NIST Standards
NIST SP 800-121
Bluetooth can be intercepted much like other wireless traffic. Bluejacking is the term for the MitM-like attacks on a Bluetooth connection. Bluebugging is an attack that grants hackers remote control over the features and functions of a Bluetooth device. For a deeper understanding of Bluetooth, particularly its security, consult the standard NIST SP 800-121, currently at rev 2.
NIST SP 800-34
As an example, NIST 800-34 identifies plans in the areas shown in Table 1.1:
- BCP
- COOP
- Crisis comms plan
- CIP
- Cyberincident response plan
- DRP
- ISCP
- OEP
NIST SP 800-199
(NIST Special Publication 199) A simple method for categorization can start with a high, medium, and low set of categories. For U.S. government entities, the Federal Information Processing Standard (FIPS) Publication 199 outlines guidelines for applying the qualitative categories. Each of the levels has a precise definition against which the information is evaluated to determine the appropriate categorization level. In Table 2.1, categorization is summarized and depicted as security objective against potential impact.
NIST SP 800-92
Data retention requirements also apply to security and IT operations audit logs. NIST SP 800-92, "Guide to Computer Security Log Management," offers guidance on log archival, log retention, and log preservation. Data retention requirements are based on factors such as operational need, legal requirements, and, in some cases, a specific incident or event that requires an exception to log management policy.
CSD, CSRC, FISMA
Developed by the NIST Computer Security Division (CSD) Computer Security Resource Center (CSRC) and made up of standards and guidelines from FISMA, the framework consists of controls found in various NIST SPs. These publications include FIPS 199, FIPS 200, and NIST SPs 800-53, 800-59, 800-60, 800-160, 800-137, and 800-18. Additional security guidance documents that support the project include NIST SPs 800-37, 800-39, 800-171, 800-171A, 800-53A, and NIST Interagency Report 8011. Without question, the framework is a large compilation and combination of current industry standards and best practices provided by government and private-sector security experts.
NIST SP 800-37
Documented in NIST Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," it prescribes a six-step process through which the federal government manages the risks of operating information systems.
FIPS 199
FIPS 199, "Standards for Security Categorization of Federal Information and Information Systems," requires agencies to categorize all of their information systems based on the potential impact to the agency of the loss of confidentiality, integrity, or availability. Implied in this process is that the agencies must have a comprehensive inventory of systems to apply the categorization standard.
FIPS 200 and NIST SP 800-53
FIPS 200 identifies 17 security-related areas of control, but the details of which specific control is to be applied are found in NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems."
NIST FIPS 200
FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.200.pdf): An integral part of the NIST RMF, this standard emphasizes security during the development, implementation, and operation of information systems. FIPS 200 defines the 17 families of security controls covered under confidentiality, integrity, and availability of U.S. federal information systems and the information processed, stored, and transmitted by those systems.
NIST SP 800-34 and ISO 22301 and COBIT DS4
Fortunately, standards exist for DR/BCPs as well, including ISO 22301, "Societal security - Business continuity management systems - Requirements" and NIST SP-800-34, "Contingency Planning Guide for Federal Information Systems." COBIT DS4, "Ensure Continuous Service," also addresses disaster recovery and business continuity planning.
NIST SP 800-63A
Identity Assurance Levels In this matter of registration and identity proofing, the U.S. government (not surprisingly) has a great deal of experience, and much at stake. NIST is responsible for advising federal agencies how to do this correctly. NIST Special Publication 800-63A, "Digital Identity Guidelines: Enrollment and Identity Proofing Requirements"
NIST SP 800-38A
In selecting an encryption methodology, the security professional has to take into account the increased computational overhead of the encryption process and the management of the cryptographic process. It is important to use only widely accepted encryption algorithms and widely accepted implementations, like those found in NIST SP 800-38A, "Recommendation for Block Cipher Modes of Operation: Methods and Techniques."
NIST FIPS 199
In the United States, the NIST FIPS 199 can be used for asset classification within the overall risk management process. The best organizational security policy will be developed using the relevant guidance as a foundational source.
