
NIST SP 800-171

GuardWare INSIGHT helps organisations conform to NIST 800-171, Revision 2

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination
controls pursuant to and consistent with applicable law, regulations, and government-wide policies.

What is NIST 800-171, Revision 2?

As computing platforms and technologies are ubiquitously deployed worldwide and systems and
components are increasingly interconnected through wired and wireless networks, the susceptibility of
Controlled Unclassified Information (CUI) to loss or compromise grows.
The purpose of NIST SP 800-171 is to provide federal agencies with recommended security requirements
for protecting the confidentiality of CUI when the CUI is resident in non-federal information systems and
organizations, such as contractors.

What is GuardWare INSIGHT?

GuardWare INSIGHT is an information security solution that helps companies monitor and secure sensitive
information such as CUI. The following are some of the key capabilities of this solution:
1. Discovers and classifies sensitive information from various sources including ERPs, databases and
file-stores.
2. Provides data breach monitoring and alerting. Monitors the access, deletion, modification and
movement of sensitive data (files and text) on all corporate and non-corporate channels and alerts
if data breach occurs.
3. Pre-empts issues by monitoring for possible malicious changes in user behaviour using advanced
behaviour analytics and machine learning.
4. Automates risk and security assessment processes.
5. Monitors the organisational environment using configuration management features such as
software auditing and highlights issues such as the use of malicious programs or out-of-date PC
configurations.

How can GuardWare INSIGHT help companies comply with NIST SP 800-171, Revision 2?

Below is a summary table showing INSIGHT applicability. The summary table is followed by a detailed breakdown and mapping of GuardWare INSIGHT to the NIST SP 800-171 Rev 2 security requirements.
• Green colour depicts that most major technical controls are addressed.
• Orange colour depicts that technical controls are partially addressed.

NIST SP 800-171 Security Family | GuardWare INSIGHT Applicability
Access Control | Partial Coverage
Awareness and Training | Most Technical Requirements Covered
Audit and Accountability | Most Technical Requirements Covered
Configuration Management | Most Technical Requirements Covered
Identification and Authentication | Partial Coverage
Incident Response | Most Technical Requirements Covered
Maintenance | Partial Coverage
Media Protection | Most Technical Requirements Covered
Personnel Security | Most Technical Requirements Covered
Physical Protection | Not Covered
Risk Assessment | Most Technical Requirements Covered
Security Assessment | Most Technical Requirements Covered
System and Communications Protection | Partial Coverage
System and Information Integrity | Partial Coverage

Detailed Mapping of NIST SP 800-171 Revision 2 to GuardWare INSIGHT

• Yellow colour depicts the basic security requirements of the security family.
• Green colour depicts that most major technical controls are addressed.
• Orange colour depicts that technical controls are partially addressed.

Each entry below lists Family | Basic/Derived | Identifier, followed by the Security Requirement and the GuardWare INSIGHT Applicability.

Access Control | Basic | 3.1.1
Requirement: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
INSIGHT applicability:
• Facilitates the application of access control policies on sensitive information.
• Provides a complete and non-repudiable audit trail. Information owners and IT security receive alerts and can review actions in the case of unauthorised access.

Access Control | Basic | 3.1.2
Requirement: Limit system access to the types of transactions and functions that authorized users are permitted to execute.
INSIGHT applicability: -

Access Control | Derived | 3.1.3
Requirement: Control the flow of CUI in accordance with approved authorizations.
INSIGHT applicability: Allows for specific monitoring and control of CUI data. Movement and usage of CUI data can be blocked or alerted upon when emailed, copied to USB, printed or uploaded to the Web.

Access Control | Derived | 3.1.4
Requirement: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
INSIGHT applicability: INSIGHT helps to decentralise information monitoring and control. The system offers several roles with the goal of separating duties among IT, IT Security, Information Owners and Top Management.

Access Control | Derived | 3.1.6
Requirement: Use non-privileged accounts or roles when accessing nonsecurity functions.
INSIGHT applicability: Monitors all actions of users and alerts if privileged functions are performed by non-privileged accounts.

