The National Institute of Standards and Technology (NIST) is an organization within the United States Department of Commerce. One of its responsibilities is the development and publication of standards and guidelines that help government organizations implement best practices for Information Technology Security. Most NIST documents are also useful to non-government businesses and organizations. The series of NIST Special Publications numbered SP 800-53 Rev 5.1, SP 800-53A, and SP 800-53B establishes common baselines for security and privacy controls. SP 800-53A extends the primary SP 800-53 document by adding guidance on assessing the controls, and SP 800-53B supports identification of three different baselines (high, medium, or low risk) depending on the needs of the system or organization. Each baseline includes or excludes controls based on risk-based need.
Security and Privacy Controls
SP 800-53 includes controls for both security and privacy. These controls are the plans and actions taken to mitigate or counteract risks. SP 800-53 groups the controls into 20 families, as shown in table 1. Each family provides a list of the controls specific to that family.
Control Example
Typically, a control family contains a number of individual controls. SP 800-53 contains more than 1,000 individual controls. The example shown in figure 1 was selected for its brevity. Each control statement includes the following headers:
- Control - Statement of the control action. This may be lengthy with multiple statements.
- Discussion - A general discussion of the control typically providing guidance on the purpose and use.
- Related Controls - A list of related controls that may overlap with or have relevance to the current control.
- Control Enhancements - Additional beneficial improvements to enhance the control. For example, adding multi-factor authentication (MFA) to various User Identification and Authorized controls.
- References - A set of links to other documents that cover related topics. The details for these references can be found in the References section of the SP 800-53 document.
Conclusion
These documents, created by NIST, an agency of the US government, are considered by many cybersecurity experts to be valuable for security use both in the federal arena and within businesses and other organizations. They represent a small part of the security tools available to those of us in the hospitality world for protecting our guests, employees, and businesses. NIST has published a large set of other security-related works as well. These are well worth investigating and reading.