NIST SP 800-133
Keys should be generated in a manner appropriate for the cryptographic algorithm being used. The proper method to generate a symmetric key is different from a public/private key pair. NIST SP800-133 (Recommendation for Cryptographic Key Generation) provides specific guidance.
CIP version 5 standards
CIP Version 5 Standards
CIP 5 standards exist that cover a range of areas:
- CIP-002: Identifies and categorizes BES Cyber Assets and their BES Cyber Systems. This is where an impact rating is specified.
- CIP-003: Specifies consistent and sustainable security management controls that establish responsibility and accountability.
- CIP-004: Requires an appropriate level of personnel risk assessment, training, and security awareness.
- CIP-005: Specifies a controlled Electronic Security Perimeter with border protections.
- CIP-006: Specifies a physical security plan with a defined Physical Security Perimeter.
- CIP-007: Specifies select technical, operational, and procedural requirements for the BES Cyber Assets and BES Cyber Systems.
- CIP-008: Specifies incident response requirements.
- CIP-009: Specifies recovery plan requirements.
- CIP-010: Specifies configuration change management and vulnerability assessment requirements.
- CIP-011: Specifies information protection requirements.
NIST SP 800-53r4 and ISO 17799
Compliance with record retention requirements is supplemented via active archiving systems. Internationally accepted standards such as ISO 17799 and NIST SP 800-53 r4 provide guidance on information handling and retention requirements over the full lifecycle of information, in some cases extending beyond the disposal of information systems.
NIST SP 800-171
Many of the risk management and compliance frameworks require organizations to address controls over third-party personnel. In the United States, NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," identifies personnel security controls that vendors must address when managing certain types of sensitive information under federal contracts. Third-party compliance with the Health Insurance Portability and Privacy Act also places expectations on contracting organizations to ensure that their partners use appropriate assurance practices with their personnel.
NIST SP 800-70
Many organizations use guides or checklists to accomplish and maintain a secure baseline configuration for their assets. A leading source that is publicly available is the National Checklist Program (NCP), defined by NIST SP 800-70. This is the U.S. government repository for up-to-date and detailed guidance for security configurations.
NIST IR 7622
The U.S. government began directly addressing cyber supply chain risk as a separate issue with the publication of NIST IR 7622, "Notional Supply Chain Risk Management Practices for Federal Information Systems." This work recognizes that the actions required of the entities in the supply chain will change depending on their role, as will the level and type of control to be applied. The document identifies 10 practices that should be taken into account in addressing supply chain risk.
NIST SP 800-150
NIST 800-150: NIST Special Publication 800-150, "Guide to Cyber Threat Information Sharing," is one of the most comprehensive sources describing how organizations can share cyberthreat information to improve their own and other organizations' security postures.
NIST SP 800-154
NIST 800-154 Data-Centric Threat Modeling
In 2016, NIST placed for public comment a threat modeling approach centered on protecting high-value data. This approach is known as NIST 800-154, "Data-Centric Threat Modeling." It explicitly rejects the idea that best-practice approaches are sufficient to protect sensitive information, as best practice is too general and would overlook controls specifically tailored to the protection of the sensitive asset. In this model, the analysis of the risk proceeds through four major steps.
NIST SP 800-53
Per NIST 800-53, media should be sanitized "prior to disposal, release out of organizational control, or release for reuse." Disposal of media doesn't acknowledge a need to reuse the media, but sanitization does.
NIST Cybersecurity for IoT Programs
NIST Cybersecurity for IoT Program: Accessible at https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program, this program is creating standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed.
NIST SP 1500-4
NIST SP 1500-4: NIST Big Data Interoperability Framework: Volume 4, Security and Privacy: This document is authored by the NIST Big Data Public Working Group (NBD-PWG) and is accessible at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1500-4.pdf. The group is working to develop consensus on important, fundamental concepts related to Big Data, including privacy and security topics. Within the special publication are security and privacy use cases, proposed security and privacy taxonomies, details of the Security and Privacy Fabric of the NIST Big Data Reference Architecture (NBDRA), and initial mapping of the security and privacy use cases to the NBDRA.
