RECIPROCITY

Preparing for a
NIST Audit
A Step-by-Step Guide

www.reciprocitylabs.com
The National Institute of Standards and Technology Cybersecurity
Framework (NIST) was created specifically to aid in securing our
nation’s critical infrastructure—but it is useful for almost any orga-
nization. A thorough compendium of information security rules and
guidelines, NIST can be an invaluable resource for improving your
enterprise’s security posture.

Checking off the NIST list assures

your enterprise, customers,
and clients that your systems,
networks, and data—and their
data, as well—are safe from
intrusion.

Engaging in a NIST audit will also save you time, effort, and expense
down the road, bringing you into compliance with other security
frameworks, including PCI DSS and SOX.
Compliance is no simple task, however. NIST 800-53, the cybersecu-
rity bible for federal agencies, contains more than 1,000 objectives.
How can your enterprise possibly meet them all? Fortunately, NIST
is highly prescriptive, in many cases spelling out not only the what of
compliance, but also the how.

Whether you’re a critical infrastructure provider

needing NIST certification or an enterprise using
NIST as a guideline for auditing other security
frameworks, an organized approach will help you
pass the test with flying colors.

Follow this comprehensive checklist compiled by our

experts to make NIST compliance as easy as 1-2-3.

TAKE ME TO THE CHECKLIST

Revision 5’s Focus:
Privacy

Previous versions of NIST focused on preventing data

breaches and thwarting system security attacks through
an emphasis on confidentiality, availability, and integrity.
Revision 5 adds privacy to the mix.

In response to the proliferation of data privacy laws across the globe,

Revision 5 addresses the creation, collection, use, processing, storage,
maintenance, and dissemination of personally-identifying data as well
as the privacy risks associated with this type of data.

NIST Revision 5 has 20 control “families”:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
1. Access control
This family addresses access controls for your organization’s IT environment: routers,
firewalls, computers, servers, and all devices on the network. It considers how these are
configured as well as the quality of your security policies, role-based access controls,
mandatory access controls versus discretionary ones, and privileged access controls.

ȏȏ Who has access to your systems, networks, and devices?

ȏȏ How do you grant access? How do you restrict it?
ȏȏ Do you allow any users to override access controls? Which ones? What is the
procedure?
ȏȏ How do you grant access to third-party vendors?
ȏȏ What attributes do you use that affect access?
ȏȏ Have you documented your information flow control policies?
ȏȏ How do you separate and isolate FedRAMP-certified devices and systems?
ȏȏ Do you have a comprehensive list of your domains and cross-domains? You will need
an inventory that includes individuals with access to these domains, their roles and
responsibilities, and their associated controls.
ȏȏ Can you provide role-based schemas for your privileged access accounts? Do you use
dynamic account management or shared or group credentials for these accounts?
ȏȏ Are you embedding access controls into your metadata? You will need to define and
identify this data.
ȏȏ What are your domain authentication processes and policies? How do you spot
violations?
ȏȏ Do you tag access data for quick identification? Many companies have done so since
the enactment of the European Union’s General Data Protection Regulation (GDPR) so
that if access control data is changed, those changes can be identified quickly.
ȏȏ When account data is changed, who gets notified? Does your system track the nature of
the changes, what data has been captured, and session login and termination times?
ȏȏ Who has remote access to your systems, and how is access granted? Do external
networks gain access via dial-up, broadband, or a virtual private network? Do users
log in automatically? Which credentials do they need to gain access remotely? Which
prompts and commands require them to validate their identity?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ For wireless access, what is the authorization process? Is the data encrypted? What are
the devices’ encryption settings, and what security controls do they contain? Devices
include smartphones, mobile phones, laptops, e-readers, tablets, and any external
systems.
ȏȏ Who is allowed to set up configurations? Who has access to information using
automated scripts or application programming interface (API), and who can make
changes in these configurations?

2. Awareness and training

These controls examine your organization’s internal security-and-privacy awareness
training.

ȏȏ What type of security awareness training do you provide?