Access Control | Derived | 3.1.7
Requirement: Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
INSIGHT applicability: Monitors the execution of privileged functions by users and reports on the event.

Access Control | Derived | 3.1.8
Requirement: Limit unsuccessful logon attempts.
INSIGHT applicability: -

Access Control | Derived | 3.1.9
Requirement: Provide privacy and security notices consistent with applicable CUI rules.
INSIGHT applicability: Alerts on the access and usage of CUI. Alerts can be customised to specific CUI information.

Access Control | Derived | 3.1.10
Requirement: Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
INSIGHT applicability: -

Access Control | Derived | 3.1.11
Requirement: Terminate (automatically) a user session after a defined condition.
INSIGHT applicability: Supports logging off and hibernating devices that are not in use.

Access Control | Derived | 3.1.12
Requirement: Monitor and control remote access sessions.
INSIGHT applicability: Monitors and controls the use of remote sessions established via VPN applications or the Web.

Access Control | Derived | 3.1.13
Requirement: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
INSIGHT applicability: -

Access Control | Derived | 3.1.14
Requirement: Route remote access via managed access control points.
INSIGHT applicability: -

Access Control | Derived | 3.1.15
Requirement: Authorize remote execution of privileged commands and remote access to security-relevant information.
INSIGHT applicability: -

Access Control | Derived | 3.1.16
Requirement: Authorize wireless access prior to allowing such connections.
INSIGHT applicability: Reports on the usage of wireless connections. Alerts on the use of unsanctioned wireless connections.

Access Control | Derived | 3.1.17
Requirement: Protect wireless access using authentication and encryption.
INSIGHT applicability: Reports on the usage of wireless connections. Alerts on the use of unsanctioned wireless connections.

Access Control | Derived | 3.1.18
Requirement: Control connection of mobile devices.
INSIGHT applicability: Reports on connections used by mobile devices. Ability to whitelist the connections that may be used.

Access Control | Derived | 3.1.19
Requirement: Encrypt CUI on mobile devices and mobile computing platforms.
INSIGHT applicability: -

Access Control | Derived | 3.1.20
Requirement: Verify and control/limit connections to and use of external systems.
INSIGHT applicability: Monitors access to external online systems. Allows for granular control over who can and cannot access external systems. Access to remote external systems can be blocked, alerted on, or silently monitored and reported.

Access Control | Derived | 3.1.21
Requirement: Limit use of portable storage devices on external systems.
INSIGHT applicability: Monitors and controls the use of external storage devices. The control can be specific to a particular user, device and type of information such as CUI. The system also alerts on the usage of non-corporate, unencrypted external storage devices.

Access Control | Derived | 3.1.22
Requirement: Control CUI posted or processed on publicly accessible systems.
INSIGHT applicability: GuardWare INSIGHT monitors and controls all forms of offline and online communication channels. Monitoring and control can be focused on specific CUI information. These channels include:
• Any corporate sources such as email, Teams, data sharing apps and SharePoint.
• Offline sources such as USB, Bluetooth, print and phone sync.
• Any non-corporate encrypted channels such as free email, cloud, websites and chat, including WhatsApp, WeChat and Telegram.

Awareness and Training | Basic | 3.2.1
Requirement: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
INSIGHT applicability: INSIGHT helps to facilitate the requirement of security risk awareness among company staff.
• GuardWare INSIGHT assists in the implementation of the Trusted Insider Programme as required under DISP. It implements the Trusted Insider controls as per the ACSC ISM.
• GuardWare INSIGHT's user behaviour analytics capabilities help to raise awareness among staff about the importance of securing sensitive information. This is done by monitoring their behaviour and producing alerts when they perform risky actions such as syncing CUI to a personal mobile phone or sending it to the wrong person. The reports are sent not only to IT but also to the department heads, who can assist in raising awareness about the risky actions performed by their staff.
• The detected incidents are used by the company's IT security teams to educate users about where they have gone wrong, raise their awareness of cyber security, and in the case of malicious activity take disciplinary action.