NIST SP 800-101
NIST SP 800-101 Revision 1, "Guidelines on Mobile Device Forensics," has a self-explanatory title. It covers the unique requirements for acquiring, preserving, examining, analyzing, and reporting on the digital evidence present on mobile devices.
NIST SP 800-115
NIST SP 800-115 is an overview of the key elements of security testing. It isn't a comprehensive guide, but it does direct organizations on how to plan and conduct technical information security testing, analyze the findings, and develop remediation strategies. This guidance on NIST methodology includes: Security Testing and Examination Overview
NIST SP 800-137
NIST SP 800-137 addresses continuous monitoring within the context of U.S. government systems.
NIST SP 800-145 and ISO/IEC 17788
NIST SP 800-145 and ISO/IEC 17788 define a number of characteristics that distinguish cloud computing:
NIST SP 800-30 rev 1
NIST SP 800-30 Rev. 1: Guidance for conducting risk assessments of federal information systems and organizations. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process.
NIST SP 800-30
NIST SP 800-30 is a U.S. federal government standard known as the "Risk Management Guide for Information Technology Systems." Its focus is on information technology threats and their relationship with information security risks. It defines a risk assessment process through a sequence of activities that frame a rational risk analysis approach. The NIST SP 800-30 risk assessment activities are as follows:
- System characterization
- Threat identification
- Vulnerability identification
- Control analysis
- Likelihood determination
- Impact analysis
- Risk determination
- Control recommendations
- Results documentation
NIST SP 800-37
NIST SP 800-37, "Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy"
NIST SP 800-53 rev 4
NIST SP 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations (https://csrc.nist.gov/publications/detail/sp/800-53): This is a catalog of security controls for all U.S. federal information systems except those related to national security (e.g., DoD). It is used by organizations to establish the baseline security controls, tailor security controls, and supplement security controls based on worst-case scenario planning and assessment of risk for the organization.
NIST SP 800-53/53A and NIST SP 800-37
NIST SP 800-53/53A: As mentioned before and as used with NIST 800-37, these are framework documents that inform many other related control standards sources. Although adequate and reasonable for use in commercial organizations, the NIST standards recommend security controls for U.S. federal information systems and organizations. They cover security controls for areas including incident response, access control, disaster recovery, and business continuity. NIST SP 800-53A is used to document and assess security controls for effectiveness.
NIST RMF and ISO 27000 Framework
Both the NIST Risk Management Framework and the ISO 27000 framework expect the organization to perform some level of business continuity planning.
NIST SP 800-53A
NIST SP 800-53A Rev 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final): Used as a complementary guide, it provides a set of procedures for conducting assessments of security controls and privacy controls employed within U.S. federal information systems and organizations. The assessment procedures, executed at various phases of the system development lifecycle, are consistent with the security and privacy controls in NIST SP 800-53, Revision 4. It is applicable to private-sector organizations too.
NIST SP 800-53r4 and NIST SP 800-115
NIST SP 800-53r4, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations"
NIST SP 800-115, "Technical Guide to Information Security Testing and Assessment"
NIST SP 800-60
NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories (http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-60v1r1.pdf): This assists U.S. federal government agencies in categorizing information and information systems. The guide's objective is to facilitate application of appropriate levels of information security according to a range of levels of impact or consequences that might result from the unauthorized disclosure, modification, or use of the information.
NIST SP 800-61
NIST SP 800-61, "Computer Security Incident Handling Guide"
NIST SP 800-63-3
NIST SP 800-63-3, "Digital Identity Guidelines" (https://doi.org/10.6028/NIST.SP.800-63-3).
NIST SP 800-64
NIST SP 800-64 outlines the key security activities for this phase as follows:
- A transition plan for the software
- Archiving of critical information
- Sanitization of media
- Disposal of hardware and software
NIST SP 800-86
NIST SP 800-86, "Guide to Integrating Forensic Techniques into Incident Response," overlaps significantly in terms of content with the two previous sources.
