[Project Description] Data Confidentiality: Identifying and Protecting Assets and Data Against Data Breaches (Draft)

Cawthra, Jennifer; Ekstrom, Michael; Lusty, Lauren; Sexton, Julian; Sweetnam, John; Townsend, Anne

White Paper (Draft)

Obsoleted on December 05, 2019 by [Project Description] Data Confidentiality: Identifying and Protecting Assets and Data Against Data Breaches.

[Project Description] Data Confidentiality: Identifying and Protecting Assets and Data Against Data Breaches

Documentation Topics

Date Published: June 2019
Comments Due: July 29, 2019 (public comment period is CLOSED)
Email Questions to: ds-nccoe@nist.gov

Planning Note (6/24/2019): See the related Draft Project Description, Data Confidentiality: Detect, Respond to, and Recover from Data Breaches, which is also open for comment through July 29, 2019.

Author(s)

Jennifer Cawthra (NIST), Michael Ekstrom (MITRE), Lauren Lusty (MITRE), Julian Sexton (MITRE), John Sweetnam (MITRE), Anne Townsend (MITRE)

Announcement

The National Cybersecurity Center of Excellence (NCCoE) at NIST is announcing the release of the first of two new Data Confidentiality (DC) draft project descriptions.

This component of the DC suite of publications is entitled Identifying and Protecting Assets and Data Against Data Breaches. It seeks to identify what assets (devices, data, and applications) may be affected by an incident as well as the vulnerabilities they may possess that allow incidents to occur. The solution will provide measures such as data protection, access controls, network protections, and other potential defenses. The solution will use security controls that adhere to the NIST Cybersecurity Framework and industry standards and best practices.

This project will result in a freely available NIST Cybersecurity Practice Guide in the Special Publication 1800 series, and we are requesting your feedback to help refine the challenge and scope of the project.

Abstract

An organization must protect its information from unauthorized access and disclosure. Data breaches large and small can have far-reaching operational, financial, and reputational impacts. The goal of this project is to provide a practical solution to identify and protect the confidentiality of an enterprise’s data. This solution identifies what assets (devices, data, and applications) may be affected by an incident as well as the vulnerabilities they may possess that allow incidents to occur. It also explores protection measures to mitigate or remediate these vulnerabilities. The solution will provide measures such as data protection, access controls, network protections, and other potential defenses. The project team will create a reference design and a detailed description of the practical steps needed to implement a secure solution based on standards and best practices. This project will result in a freely available NIST Cybersecurity Practice Guide.

Keywords

data breach; data confidentiality; data loss; data protection; malware; ransomware; spear phishing

Control Families

None selected

Documentation

Publication:
Project Description

Supplemental Material:
Submit Comments (other)
Project homepage (other)

Related NIST Publications:
White Paper (Draft)

Document History:
06/24/19: White Paper (Draft)
12/05/19: White Paper (Final)

Topics

Security and Privacy
asset management; encryption; intrusion detection & prevention

Applications
cybersecurity framework