Security Compliance: NIST 800-171 Questions

More digestible questions based on the NIST 800-171 compliance framework.

Access Control

  • Is system access limited to approved individuals and limited to only the functions those individuals require to perform their jobs?

  • Are system functions restricted to only those deemed necessary?

  • Is the use of both personal and organizational devices restricted?

Awareness and Training

  • Are all personnel trained in information security in accordance with their duties and responsibilities?

Audit and Accountability

  • Do all systems and machines generate audit logs that can be used to detect unauthorized or inappropriate system usage?

  • Are those audit records detailed enough to be useful, and are they protected from tampering?

Configuration Management

  • Is there a maintained baseline configuration for all systems?

  • Are all changes to system configurations tracked and approved before implementation?

  • Do these configurations restrict system usage to only essential functions?

Identification and Authorization

  • Are all users identified and authenticated using multi-factor processes?

  • Does the organization maintain strict password policies and protect authentication information?

Incident Response

  • Does the organization maintain a specific incident response plan?

  • Is this plan and the organization’s incident response capability tested regularly?

Maintenance

  • Does the organization perform system maintenance regularly?

  • Is this system maintenance performed with proper supervision and awareness of confidential information?

Media Protection

  • Is physical media containing confidential information properly marked, protected, and disposed of?

Personnel Security

  • Are individuals properly screened before accessing confidential information, and is confidential information protected during the termination or transfer of individuals?

Physical Protection

  • Is physical access to organizational facilities and systems limited to only authorized individuals and monitored?

Risk Assessment

  • Does the organization regularly perform an assessment determining the risk to organizational assets and remediate any found vulnerabilities in accordance with those assessments?

Security Assessment

  • Does the organization regularly perform an assessment determining the effectiveness of security controls in organizational systems, monitor said security controls for effectiveness, and correct any deficiencies found in these assessments?

System and Communications Protection

  • Does the organization have controls in place to protect information and communications, both internal and external?

System and Information Integrity

  • Does the organization respond to system updates or alerts in a timely manner and maintain malicious code protection?

  • Are systems monitored for suspicious files, indicators of attack, and unauthorized usage?