ȏȏ Do you review and update your training policy annually? How do you disseminate the
security awareness policy to your employees?
ȏȏ What does your training include? Auditors expect training on malicious phishing,
malware, email breaches, social engineering, and other cybercrime tactics.
ȏȏ How do employees access the training?
ȏȏ How do you notify employees about
security vulnerabilities, malware,
suspicious communications, and other
security concerns? In the case of a
cyberattack, how, when, and where
do you send notifications? Are you
continually monitoring your system for
these threats and sending alerts in real
time? Do you instruct employees on what
to do? Do you follow up?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
3. Audit and accountability
For this control category, you will need the details of your organization’s audits and
audit processing records.

QUESTIONS INCLUDE:

ȏȏ How do you process your audits?

ȏȏ How do you monitor them?
ȏȏ How do you set up the content for your audits? Do you include assessments and
artifacts?
ȏȏ How is audit information captured and collected?
ȏȏ How does audit information get modified? What’s the chain of custody?
ȏȏ How do you store your audit documents, and where?
ȏȏ Are your audit documents time-stamped?
ȏȏ How do you protect audit information? What encryption tools do you use?
ȏȏ Who is authorized to access audit information? How do you validate their identity—
with passwords, multi-factor authentication, biometrics, or some other method?
ȏȏ What is your retention policy for audit information? How do you retrieve it?
ȏȏ How do you track and document audit trails so that you know who has accessed or
made changes to audit documentation? Audit trails should include the time and details
of the changes.

4. Assessment, authorization, and

monitoring
QUESTIONS INCLUDE:

ȏȏ Who conducts your organization’s privacy and security assessments? What are their
roles? Do you perform these in-house or use independent third parties?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ What are your privacy policies and procedures for setting up privacy and security
assessments and monitoring?
ȏȏ When do you conduct assessments? How often? What type of assessment does your
enterprise perform—security only, or do you assess privacy protection as well? What
types of specialized assessments do you perform—open testing, validation testing, and/
or vulnerability scans?
ȏȏ Do you monitor your systems, applications, and network?
ȏȏ What are your privacy controls? Do you monitor them?
ȏȏ If you are FedRAMP-certified or pursuing that certification, do you scrutinize your
system’s interconnections, interfaces with internal or external systems, and boundary-
protected devices? Are these devices and systems securely isolated from the rest of
your network?
ȏȏ Do you have controls, such as blacklisting, for malicious domains?
ȏȏ Do you assess and monitor secondary or tertiary connections or interfaces with
outside systems?
ȏȏ Is your monitoring continuous? If not, how often does it occur? Be prepared to present
your analysis and trend reports.
ȏȏ Do you conduct red-teaming? What does it consist of, and how often does it occur?

5. Configuration management
The auditor will want to see your configuration management policy and procedures.

ȏȏ How often do you review these documents? Do they discuss privacy?

ȏȏ What are your baseline configurations? Are they delineated for every server or device on
your network? Do your configurations include security or hardening of those devices?
ȏȏ Do you use automation for configuration management? What kind?
ȏȏ Do you retain previous configurations or settings? Do you have the ability to revert
to them in case of server issues? What is your rollback process? How do you uninstall
problem applications and programs, and conduct updates?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ Do you have configuration and testing settings for your
development and testing environments? Are those
environments separate?
ȏȏ Do you have a Configuration Control Board to ensure that
configuration changes get approved in an orderly manner?
What is the process for change validation?
ȏȏ Do you have a process to ensure that your software or
hardware is tested and validated before it moves into
production? What is that process?
ȏȏ What are your cryptography settings? Are configurations
documented?
ȏȏ What is the review process for your security policy? Are there any restrictions on policy
changes or access? Have your security policy on hand for the auditor’s review.
ȏȏ Do you have an inventory of all your system components? Be prepared to show this.
How often do you update it?
ȏȏ How often are installations and deactivations added to the systems inventory? Is this
automated? Is there a centralized repository?
ȏȏ Do you have data maps?
ȏȏ Is there personally identifying information (PII) within your systems? Do you have a
legal and valid business purpose and use?
ȏȏ Do you have a configuration management plan? Be prepared to show it to auditors. It
should include:

ȏȏ The software development lifecycle

ȏȏ Items under configuration management
ȏȏ Policies and procedures for making changes and requesting updates
ȏȏ Automated update processes

ȏȏ Do you allow users of enterprise devices to install software? If so, what are the policies
and procedures for doing so? What are the limits?
ȏȏ What are your controls or processes for installing software on new or existing servers?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
6. Contingency planning
Have on hand your organization’s contingency plan for keeping the business running in
case of a system outage, cyber event, or catastrophe.