NIST SP 800-92
NIST SP 800-92, "Guide to Computer Security Log Management," is a U.S. federal government standard that provides practical enterprise guidance on effective log management practices. The standard is available at
NIST SP 800-137
NIST SP800-137, "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations"
NIST SP 800-55
NIST SP800-55, "Performance Measurement Guide for Information Security"
NIST SP 800-64 rev 2
NIST SP 800-64 Revision 2
NIST Special Publication 800-64 Revision 2, "Security Considerations in the System Development Life Cycle," is a standard intended to guide the introduction of essential security services into the established system development lifecycle. Although this is a U.S. federal government standard, use of this special publication guidance has many benefits to any organization.
NIST SP 800-145
NIST Special Publication 800-145 seeks to establish NIST's vision of the traits, or "essential characteristics," of cloud computing. Essential characteristics of cloud computing, per NIST 800-145, are as follows:
NIST SP 800-34
NIST Special Publication 800-34, "Contingency Planning Guide for Federal Information Systems," provides a base of practice for the development of resilience in information systems operations. NIST, through its collaborative process of standards development, took into account a broad range of industry and nongovernmental BCM practices. As a result of this process, the framework has been widely adopted by non-U.S. government organizations.
NIST SP 800-52
NIST Special Publication 800-52, Guidelines for the Selection, Configuration and Use of Transport Layer Security (TLS) Implementations, April 2014 (https://doi.org/10.6028/NIST.SP.800-52r1)
NIST SP 800-50 and NIST SP 800-16
NIST Special Publications 800-50 and 800-16 discuss the strategic/policy implications and the tactical implementation of awareness programs, respectively.
NIST SP 800-82
NIST and the UK National Centre for the Protection of National Infrastructure (CPNI). See, for example, NIST publication SP800-82.
NIST SP 800-94
NIST produced a Special Publication, 800-94, titled "Guide to Intrusion Detection and Prevention Systems (IDPS)," which you
NIST SP 800-63B
Note that sending an SMS text message to the user's phone is no longer recommended by NIST (in their publication SP800-63B), as there have been a number of successful exploits against this approach.
NIST SP 800-30
One of the most widely used risk assessment methodologies is the process characterized in NIST 800-30, "Guide for Conducting Risk Assessments."
NERC CIP
Over the past two decades, the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) published a set of standards designed to enforce good cybersecurity practice and provide an auditable framework for compliance. This framework has been influenced by the NIST standard but is a standalone framework specific to the power industry.
Parkerian Hexad
Parkerian Hexad (see Figure 1.2). The Parkerian Hexad contains the following concepts:
- Confidentiality: The limits on who has access to information
- Integrity: Whether the information is in its intended state
- Availability: Whether the information can be accessed in a timely manner
- Authenticity: The proper attribution of the person who created the information
- Utility: The usefulness of the information
- Possession or control: The physical state where the information is maintained
COSO
The Committee of Sponsoring Organizations of the Treadway Commission (COSO): With a view on information security as part of enterprise risk management, COSO originated from the financial industry and assists with integrating strategy and performance within overall enterprise risk management. The five components (Governance and Culture, Strategy and Objective-Setting, Performance, Review and Revision, and Information, Communication, and Reporting) in the updated framework are supported by a set of principles to assess effectiveness.
ISO/NIST/ITIL
The ISO/NIST/ITIL frameworks are often leveraged as guidelines; however, they may become policies or standards if the organization has a compliance expectation. Other sources of guidelines include manufacturers' default configurations, industry-specific guidelines, or independent organizations such as the Open Web Application Security Project (OWASP), which works in software development.
NIST RMF
The activities in this step overlap processes identified in other parts of the NIST Risk Management Framework. This overlap is intended to explicitly recognize the integrated and holistic nature of the NIST 800 series processes.
NIST SP 800-40r3
The results of the scans can then be compared to the organization's definitive APL and approved pre-coded apps. A guide for implementing a software monitoring and reporting process is NIST SP 800-40r3. This guidance covers identifying which software and versions of software are installed on each host.
