What NIST Can Teach Private Business About Security
The National Institute of Standards and Technology (NIST) is a non-regulatory agency within the United States Department of Commerce that sets security and technology standards for both public and private entities. Here are ten things that NIST can teach private businesses about security:
- Establish security policies and procedures. Security policies and procedures are the foundation of any security program. NIST provides guidance on how to develop security policies and procedures based on industry best practices.
- Implement security controls. Security controls help protect business’ information and systems. NIST provides guidance on how to select, implement, and assess security controls.
- Manage security risks. Security risks must be managed in order to protect a business’ information and systems. NIST provides guidance on how to identify, assess, and respond to security risks.
- Receiving security updates and alerts on new security threats. NIST continually monitors new security threats and releases security alerts to help private businesses protect their systems. Private businesses can receive these security alerts by subscribing to the NIST Cybersecurity mailing list.
- Detecting and responding to security incidents. Security incidents must be detected and responded to in order to mitigate the damage they can cause. NIST provides guidance on how to detect and respond to security incidents.
- Maintain an effective security program. An effective security program is essential for protecting business information and systems. NIST provides guidance on how to maintain an effective security program.
- Utilizing security controls that have been implemented and tested in the past. NIST has released many Special Publications which are designed to provide instructions on how private businesses can protect their systems using security controls that have been implemented and tested by the Federal government.
- Understanding what security controls are applicable to your specific industry or organization. Many security controls are not one size fits all and must be tailored to the specific needs of an organization. NIST provides guidance on how to identify the security controls that are applicable to your business and industry.
- Building a comprehensive security program that addresses each stage of the system development life cycle. A security program should address each stage of the system development life cycle, from planning and design through implementation and operation. NIST provides guidance on how to build a comprehensive security program.
- Protect information assets. Information is a key asset for any business and must be protected accordingly. NIST provides guidance on how to protect information assets.
In addition to these ten points above, NIST also provides guidance on a variety of other security topics, such as cloud security, big data security, and mobile security. Private businesses can benefit from following these NIST guidelines in order to protect their information and systems from security threats.