ȏȏ If an outage occurred, how quickly could your systems, including critical systems, be up
and running again?
ȏȏ Do you have an alternative way to conduct business in case your systems shut down?
Do you have an alternative system for data capture, processing, and storage? Do you
have systems in multiple locations?
ȏȏ Have you identified your critical assets—those to restore first?
ȏȏ Have you identified your automated continuous transactions, such as human resources
and financial systems or critical system integrations? Do you have a plan to continue
business in case of a shutdown?
ȏȏ How long can your business operate without data? What is your recovery time?
ȏȏ What is your Recovery Point Objective? This should include the files and age of files to
recover and upload to your alternative site so business can resume.
ȏȏ How much data can your enterprise afford to lose?
ȏȏ How long can you weather an outage before losing business?
ȏȏ What is your Recovery Time Objective (the time you need to recover your data)?
ȏȏ How often do you back up your systems?
ȏȏ Do changes to your primary site automatically sync with your colocation site?
ȏȏ Do you have a record of changes made to your system between 90 days and 6 months
ago? Were those changes also made to your colocation site?
ȏȏ Be prepared to present documents showing your:

ȏȏ System components ȏȏ Rollback policy

ȏȏ Network topology ȏȏ Backup retention policy
ȏȏ System architecture ȏȏ Modifications to your hardware
ȏȏ Configuration management tools ȏȏ Reports of configuration testing
in use on your primary and colocation
ȏȏ The currency on which these sites
systems run ȏȏ Automation changes

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ Does your organization use an API? If so, have you set up an Electronic Data Interchange,
as well?
ȏȏ Have you tested your contingency plans? If not, how do you know they work?
ȏȏ Do you have a formal disaster recovery plan? Is it reviewed annually or when new
systems are added?
ȏȏ What disaster recovery training do you provide? Who receives it, and how often?
ȏȏ Do your disaster recovery policies and procedures address your primary and colocation
sites both individually and separately?
ȏȏ What agreements do you maintain with your telecommunications providers and other
third-party vendors in case of disaster?
ȏȏ Do you have a “single point of failure”—only one system and server, with no other
systems to capture information in the event of a disaster? If so, your systems design is
flawed and should be corrected.
ȏȏ What are your policies regarding system redundancy and data transfer? How is
information transferred to your backup site? Is it done automatically? Where is the
information stored, and for how long? Is it encrypted?
ȏȏ Is your colocation site on “hot standby,” meaning that you can switch your IT operations
over and resume running within minutes of losing your primary system?

7. Identification and authentication

Be prepared to show your policies and procedures for identifying and validating users
of your systems, networks, and devices.

ȏȏ Do you use multifactor authentication for users as well as for privileged access
accounts?
ȏȏ How do users sign on to software? Do they use single or dual authentication? Are they
authenticated each time they sign in, or only once?
ȏȏ What are your logical access controls and physical access controls?
ȏȏ How do you authenticate devices?
ȏȏ Do you use dynamic or static IP addresses?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ What level of complexity do you require for passwords?
ȏȏ How often do you require password changes?
ȏȏ Do you use biometric authentication?
ȏȏ What public key structure do you use for encrypting data?

8. Individual participation
What does your privacy policy say about collecting, storing, or processing PII? Have
the policy on hand for the auditor.

ȏȏ Which categories of PII data do you capture?

