Tech & Media Companies Benefit from New NIST Guidance

On September 23, 2020, The National Institute of Standards and Technology (NIST) published SP-800-53 rev. 5, titled Security and Privacy Controls for Information Systems and Organizations. The publication outlines and integrates the next generation of security and privacy controls that organizations should undertake to mitigate risk. The standard focuses on supply chain risk and personally identifiable information processing and transparency.

The NIST guidance is especially timely given that during the COVID-19 pandemic, many organizations have evolved their business models and contingency plans due to the impact of employees’ telecommuting and remote access, as well as the increased need to offer services to clients virtually, improve margins, and rethink supply chains.

• Tech and media companies face compounding challenges, including longstanding pre-COVID worker shortages, disruptive technologies or business models and heavy reliance on interdependent partnerships with third parties.
• Additionally, for tech and media companies which are either based in New York or subject to the New York State Department of Finance (23 NYCRR 500) also face the requirement of assessing and addressing risks to data security when working with third parties. This requirement is a significant security challenge—especially for middle-market companies with limited executive bandwidth and resources—due to limited visibility into third-party practices.

To support clear decision-making, attract top-tier suppliers and maintain employee trust, organizations need basic controls—“blocking and tackling”—to mitigate technology, cyber, privacy, regulatory or fraud risk to their enterprises.  The new NIST guidance provides a baseline for assessing and revising controls on data privacy and third-party supply chain security given the impact of increased remote access by employees and customers. These are the same prescriptive measures referenced by regulators to hold organizations accountable for their control postures.
 

Applying NIST Security and Privacy Controls for Information Systems and Organizations

The revised guidance by NIST provides pragmatic best practices for organizations to manage the services provided by third parties, such as:

• Updating risk management policies and developing and implementing a separate supply chain risk policy
• Expanding the risk management program to cover threats at each stage of development, design, delivery and integration of IT systems and operations that include third-party services or interaction
• Protecting data from unauthorized disclosure and modification by third parties

Most middle-market organizations, especially those led by entrepreneurs focused on growth, benefit from specialized assistance from data privacy professionals with experience implementing cost-effective controls at comparable companies.  BDO recommends that leaders consult with their internal IT and controls teams and/or qualified privacy advisors to determine the current state. An additional recommendation is to determine potential improvements by using a diagnostic approach, focused on questions such as:

1. Does the organization know where all Personally Identifiable Information (PII) is located?
   1. Are updated controls in place over the processing, transparency of reporting and access of PII?
   2. Does the organization have a data classification library that incorporates data privacy labelling (such as flags)?
   3. Are there alerts when sensitive data is accessed or exfiltrated from the enterprise? (It is very common for organizations to be unaware of residual access that outsiders may have.)
   4. Has the organization compared existing controls to the NIST proposed controls? (NIST 800-53 rev. 5 provides updated guidance for organizations to safeguard PII processing and transparency.)
2. Does the organization understand the status of controls to help mitigate the latest threat vectors pertaining to cyber-resiliency, secure systems design and governance?
   1. What governance controls exist over systems design given the latest approaches such as DEVOPS?
   2. Who within and outside of the organization has access to Infrastructure as-a-Service (for example)?
   3. How current are cybersecurity table-top exercise scenarios?
3. Has the organization updated its enterprise risk methodologies to cover supply chain risk management?
   1. NIST has identified the following supply chain risks:  theft, malicious systems software and systems development and manufacturing in the supply chain. Has the organization assessed risks in each of these areas?
   2. NIST provides a systematic approach of risks and controls to consider for proactive assessment of supply chain and third-party risks given current threats. Has the organization compared existing controls to the NIST proposed controls?
4. Does the organization have PII subject to the European Union General Data Protection Regulation (GDPR) covering data protection and privacy in the EU and the European Economic Area?
   1. NIST 800-53 rev. 5 provides guidance to organizations on methods to provide security and privacy safeguards. Has the organization compared existing controls to the NIST proposed controls?
   2. For the controls required with GDPR, are there opportunities to rationalize all the controls to simplify operations, streamline appropriate data transfer, and reduce costs?

BDO can help the organization evaluate the applicability of NIST suggested controls, as well as provide feedback on potential impact of changes in regulatory scrutiny on an organization’s governance, privacy and security processes.