NIST 800-171 checklist is a list of procedures to help ensure that the FBI can recover data and maintain it in accordance with this standard. The second paragraph of the introduction should give an explanation as to why this is important.
The first part of the checklist begins with organizational security policies and management requirements. Organizations are required to assess the need for a recovery plan, define a recovery team, develop relationships with external organizations, maintain documentation of security controls, maintain documentation of system information and provide training on information assurance to personnel who need it.
The second part of the checklist requires that organizations must have a data protection director. Once a recovery plan is ready to be implemented, it must be approved by the relevant person within the organization. They should also establish procedures for reporting incidents, and document every event that results in damage or loss of information, as well as how they deal with these events.
The third part of the checklist consists of procedures related to recovering data and restoring systems. It also states that after procedures are implemented, a thorough test is required before the system is made available to anyone.
The fourth part of the checklist requires that guides must be followed when performing information assurance assessments. They must also ensure that the recovery plan provides for the protection of classified information and that monitoring of business systems has been designed to ensure compliance with laws, regulations and standards.
The final part of the checklist requires organizations to identify risks, design controls and assess risks. This part also requires that they ensure that they maintain records of all security policies implemented, practices and incident response.
This checklist is a standardized method of documentation that aims to provide various organizations with recovery plans and procedures in case their systems are compromised. It also aims to improve the security of data by ensuring that systems are correctly configured and ready for recovery.
This checklist is different from others as it addresses more than compliance with regulatory and legal requirements. It also focuses on the important information that needs to be documented under specific scenarios, such as what happens if an incident occurs, how should the organization respond and how should data be protected in case of a breach.
The organization will be the one responsible for implementing procedures and guidelines related to the checklist. They will need to review the document with all departments that use data and implement necessary updated policies, such as ensuring that systems are configured properly by using appropriate services and applications or removing unnecessary services or applications. They will also have to make sure that staff has adequate training including information on a breach and how to deal with it.
This checklist requires security assessments to be performed on systems that are not governed by law or regulation. The assessment should be performed at least once a year, regardless of whether parts of the checklist have been implemented or not.
This checklist requires that records be kept of all policies, procedures, guidelines and instructions related to information security. These records should also be updated on an annual basis.
The organization will need to notify all owners of data that was disclosed as a result of a breach.
The organization will need to provide notifications that are aimed at those who have been affected by a security incident. These notifications could include modified access, temporary or permanent data loss or the evidence of the ongoing investigation into the breach. To avoid unnecessary costs, it will be advisable to notify affected parties in writing and make sure that they know how to contact the organization should they wish to do so later.
If an organization is using information that has personally identifiable information, it will need to adhere to the requirements set out by the Privacy Act of 1974 and ensure that all individuals are notified of any breach. It should also notify individuals if there is a risk of harm or if they can be contacted by law enforcement agencies.
The following is a slightly modified version of the NIST 800-171 standard security checklist created by The Institute for Internet Security. We used the standard model because it allows for future expansion and application to new technologies that may not have been considered when the document was originally written. It also helps us think through our response to incidents in case they do occur. The form can be easily adapted to reflect local standards and regulations, as well as internal organization policies and procedures.
downloads