ȏȏ Do you obtain consent before collecting, processing, storing, or transmitting data?
ȏȏ Do you provide a “just in time” notice—one that condenses your more-lengthy privacy
policy into short, easy-to-read segments presented to visitors of your website?
ȏȏ If someone wants to correct, change, or remove their data from your database, what
are the procedures for redress? Is there an appeals process?
ȏȏ Do you issue notices of correction or amendment to owners of PII?
ȏȏ Do you allow PII owners to see their data and approve changes, amendments, or
corrections?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
9. Incident response
If your systems were breached or attacked and your data were exposed, what would
you do?

ȏȏ Do you have an incident response policy? Have it ready to present to the auditor.
ȏȏ Has senior management or an executive management team approved your
organization’s incident response policy?
ȏȏ Does your enterprise conduct incident response training? Do you use red teams?
Simulated events with root cause analysis?
ȏȏ Have you tested the latest version of your incident response plan?
ȏȏ Do you strive for continual improvement of your incident response metrics, such as
incident response time and recovery time? Do you record lessons learned?
ȏȏ Do you use an automated incident response tool? Does it include automatic disabling of
all or, at a minimum, affected IT systems?
ȏȏ How often do you review and test your incident response plan? Do you do so at least
once a year?
ȏȏ If you have more than one critical system, how do you coordinate and communicate
security incidents across systems?
ȏȏ Do you have a policy or mechanism for alerting third-party vendors to a breach?
ȏȏ Do you have incident monitoring in place for your systems and applications? Is
analysis included? When are alerts sent? Do you use a security information and event
management tool for tracking, alerts, and log generation?
ȏȏ In case of a major security breach, who at the local, state, or federal level would you
need to contact? Are you in communication with them? When and how would you send
these alerts?
ȏȏ Do you use a vendor for incident response?
ȏȏ Do you check your IT scan reports for system vulnerabilities? Who performs this task,
and how frequently? What is the procedure for fixing any flaws? Who is responsible?
ȏȏ Who reviews and updates your incident response plan, and how often? Who has a
copy of the plan? Do employees have it? Have they been trained on how to follow its
directives?
ȏȏ Who has the ultimate responsibility for incident response at your organization?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
10. Maintenance
ȏȏ How often are diagnostics and repairs performed on your systems?
ȏȏ Does systems maintenance occur in a controlled environment?
ȏȏ Who has access to perform maintenance? How do they gain access if the system
contains confidential data?
ȏȏ How often do you perform maintenance on your systems?
ȏȏ Which maintenance tools does your organization use? Do you have specific media for
this task, such as a designated drive?
ȏȏ What are your contingencies for drives or networks that may be affected or
interrupted during systems maintenance?
ȏȏ Who gets notified of maintenance activities? When are these notifications sent, and how?
ȏȏ Who is responsible for approving maintenance-related downtime? What is the
approval process?

11. Media protection

ȏȏ Who has access to your organization’s IT media, including storage media? This includes your
servers, databases, backup tapes, memory cards, rotating fixed disks, hard drives, and solid-
state drives.
ȏȏ How is this media handled and stored? Is it encrypted?
ȏȏ Who are the media custodians?
ȏȏ How is this media maintained?
ȏȏ What are your policies and procedures for decommissioning and destroying IT media?
Is it backed up before destruction? Does it get erased?
ȏȏ What happens to the backup data when media is destroyed or decommissioned? Does
it get classified or tagged?
ȏȏ Who handles media destruction or decommissioning? Is this performed in-house or by
a third-party entity?
ȏȏ When does media get destroyed or decommissioned? What are your policies and
procedures? Be prepared to show this documentation to the auditor.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ If your organization does not destroy decommissioned devices, such as laptops and
other mobile computing devices, why not? What happens to these devices instead?
ȏȏ Who signs off on media destruction? Are at least two people responsible for
authorization?
ȏȏ How is data removed from media? Is it done in-house, at a vendor’s location, or
remotely?
ȏȏ What measures do you take to protect PII? Do you anonymize or pseudonymize it
for data minimization? Is this data backed up before destruction? Where do you keep
copies of this data, and how? Is it encrypted? How long do you keep it? Are you familiar
with applicable laws governing the handling of PII data?
ȏȏ How do you document your handling of organizational IT media and storage? Be prepared
to show records to the auditor.

