
Introduction:
I found an old assignment from during my graduate studies and figured I would share it. Enjoy!
In the dynamic landscape of cybersecurity, organizations managing financial data must remain vigilant against ever-evolving threats. Navigating the intricate web of regulations and standards can be daunting, but one beacon of guidance shines brightly—the National Institute of Standards and Technology (NIST) Special Publication 800-53; this comprehensive framework serves as a roadmap for information security, outlining controls that organizations can implement to fortify their systems.
In this blog post, we will delve into a crucial aspect of NIST SP 800-53—input controls—and explore their application in designing a centralized accounting system. As financial transactions increasingly move into the digital realm, ensuring the integrity and confidentiality of sensitive data becomes paramount. By leveraging the insights provided by NIST SP 800-53, organizations can implement robust input controls that safeguard against unauthorized access, manipulation, and other potential threats.
Understanding the significance of input controls within the framework of a centralized accounting system is essential for organizations seeking to bolster their cybersecurity defenses. NIST controls not only play a pivotal role in preventing data breaches but also contribute to regulatory compliance, ensuring that financial data is handled with the utmost care and per industry standards.
Join us on this exploration of NIST SP 800-53’s input controls, as we uncover the practical ways they can be harnessed to create a resilient centralized accounting system. By the end of this journey, you’ll gain valuable insights into how these controls can be tailored to your organization’s unique needs, enhancing the overall security posture and instilling confidence in the management of financial data.
Example Document
Dear Mr. Smith, Audit Manager,
As requested, I have compiled a list of the most critical controls I would recommend for creating an interface from each of the company’s departments to the centralized accounting system. This report will showcase controls derived from NIST Special Publication 800-53, as I feel its content and structure will allow us to ensure the new system interface will be successful and secure.
First, I want to discuss two controls related to the new interface’s accounting data: CP-9 Information System Backup and MP-4 Media Storage. The CP-9 control manages user and system-level information backups, as well as backups for information system documentation. CP-9 also covers how to effectively perform backups while protecting the CIA (confidentiality, integrity, and availability) of the data and where the information is stored. The second control, MP-4, related to CP-9, covers how to physically secure and store media and media systems until they are appropriately destroyed or sanitized (NIST, n.d.).
To effectively utilize the CP-9 Information System Backup control, the new accounting system interface’s data should be stored both on-premises, on a NAS (network-attached storage) device, and off-premises in the cloud. To ensure the CIA of our data, we shall perform regular audits of the status of the stored information and conduct routine emergency recovery tests. To use the MP-4 control, our organization’s new system interface should use RAID data storage in one of its many available configurations to store media (NIST, n.d.). A potential method of securely storing data until it is time to delete it would be, for example, setting a specific length of time after which a customer’s personal information is automatically deleted from the RAID storage, thus ensuring that the disks are routinely cleaned and able to store more mission-critical material. Since our organization has been using paper transactions until now, the old physical material must be safely destroyed, ensuring that no personal data can be retrieved.
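The two practices described above, a verified backup (CP-9) and time-based deletion of customer records (MP-4), as an added example that is not part of the original letter. The stores, records, dates and the 365-day retention period are all constructed for illustration; a real deployment would run the same checks against the NAS, the cloud copy and the accounting database.

```python
"""Added example: backup manifest + restore verification (CP-9) and a
retention purge with an audit trail (MP-4). All data is constructed."""
import hashlib
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # assumed retention period for customer personal data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Record a content hash per backed-up file so a later restore can be checked."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_restore(manifest: dict, restored: dict) -> list:
    """Recovery test: names of files that are missing from, or altered in, the restore."""
    problems = []
    for name, digest in manifest.items():
        if name not in restored or sha256_hex(restored[name]) != digest:
            problems.append(name)
    return problems


def purge_expired(records: list, now: datetime, audit_log: list) -> list:
    """Drop records older than RETENTION_DAYS; every deletion is written to the audit log."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    kept = []
    for rec in records:
        if datetime.fromisoformat(rec["created"]) < cutoff:
            audit_log.append({"event": "retention_purge", "record_id": rec["id"],
                              "at": now.isoformat()})
        else:
            kept.append(rec)
    return kept


# constructed sample data: a small backup set, a clean restore and a damaged one
BACKUP = {"ledger.csv": b"id,amount\n1,100.00\n", "customers.json": b'[{"id": 7}]'}
MANIFEST = build_manifest(BACKUP)
RESTORED_OK = dict(BACKUP)
RESTORED_BAD = {"ledger.csv": b"id,amount\n1,999.00\n"}  # altered; customers.json missing
NOW = datetime(2021, 2, 8, tzinfo=timezone.utc)
RECORDS = [{"id": "c1", "created": "2019-01-01T00:00:00+00:00"},
           {"id": "c2", "created": "2020-12-01T00:00:00+00:00"}]

if __name__ == "__main__":
    print(verify_restore(MANIFEST, RESTORED_OK))   # []
    print(verify_restore(MANIFEST, RESTORED_BAD))  # ['ledger.csv', 'customers.json']
    log = []
    print([r["id"] for r in purge_expired(RECORDS, NOW, log)], log)  # ['c2'] and one purge entry
```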
Next, the AU-1 Audit and Accountability Policy and Procedures control will ensure that policies, controls, and procedures regarding security audits and accountability are created, maintained, and enforced (NIST, n.d.). By implementing and mandating the various security controls/enhancements concerning the proper and continued use of auditing each system’s accountability procedures, the new accounting interface’s network and systems can ensure compliance with AU-1, as well as the rest of the AU family; this task will be managed by both IT and InfoSec, along with accounting staff.
Due to the data’s sensitivity in the new accounting interface, I feel that the IA-2 Identification and Authentication (Organizational Users) control will be a high priority. The IA-2 control will determine the systems of identifying, authenticating, and managing employees, guests, and contractors’ access to the new accounting system’s information assets, regarding both local and network access (NIST, n.d.). Under CSO supervision, the CTO will create and oversee the policies and procedures for determining each user’s access and authentication, which will be enforced by the CSO (in terms of security impacts), thus allowing IT staff to assign or remove permissions. Additionally, each endpoint, wireless device, etc., will be required to undergo the same level of identification, authentication, and management under the same supervision as each aforementioned staff. Due to IA-2’s specific (organizational users) specification, many policies regarding identification and authentication concerning non-company users will not be addressed, although many of the same principles are followed.
As any new system relies on continued maintenance and upkeep to ensure performance stays constant, I believe the MA-1 System Maintenance Policy and Procedures control will benefit us greatly. The MA-1 control will ensure that necessary procedures and policies for implementing security control and enhancements are established, and aligned with federal laws, orders, standards, and regulations (NIST, n.d.). InfoSec staff at our organization will create and administer MA-1 controls, with assistance from IT staff and under supervision from the CSO/CTO. System maintenance needs to be a continuous process, derived from frequent inspections and weekly and quarterly improvements to the accounting interface.
Finally, I feel that the SI-4 Information System Monitoring control will ensure that all information systems are continuously monitored, audited, and kept compliant with internal and external (state, federal) policies, orders, laws, and regulations (NIST, n.d.). Due to the various information systems used at our organization and the sensitive nature of the information, the SI-4 control will require constant maintenance and updating by both InfoSec and IT staff. Utilizing a combination of risk assessments, notification alerts, intrusion protection, and security systems, our organization will be compliant with SI-4 due to the InfoSec and IT staff’s 24/7 monitoring of all information systems under the direction of the CSO/CTO.
I firmly believe the controls mentioned above will allow our organization’s centralized accounting system to effectively interface with each department’s accounting system, allowing for increased productivity and availability of our data and reduced paper waste. I know that I listed several security-related controls, but this is crucial as our company works with highly sensitive information, and due to switching each department’s communication path from paper to digital, the increase in possible legal and cybercrime implications rises dramatically. I hope you see the merit of my control recommendations. Please let me know if you have any further questions.
Thank you,
William Donaldson, IT Manager
Tekzor Inc.
References
Otero, A. R. (2019). Information Technology Environment and I.T. Audit. In Application Systems: Risks and Controls (5th ed., pp. 241-264). Boca Raton, Florida: CRC Press.
NIST. (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “CP-9 Information System Backup.” Retrieved February 8, 2021, from https://nvd.nist.gov/800-53/Rev4/control/CP-9.
NIST. (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “MP-4 Media Storage.” Retrieved February 8, 2021, from https://nvd.nist.gov/800-53/Rev4/control/MP-4.
NIST. (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “AU-1 Audit and Accountability Policy and Procedures.” Retrieved February 8, 2021, from https://nvd.nist.gov/800-53/Rev4/control/AU-1.
NIST. (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “IA-2 Identification and Authentication (Organizational Users).” Retrieved February 8, 2021, from https://nvd.nist.gov/800-53/Rev4/control/IA-2.
NIST. (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “MA-1 System Maintenance Policy and Procedures.” Retrieved February 8, 2021, from https://nvd.nist.gov/800-53/Rev4/control/MA-1.
NIST. (n.d.). NIST Special Publication 800-53 (Rev. 4). Security and Privacy Controls for Federal Information Systems and Organizations. “SI-4 Information System Monitoring.” Retrieved February 8, 2021, from https://nvd.nist.gov/800-53/Rev4/control/SI-4.