THREAT MODELING
There are many different threat modeling methodologies. Some of the most widely used are STRIDE, NIST 800-154, PASTA, and OCTAVE, each of which is explored next.
NIST SP 800-137
There are several steps to implementing ISCM as outlined in NIST SP 800-137:
- Define the strategy based on the organization's risk tolerance.
- Formally establish an ISCM program by selecting metrics.
- Implement the program and collect the necessary data, ideally via automation.
- Analyze and report findings, and determine the appropriate action.
- Respond to the findings based on the analysis and use standard options, such as risk mitigation, risk transference, risk avoidance, or risk acceptance.
- Plan strategy and programs as needed to continually increase insight and visibility into the organization's information systems.
NIST SP 800-63a
This document defines technical requirements for each of three identity assurance levels. This publication supersedes corresponding sections of NIST Special Publication (SP) 800-63-2. These guidelines provide technical requirements for federal agencies implementing digital identity services and are not intended to constrain the development or use of standards outside of this purpose.
NIST SP 800-88
This scenario does not preclude the organization from mandating the highest levels of sanitization if the assets are deemed critical or the data is sensitive. Some different tactics to achieve desired levels of security assurance with specific steps and instructions are available in NIST SP 800-88, "Guidelines for Media Sanitization."
NIST FIPS 199
U.S. NIST Federal Information Processing Standards: FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems (http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf): This provides a standard for categorizing U.S. federal information and information systems according to a government agency's level of concern for confidentiality, integrity, and availability and the potential impact on agency assets and operations, should their information and information systems be compromised through unauthorized access, use, disclosure, disruption, modification, or destruction. This is another directive primarily aimed at U.S. government agencies, but it can be applicable and useful for private-sector organizations.
NCP and NIST SP 800-70
U.S. National Checklist Program (https://nvd.nist.gov/ncp/repository): The NCP is a repository of publicly available security checklists (or benchmarks) that provide detailed low-level guidance on setting the security configuration of operating systems and applications. Useful for organizations using SCAP tools. SCAP enables validated security products to automatically perform configuration checking using NCP checklists. Established by NIST and defined by NIST SP 800-70, the NCP is valuable in public and private organizations.
NIST SP 800-37
U.S. National Institute of Standards and Technology Special Publications (NIST SP): (http://csrc.nist.gov/groups/SMA/fisma/framework.html) NIST develops cybersecurity standards, guidelines, tests, and metrics to protect federal information systems. NIST SP 800-37 Risk Management Framework: Similar to the DoD RMF, the special publications have broader access and applicability to both public and private-sector organizations. Federal government agencies outside of the DoD are subject to the FISMA framework, of which NIST SP 800-37 is a cornerstone directive.
NIST FIPS 199 and NIST SP 800-60
United States: NIST Federal Information Processing Standard 199, "Standards for Security Categorization of Federal Information and Information Systems"
United States: NIST Special Publication (SP) 800-60, "Guide for Mapping Types of Information and Information Systems to Security Categories" (this is considered the "how-to" manual for FIPS 199)
NIST SP 800-92
While Chapter 6 covers this topic in a good amount of detail, this section emphasizes effective software security logging management by first referencing NIST SP 800-92, the "Guide to Computer Security Log Management," as a basis for good log management practices and then by directing the security practitioner to industry best-practice guidance in the "OWASP Logging Cheat Sheet."
NIST FIPS 140-2
It provides U.S. government-grade security by implementing the National Institute of Standards and Technology (NIST) FIPS 140-2 compliant AES encryption algorithm and 802.1x-based authentications, and Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP).
CSIS
Center for Strategic and International Studies (CSIS) Critical Controls for Effective Cyber Defense: Referred to as the 20 Critical Controls, this is a document outlining 20 crucial controls that form a risk-based minimum level of information security measures for an organization to implement. The controls are technical in design and focus on high-risk cyber attacks. They are a subset of the comprehensive controls found in other frameworks, most notably NIST SP 800-53/53A.