12. Privacy authorization

This control family examines your organization’s authority and legal justification for
collecting private information.

ȏȏ What are your privacy policies and procedures? Be prepared to provide them to the
auditor.
ȏȏ What PII do your systems capture?
ȏȏ What notices do you provide to owners before collecting their PII?
ȏȏ Why are you capturing PII? You must document your legal business justifications.
ȏȏ Are you tagging and classifying the PII you collect?
ȏȏ How do you collect and store PII? Do you use an automated system? What is the
process?
ȏȏ How does your system identify the captured information and its owner?
ȏȏ Do you share PII with any third parties? Do you monitor the handling of this data?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
13. Physical and environmental
protection
This category examines your organization’s means and methods of ensuring that your
buildings, rooms, and environment are secure.

ȏȏ What does your security policy say about security and physical access to your grounds,
buildings, and internal environment?
ȏȏ Do you maintain an up-to-date employee list?
ȏȏ What credentials does your organization provide to visitors, employees, and contrac-
tors? How often is that list of credentials updated?
ȏȏ Do you grant access according to roles and responsibilities? What type of identification do
you require from visitors? Do you require at least one or two forms of ID?
ȏȏ Do you restrict access to your buildings and environment?
ȏȏ How do you monitor visitor access? Do you keep logs and use closed-circuit television to
track visitor movements and activities?
ȏȏ Do you issue security badges to employees and visitors? Can they use the badges to
move between floors or buildings?
ȏȏ Do your buildings have security keys? How often do you change them?
ȏȏ Does your building have ingress or egress controls? Access devices? Other barriers?
ȏȏ Do you guard or monitor your IT hardware locations? Is your hardware locked in racks,
casing, or cages?
ȏȏ Are there locks on your office doors? Are employee laptops locked down, for instance at
docking stations? Are other devices, including transmission hardware such as cables and
routers, physically secure?
ȏȏ How does your organization monitor your physical premises and access to it? Do you
use sensors, video surveillance, or other methods? How are intrusion alerts set up, and
who gets notified and when? What are response procedures?
ȏȏ What are your retention policies regarding surveillance recordings and data? For how
long do you keep this information?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ What are your policies and procedures for emergency shutdowns? Do you have unin-
terruptible power supply systems in case of fire or loss of power? Do you have an alter-
native power supply in case of an extended outage?
ȏȏ If a fire were to occur and shut down power, do your buildings have emergency lighting?
Do they have fire detection and suppression systems? Are those systems activated au-
tomatically, or is someone notified to activate them manually? Who gets the notification
and what are the procedures?
ȏȏ How often do fire inspections occur in your buildings?
ȏȏ What are the temperature and humidity controls in your data center or server environ-
ment? Are these controlled automatically? How are they monitored?
ȏȏ Do you have water and fire detection systems in your server and network rooms? How do
you safeguard these from damage?
ȏȏ What are your procedures for equipment delivery and removal? Who authorizes these
deliveries, and how are those authorizations reviewed?
ȏȏ How do you protect your colocation site? Do you know where all your assets are locat-
ed and how they are protected? How do you monitor and track them? Have your asset
inventory report on hand for the auditor to review.

14. Planning
This category considers how your enterprise plans and coordinates IT security
activities with other organizations.

