit management of audit logging functionality to a subset of privileged users.
If your logging service can be modified by unauthorized users, then it is essentially worthless for a forensic investigation. So while some users will need access to the logged data for various purposes, only a very small group should be able to delete that information -- and that action itself needs to be monitored and alerted on. That will help protect against both intruders and insider threats.
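Access control keeps most people away from the logs; a tamper-evident record format is what tells you when that control failed. The example below is added to illustrate that idea and is not code from the article or from any named product: each audit entry carries an HMAC over the entry and the previous entry’s MAC, so modifying, removing or reordering any entry breaks every later MAC. The key, the records and the function names are assumptions made for the example. Note the one case a chain alone cannot catch, deleting entries from the tail, which is why the latest MAC should be forwarded somewhere the log-management group controls (the `anchor_mac` argument) and why deletions still need to be monitored.

```python
import hashlib
import hmac
import json

# Assumed key for the example. In practice it belongs to the small group that
# manages audit logging, not to the hosts that write records, so a compromised
# host cannot recompute the chain after altering it.
DEMO_KEY = b"example-audit-mac-key-not-for-production"
GENESIS = "0" * 64  # previous-MAC value for the first entry


def _mac(key, prev_mac, record):
    # Canonical JSON so the same record always produces the same bytes.
    payload = prev_mac.encode() + json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain, key, record):
    """Append a record whose MAC covers the record and the previous MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    chain.append({"seq": len(chain), "record": record, "mac": _mac(key, prev, record)})
    return chain


def verify_chain(chain, key, anchor_mac=None):
    """Return (ok, detail).

    Detects modified, removed and reordered entries. Truncation of the tail is
    only detected when anchor_mac (the last MAC, stored off-host) is supplied.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}: found seq {entry['seq']}"
        if not hmac.compare_digest(entry["mac"], _mac(key, prev, entry["record"])):
            return False, f"MAC mismatch at seq {i}: record modified or chain broken"
        prev = entry["mac"]
    if anchor_mac is not None and not hmac.compare_digest(prev, anchor_mac):
        return False, "chain does not end at the anchored MAC: tail entries were removed"
    return True, "chain intact"


def build_demo_chain():
    """Constructed audit entries used by the demonstration."""
    chain = []
    for rec in [
        {"user": "alice", "action": "login", "host": "web-1"},
        {"user": "bob", "action": "export_report", "host": "app-1"},
        {"user": "carol", "action": "audit_policy_change", "host": "dc-1"},
    ]:
        append_record(chain, DEMO_KEY, rec)
    return chain


def copy_chain(chain):
    """Shallow-enough copy so a demo can tamper without touching the original."""
    return [dict(e, record=dict(e["record"])) for e in chain]


if __name__ == "__main__":
    chain = build_demo_chain()
    print(verify_chain(chain, DEMO_KEY))
    tampered = copy_chain(chain)
    tampered[1]["record"]["user"] = "mallory"
    print(verify_chain(tampered, DEMO_KEY))
    shortened = copy_chain(chain)[:-1]
    print(verify_chain(shortened, DEMO_KEY))                          # passes: tail loss is invisible
    print(verify_chain(shortened, DEMO_KEY, anchor_mac=chain[-1]["mac"]))  # fails
```

Forwarding the anchor MAC (or the whole chain) to a central collector such as Graylog or Splunk over a one-way path gives the same effect as the role separation the requirement describes: the people who can write to a host are not the people who can change what the collector already holds.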
So that covers Security Families #2 and #3 in NIST SP 800-171 -- only 11 more to go! Check back next week for another article covering the Configuration Management family. And if you need help or guidance in securing your network up to DFARS/CMMC standards, contact E-N Computers today to schedule a consultation.