NISTがSP 800-46 企業向けテレワークセキュリティのガイドの改訂に向けたアイデア募集していますね。。。

こんにちは、丸山満彦です。

COVID-19で在宅勤務デフォルトとなった企業も少なからずあると思います。それは日本だけでなく、海外でも同じですね。今まで例外的に認めていた事務所外からのインターネット越しのアクセスが、主流のアクセス方法になるわけですからセキュリティ的には色々と検討すべきこと、対策の強化、変更等が必要となってきますよね。。。

ということで、BYODブームの時（2016年）に改訂されたNIST SP 800-46 Revision 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Securityの改訂が考えられているようで、NISTのウェブページにコメント募集が行われています。

● NIST

・2020.09.10 (Publications) SP 800-46 Rev. 3 (Draft) PRE-DRAFT Call for Comments: Guide to Enterprise Telework Security

ちなみに現在は

・2016.07.29 (Publications) SP 800-46 Rev. 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security

・[PDF] NIST Special Publication 800-46 Revision 2 Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security

で、ここで皆さんに注目していただきたい点は、コンテンツだけでなく、こういう規定文書の変更の仕方についてのフレームワークです。社内の規程の変更等の時にも参考になると思います。ある意味、規程変更プロセスの標準化的なことに繋がると思います。

例えば、変更の目的を、

Objective 1: Reflect changes in how telework is performed.　
Objective 2: Reflect changes in the role of remote access technologies.
Objective 3: Update all references and mappings to references.
Objective 4: Shorten SP 800-46 to improve its readability.

としていますが、

1. 運用状況（利用環境）の変化を反映する
2. 技術の進歩による変化を反映する
3. リファレンスを更新する
4. 文章を読みやすく（短く）する

という構造をとって、それぞれのポイントを整理すると抜け漏れなく、整合性の取れた形で、効率よく改訂作業ができるように思います。

 

 

 

---

More people are teleworking, many of whom haven’t teleworked before.

Objective	High-Level Changes to Address
Objective 1: Reflect changes in how telework is performed.	Many people are teleworking for extended periods of time, with neither the people nor their devices necessarily visiting the organization’s facilities during that time. Mobile device usage has increased, and mobile devices can do much more than they used to. Teleworkers frequently use services not controlled by the organization, such as ad hoc file sharing, instant messaging/chat, and teleconferencing and videoconferencing services. Organization-controlled and personally-owned technologies are increasingly intermingled. Telework is more often occurring from networks shared with potentially compromised Internet of Things (IoT) devices. By default, the networks that the devices are connected to are untrusted and exposed to malicious attacks.
Objective 2: Reflect changes in the role of remote access technologies.	The migration to cloud-based applications and services has degraded traditional perimeter-based security models. A smaller percentage of telework traffic is passing over an organization’s networks unless that traffic is specifically tunneled through those networks, so organizations are losing visibility and control. Device and access provisioning occur away from the organization’s facilities. Many organizations are adopting zero-trust principles.
Objective 3: Update all references and mappings to references.	The NIST Cybersecurity Framework and SP 800-53 publications have been updated since the last SP 800-46 revision, so their mappings are out of date. The NIST Privacy Framework has been released since the last SP 800-46 revision, so mappings to it could be added to SP 800-46. Several other NIST publications with related material have been created or updated since the last SP 800-46 revision (e.g., SP 800-124 for mobile device security, SP 800-207 for zero-trust architecture, SP 800-77 for IPsec, SP 800-52 for TLS).
Objective 4: Shorten SP 800-46 to improve its readability.	Some of the existing material is already widely known by today’s readers or is no longer relevant to most readers, so it could be condensed, deleted, or moved to auxiliary publications. There may be content in SP 800-46 that is also covered in other NIST publications, so removing such material and pointing readers to the other NIST publications would shorten SP 800-46 and ensure readers are seeing the latest content on the topics. There are additional telework topics to address, like teleconferencing / videoconferencing security practices or secure file transfer technologies, but they are discrete and evolving. It is unclear how much of this new content should be added to SP 800-46 versus producing separate documents on individual topics.