ȏȏ Do you have restrictions on social media and networking, and on access to public
websites?
ȏȏ Do you share your operational plans and architecture plans? With whom?
ȏȏ Do you have a privacy plan? What are your privacy plans and policies, especially
concerning coordination and sharing with outside organizations?
ȏȏ Do you have a security plan? Does it take a “defense-in-depth,” multi-layered approach
to defense and security?
ȏȏ Does your security plan include baseline configuration settings? Does it include
customized systems and configuration settings? These should be documented, as well.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
15. Program management
ȏȏ Do you have a program management organization or office?
ȏȏ Do you have a project plan listing IT programs that are due for installation or upgrade?
How is it validated? Do you update it annually?
ȏȏ Does your project plan include hardware requirements, impacted systems, and
dependencies associated with installing or upgrading software or hardware? Who has
access to these systems, and how are they notified of changes and their effects?
ȏȏ Have you planned for information security program roles, resources, actions, and
milestones?
ȏȏ Does your plan include updates to your system inventory?
ȏȏ How do you monitor and measure projects or programs? How do you track program
removal and replacement?
ȏȏ Does your project plan list include technology to be installed and instructions for
aligning it with your current system and data privacy requirements?
ȏȏ Along with your project plan, you should be prepared to provide your auditor with the
following:

ȏȏ Critical infrastructure plan

ȏȏ Risk management strategy
ȏȏ Change management plan

ȏȏ For each program listed, does your project plan address:

ȏȏ Potential threats posed by implementation?

ȏȏ Associated roles and responsibilities?
ȏȏ Testing and monitoring policies and procedures?
ȏȏ takeholders involved, including your program team, third-party vendors,
S
the IT security department, a red team, and help desk support? Are all
stakeholders aware of the program?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ Are new programs added to your threat awareness process?
ȏȏ Has the information associated with each new program been classified? This is
especially important for PII.
ȏȏ Does each program have a privacy plan (if relevant)? This should include assurance
disclosures.
ȏȏ Do you have a data quality management process for new programs?
ȏȏ Do new programs include automated systems to collect personal information? Do they
tag, minimize, and archive personal data?
ȏȏ Do you have a data integrity board? Is there a process for addressing complaints
regarding the collection, processing, storage, and transmission of personal data?
ȏȏ Who is ultimately responsible for the data captured by these programs and systems?
Ideally, a senior data privacy official or officer should be in charge of ensuring data
privacy, managing your inventory, reviewing data classification categories, and tagging,
managing, and reporting risks.

16. Personnel
What are your policies and procedures for vetting personnel to safeguard the security
of your organization?

ȏȏ Do you have clear definitions for all roles and responsibilities, including security roles?
ȏȏ What are your personnel screening practices at the time of hiring and termination?
What are your onboarding and termination processes?
ȏȏ Do you require personnel who handle sensitive data or intellectual property to sign
non-disclosure agreements?
ȏȏ If employees are transferred or their roles and responsibilities change, how do you
ensure that their access to your systems is reviewed and updated so that they have
access only to the areas necessary for their job?
ȏȏ How do you know when someone has violated the terms of their employment
agreement, especially regarding privacy and security? What are your organization’s
punitive measures? Do you remove access, terminate the employee, or something else?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
17. Risk assessment and risk
management
What are your risk management and risk assessment policies and procedures? Have
documentation on hand for the auditor.

ȏȏ Have you categorized or classified your information by security level? NIST has
established standards for categorizing information and systems according to their
risk level.
ȏȏ Are risk assessment reports provided? To whom, and how often?
ȏȏ Do you use vulnerability scans to identify risks to your applications, servers, and
network? How often do you perform scans? What type of scoring system do you use?
ȏȏ Do you use a component vulnerability scoring system? Is it part of your risk
management risk register process?
ȏȏ How deeply and broadly do you scan your servers for vulnerabilities?
ȏȏ Who reviews your scanning reports?
ȏȏ How is the information generated in these reports used? Does anyone analyze trends?
ȏȏ How many scanners do you have?
ȏȏ What happens to your historical vulnerability data?
ȏȏ How do you deal with Severity 1, 2, or 3 vulnerabilities?
ȏȏ What is your process for assessing the effects of your vulnerability scans on privacy?
The EU’s GDPR requires data protection impact assessments for all critical analyses of
your vulnerabilities.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
18. Systems and services acquisition
For NIST compliance, you will need to show an acquisitions policy and procedures
document for systems and services including resource allocation, capital planning,
budgeting, and privacy and security protection for new systems.