CRL and OCSP
Certificate Revocation List (CRL) [RFC5280] or in Online Certificate Status Protocol (OCSP) [RFC6960] responses.
FISMA
FISMA: Established to produce several key security standards and guidelines required by congressional legislation. These publications include FIPS 199, FIPS 200, and NIST SPs 800-37, 800-39, 800-53, 800-53A, 800-59, 800-60, and 800-171.
NIST SP 800-175B
FROM NIST SPECIAL PUBLICATION SP800-175B, GUIDELINE FOR USING CRYPTOGRAPHIC STANDARDS IN THE FEDERAL GOVERNMENT: CRYPTOGRAPHIC MECHANISMS
NIST SP 800-90 and ISO 18031
Failing that, one must use a pseudo-random number generator designed for key generation. Guidance on appropriate algorithms may be found in the NIST SP800-90 series of publications, the ISO 18031 standard, and ANSI.
NIST SP 800-63-3
For guidance about good password policies, as well as recommendations about sound implementation of password algorithms such as salting, we recommend you study the 2017 password recommendations released by NIST. (See https://pages.nist.gov/800-63-3/sp800-63-3.html.)
NIST SP 800-124
For organizations keen on managing mobile devices in a consistent manner, centralized management of mobile devices is key. Additionally, NIST Special Publication 800-124 (currently at rev 1) covers not only management but also aspects of improving secure access and authentication of mobile devices at a higher level. For example, a mobile security professional may reconsider granting access to the internal network by mobile devices solely by credentials. After all, smartphones, particularly personally owned devices, can be jailbroken or "rooted." Therefore, an organization should consider checking the connecting device's integrity before proceeding to grant full access to the network. To that effect, NIST 800-124 goes into depth on centralized management of mobile device security. NIST SP 800-124r1 covers small form-factor mobile devices, which excludes laptops.
NIST SP 800-53 and ISO 27002
ISO 27002 and NIST SP 800-53 provide foundational control standards for the industry worldwide. An illustration of the families of controls that constitute these standards is found in Figure 2.6. This side-by-side comparison demonstrates where the security standards share commonality and differ from each other.
NIST SP 800-92 and ISO 27001/27002
Policies and procedures for log management should be documented and aligned to standards. ISO 27001 and ISO 27002 both provide basic guidance on logging, and NIST provides SP 800-92, "Guide to Computer Security Log Management." Since logging is driven by business needs, infrastructure and system design, and the organization's functional and security requirements, specific organizational practices and standards need to be created and their implementation regularly assessed.
NIST SP 800-53
SCAP is an automated vulnerability management protocol that provides a structured way to measure compliance with policy for systems. Organizations can use SCAP to automate a process to make sure systems are within configuration standards according to NIST SP 800-53. The SCAP content is informed by the National Vulnerability Database (NVD), authored by the U.S. government. SCAP is designed to perform initial measurement and continuous monitoring of security settings against the established set of security controls.
NIST SP 800-33
The National Institute of Standards and Technology (NIST) Special Publication 800-33, "Underlying Technical Models for Information Technology Security," included the CIA Triad as three of its five security objectives, but added the concepts of accountability (that actions of an entity may be traced uniquely to that entity) and assurance (the basis for confidence that the security measures, both technical and operational, work as intended to protect the system and the information it processes). The NIST work remains influential as an effort to codify best-practice approaches to systems security.
NIST SP 800-122
Using NIST SP 800-122, some common examples of PII include the following:
- Name, such as full name, maiden name, mother's maiden name, or alias
- Personal identification number, such as Social Security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, or financial account or credit card number
- Address information, such as street address or email address
- Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people
- Telephone numbers, including mobile, business, and personal numbers
- Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), X-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
- Information identifying personally owned property, such as vehicle registration number or title number and related information
- Information about an individual that is linked or linkable to one of the previous (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information)
NIST SP 800-53 rev 4
Using NIST SP 800-53 (Rev 4), security professionals should ensure that the required software and associated documentation are in accordance with contract agreements and copyright laws. The controls call for tracking software use to prevent unauthorized copying and distribution.