Comments Sought for Security Guide

Thursday, November 5, 2015 @ 04:11 PM gHale

A draft guide to help organizations better secure and manage their mobile devices is out and the National Cybersecurity Center of Excellence (NCCoE) is seeking comments.

The draft NIST Cybersecurity Practice Guide Mobile Device Security: Cloud & Hybrid Builds (Special Publication 1800-4) shows how commercially available technologies can help companies secure sensitive data accessed by and/or stored on mobile devices used by employees.

“Mobile devices extend or eliminate the notion of traditional organization boundaries, posing challenges that nearly all businesses regardless of sector or organization size,” said Nate Lesser, deputy director of the NCCoE, part of the National Institute of Standards and Technology (NIST). “Our guidance can help organizations reduce their risk and increase their ability to see and respond to security issues.”

Security controls have not kept pace with risks that mobile devices can pose.

To address this challenge, NCCoE security engineers re-created a typical IT scenario involving commonly used devices, organizational email, calendaring and contact-management software.

They then developed several configurations of commercial management and security technologies to improve mobile device security. The example solution detailed in the guide shows organizations how to configure a device so it can be trusted, as well as how to remove the device from systems if it is lost or stolen or when an employee leaves the company.

The draft guide maps security characteristics to standards and best practices from NIST and other organizations. It provides instructions for implementers and security engineers on installing, configuring, and integrating the example mobile device security solution into existing IT infrastructures.

While the guide uses a suite of commercial products as part of the example solution, it does not endorse any particular products or guarantee regulatory compliance. The NCCoE’s example solution may be adopted as is or used as a starting point for tailoring and implementing parts of a solution.

You can download the draft guide from the NCCoE website, which includes a form for submitting comments. The public comment period is open through Jan. 8, 2016.

The guide is part of the center’s new series of publications, called NIST Cybersecurity Practice Guides (Special Publication Series 1800), which target complex cyber security challenges in the public and private sectors. The practical, user-friendly guides show members of the information security community how to implement example solutions intended to help them align more easily with relevant standards and best practices.

The NCCoE is the nation’s cyber security laboratory, addressing businesses’ most pressing cyber security problems with practical, standards-based solutions using commercially available technologies. The center collaborates with industry, academic and government experts to build modular, open, end-to-end reference designs that are broadly applicable and repeatable.