THE DOCUMENT SHOULD ANSWER:

ȏȏ How is development testing and integration carried out for new systems or services?
ȏȏ How often are updates and patches scheduled? Do you use live data?
ȏȏ What is your acquisition process? Does it include security reviews, and how do you
conduct them?
ȏȏ What are your requirements?
ȏȏ What are your procedures and requirements for server provision? What are the
criteria for acceptance?
ȏȏ What are your risk review procedures for new systems and services? What security
controls must be implemented? Make sure to document them, as well as:

ȏȏ APIs
ȏȏ Hardware schematics
ȏȏ Developer involvement required to activate the new system
ȏȏ Data migration requirements

ȏȏ Are you selecting off-the-shelf systems, or customizing?

ȏȏ Are the new systems controlling, storing, or processing government data?
ȏȏ Do you have configuration management for the new systems? Key management? What kind?
ȏȏ Do your new systems require additional configuration or special installation? Have
you notified your engineering department and data center? Have you given all the
necessary personnel access for installation?
ȏȏ If the new systems are external, have you made sure that they are secure before using
them? Have you checked the external vendor’s System and Organization Controls for
Service Organizations (SOC) report to ensure that, as the host, they have the proper

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
 protections in place to secure your data? If not, once you access the external server
from your network, you’re exposed to unacceptable risks.
ȏȏ Have you made changes to your configurations because of the new systems or services?
If so, you will need to provide documentation of those changes.
ȏȏ If you have new hardware or firmware, have you verified the security of user software
connections?
ȏȏ Do you use data mapping to transfer data into the new system?
ȏȏ Have you performed penetration testing on the new system?
ȏȏ Have you included the new system in your incident and event monitoring? Is it in your
incident plan and any security tracking tools you use?

19. Systems and communication

Be prepared to provide your systems and communications policies and procedures
documents.

ȏȏ These documents should address:

ȏȏ The included interfaces and applications, how they’re partitioned, and the
related security functions
ȏȏ Hardware separation and software or hardware segmentation
ȏȏ The access and flow of information through your systems
ȏȏ Shared system resources, availability, capacity, bandwidth, and redundancy

ȏȏ Do monitoring tools send notifications when your systems are nearing their capacity?
ȏȏ If your systems go down for any reason, does the user community get notified?
ȏȏ Do you have boundary protection—especially important for FedRAMP and PCI DSS
certification?
ȏȏ Are your communications, subnets, interfaces, and communications isolated and
protected? How?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ Regarding your servers:

ȏȏ Do you restrict server communications traffic, both outgoing and incoming?

ȏȏ Do outgoing communications meet confidentiality and integrity standards?
Are they encrypted? How?
ȏȏ Do you have host-based protection?
ȏȏ Are your security tools for these servers isolated, too?

ȏȏ Are your systems configured and protocols enforced for breach protection? Are they
dynamically isolated and segregated?
ȏȏ Do your FedRAMP and financial systems have separate subnets, network connections,
and security domains?
ȏȏ Are these systems resilient?
ȏȏ Do your systems generate notifications when networks get disconnected or disrupted?
Do they catalogue downtime? What are your processes in case of inactivity?
ȏȏ How do you secure data? How do privacy attributes get transmitted? Do you use public
key infrastructure certificates? Secure socket layering (SSL)?
ȏȏ Do you use Voice-over IP (VoIP) protocols? If so, how do you secure the data
generated?
ȏȏ How do you secure your system components?
ȏȏ How do you partition your systems? What are the channels of distributed storage and
processing?
ȏȏ What are your wireless link protocols? Do you have wifi throughout your office? Is
it visible? How is it protected? Do you use electromagnetic interference or anti-jam
protection?
ȏȏ If your buildings contain sensors, what data are they capturing, and in what
environment? How do you protect that data?
ȏȏ Are there resets on the use of all devices? How are they configured?
ȏȏ Do you have malicious code protection on every device—software, hardware, firmware,
and entry points?
ȏȏ Are your internal and external systems monitored for malicious activity? Does the
monitoring system generate logs of attacks and attempted intrusions? Who gets
notified when this activity occurs? How and when are they notified?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ Do you have continuous monitoring in place for each of the following?

