NIST Compliance - Information Security

The National Institute of Standards and Technology (NIST) is responsible for developing standards and guidelines, including minimum requirements, used by federal agencies to provide adequate information security for the protection of agency operations and assets. Pursuant to this mission, NIST's Information Technology Laboratory (ITL) has developed guidelines to improve the efficiency and effectiveness of information technology (IT) planning, implementation, management, and operation.

The following NIST 800-series publications are guidelines that help organizations categorize, select, implement, assess, authorize, and monitor information technology security controls and systems.

NIST 800-12 Introduction


NIST 800-12

An Introduction to Information Security

NIST 800-12 serves as a starting point for those unfamiliar with NIST information security publications and guidelines. The intent of this special publication is to provide a high-level overview of information security principles by introducing related concepts and the security control families.

GLBA | PCI/DSS | HIPAA | Dept. of Defense.

NIST 800-30 Conducting Risk Assessment

NIST 800-30

Guide for Conducting Risk Assessments

NIST 800-30 provides guidance on risk management for organizations in the public and private sectors. The focus of this publication is risk assessment, which is used to identify, estimate, and prioritize risk.

GLBA Safeguards Rule.

This publication details the four components of risk assessment: 1) how to prepare for risk assessments; 2) how to conduct risk assessments; 3) how to communicate risk assessment results to key organizational personnel; and 4) how to maintain the risk assessments over time.

NIST 800-37 Risk Management


NIST 800-37

Risk Management Framework for Information Systems and Organizations

NIST 800-37 is intended to help organizations manage security and privacy risk and to satisfy the requirements in the Federal Information Security Modernization Act of 2014 [FISMA], the Privacy Act of 1974 [PRIVACT], OMB policies, and designated Federal Information Processing Standards, among other laws, regulations, and policies.

NIST 800-53 Security

NIST 800-53

Security and Privacy Controls for Information Systems

The NIST 800-53 publication, along with other supporting NIST publications, is designed to help organizations identify the security and privacy controls needed to manage risk and to satisfy the security and privacy requirements in FISMA, the Privacy Act of 1974, OMB policies (e.g., OMB A-130), and designated Federal Information Processing Standards (FIPS), among others.

The use of NIST 800-53 controls is mandatory for federal agencies, federal contractors, and organizations working on behalf of agencies. However, the same organizations must follow NSA standards for data destruction.

NIST 800-66 HIPAA Security Rule

NIST 800-66

Implementing the HIPAA Security Rule

NIST 800-66 summarizes the HIPAA security standards and explains some of the structure and organization of the Security Rule. The publication helps to educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule.

This publication is intended as an aid to understanding the security concepts discussed in the HIPAA Security Rule; it does not supplement, replace, modify, or supersede the Security Rule itself.