ȏȏ Connection problems
ȏȏ System outages
ȏȏ Unauthorized access to the network
ȏȏ Deployment of any device
ȏȏ Modification or deletion of any system configuration settings

ȏȏ What is your incident response program?

ȏȏ How is your system intrusion detection system configured? Does it include real-time
analysis of system changes or problems? System-generated alerts?
ȏȏ What kinds of security and privacy verification do you use?
ȏȏ Do you have memory protection? What kind?

20. System information integrity

What are the integrity policies and procedures for your IT system? Be prepared to show
documentation.

ȏȏ Do you have security controls? What kind?

ȏȏ What is your process for system information integrity planning and implementation?
ȏȏ How do you protect devices from malicious code?
ȏȏ If a breach occurs, what is the process for corrective action? What is the testing and
certification process for implementing changes in your system?
ȏȏ Are remote commands authenticated? How?
ȏȏ Do you review and analyze traffic and event patterns to spot abnormalities?
ȏȏ Is there monitoring of:

ȏȏ Wireless-to-wireless ȏȏ Host-based devices?

communications? ȏȏ Network devices?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
ȏȏ Are your devices audited?
ȏȏ Are all devices and network servers tested and approved before use?
ȏȏ Does monitoring protect user privacy? How?
ȏȏ Are your integrated systems tracked and monitored regularly?
ȏȏ Is there spam protection at your systems’ entry and exit points? Is it updated regularly
using a centrally managed automated process?
ȏȏ How do you ensure that patches and updates get applied as soon as they become
available?
ȏȏ How do you validate input? Do you use structured messages, prescreening, or syntax
validation?
ȏȏ How do you handle data errors?
ȏȏ What are your information management and retention policies?

ȏȏ How long do you keep data and records?

ȏȏ How do you destroy data?
ȏȏ What is the approval process for data destruction?

ȏȏ How do you prevent predictable failures?

ȏȏ Have you implemented non-persistence for your information security components?
ȏȏ Do you have fail-safe procedures to determine next steps in case your critical system
components lose the ability to communicate? If a communication failure were to occur,
how would you alert your IT operators and provide instructions?
ȏȏ How do you dispose of information, especially PII?
ȏȏ How do you ensure that PII is:

ȏȏ Accurate?
ȏȏ Masked?
ȏȏ Properly classified or tagged?
ȏȏ Encrypted?
ȏȏ Easy to identify and update?

ȏȏ What are your disclosure and privacy policies for collecting and processing PII?
ȏȏ If the owner of PII requests their data, what are your processes for providing it?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Pro-Tip:
Don’t Tackle
NIST Alone.
Preparing for a NIST audit may be one of the
most challenging tasks a compliance or security
professional will undertake. But being able to assure
clients, customers, and prospects about the security
of your systems, your networks, and their data is
worth your time and effort.

And NIST compliance will place you in the proverbial driver’s seat when it
comes time for other security-related audits such as FedRAMP, SOX, and
PCI DSS.
 Given NIST’s complexity, however, this is one
framework you won’t want to manage with
cumbersome, old-fashioned spreadsheets.

A quality governance, risk, and compliance (GRC) software can help you sail
through your NIST audit in a fraction of the time and with much less effort.

No more hunting for documentation; no more searching emails or toggling

screens. Centralized dashboards and simplified self-audits can make NIST com-
pliance a worry-free, Zen-like experience, freeing you and your personnel to
focus on the task at hand: keeping your data, systems, and networks secure and
operational, and your clients and customers happy.
 About Reciprocity
Reciprocity provides ZenGRC to the world’s leading
companies. Our cloud-based solution with fast, easy
deployment, unified controls management, and a cen-
tralized dashboard offers simple, streamlined compli-
ance and risk management, including self-audits, with-
out the hassle and confusion of spreadsheets. Contact
a Reciprocity expert today to request your free demo,
and embark on the worry-free path to regulatory
compliance—the Zen way.

www.reciprocitylabs.com/resources
[email protected]
(877) 440-7971