Awareness and Training | Basic | 3.2.2
Requirement: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
INSIGHT applicability: -

Awareness and Training | Derived | 3.2.3
Requirement: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
INSIGHT applicability: -

Audit and Accountability | Basic | 3.3.1
Requirement: Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
INSIGHT applicability: Maintains a complete audit log of all user and admin actions, including system access and changes made. Logs cannot be deleted. The system also alerts if it is tampered with. Further, the system has built-in anti-tampering features which prevent privileged users from deleting, modifying or changing any of the system services and logs.

Audit and Accountability | Basic | 3.3.2
Requirement: Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
INSIGHT applicability: Provides a complete and non-repudiable audit trail. Information owners and IT security receive alerts and can review actions in the case of risky and unauthorised activities. All monitoring is done from a user's point of view, which facilitates investigation. The following information is available regarding each transgression:
• User involved.
• Information involved, down to content level.
• Device involved.
• Date and time.
• Exfiltration method used, such as copying to USB, printing, etc.
• Visual evidence in the form of screenshots.
• Network or communication channel used.
• User's actions before and after the transgression.
• Behaviour trends of the user.

Audit and Accountability | Derived | 3.3.3
Requirement: Review and update logged events.
INSIGHT applicability: Provides several means of reviewing and analysing logs, including a dashboard, email and Excel-based analysis tools.

Audit and Accountability | Derived | 3.3.4
Requirement: Alert in the event of an audit logging process failure.
INSIGHT applicability: Alerts if logging fails.

Audit and Accountability | Derived | 3.3.5
Requirement: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
INSIGHT applicability: Provides several means of reviewing and analysing logs, including a dashboard, email-based alerting, risk-based reporting, artificial-intelligence-based reports and Excel-based analysis tools. Reports can be generated on demand based on the specific conditions and scenarios required for an investigation.

Audit and Accountability | Derived | 3.3.6
Requirement: Provide audit record reduction and report generation to support on-demand analysis and reporting.
INSIGHT applicability: -

Audit and Accountability | Derived | 3.3.7
Requirement: Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
INSIGHT applicability: -

Audit and Accountability | Derived | 3.3.8
Requirement: Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
INSIGHT applicability: Logs cannot be deleted. The system also alerts if it is tampered with. Further, the system has built-in anti-tampering features which prevent privileged users from deleting, modifying or changing any of the system services and logs.

Audit and Accountability | Derived | 3.3.9
Requirement: Limit management of audit logging functionality to a subset of privileged users.
INSIGHT applicability: The system supports multiple roles. Users can be given access to specific logs based on their roles. Logs can be divided based on user groups and type of log data.

Configuration Management | Basic | 3.4.1
Requirement: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
INSIGHT applicability:
• GuardWare INSIGHT offers hardware, software and network audit modules as part of the one-stop solution. These modules help to baseline the hardware and software configurations of a company's network and to report any unauthorised changes. For example, the software audit module highlights any unauthorised software installed on devices or any non-standard configuration of installed software.
• INSIGHT blocks (blacklists) the use of unauthorised applications, whether desktop or online variants.
• INSIGHT blocks (blacklists) the use of unauthorised network connections, including wired and wireless connections.
• The requirement also relates to data. In that aspect GuardWare INSIGHT maintains a real-time, full inventory of the location and usage of marked CUI documents within any given period. This includes documents held in network stores, on PCs and on mobile devices.
• Helps in taking an inventory of digital assets by performing data discovery scans to locate where sensitive data is stored.
• Automatically classifies sensitive data, including the handling requirements for Defence information.
• Ensures proper use of sensitive assets by monitoring their access, usage, transfer and storage.

Configuration Management | Basic | 3.4.2
Requirement: Establish and enforce security configuration settings for information technology products employed in organizational systems.
INSIGHT applicability: -

Configuration Management | Derived | 3.4.3
Requirement: Track, review, approve or disapprove, and log changes to organizational systems.
INSIGHT applicability: -

Configuration Management | Derived | 3.4.4
Requirement: Analyze the security impact of changes prior to implementation.
INSIGHT applicability: -

Configuration Management | Derived | 3.4.5
Requirement: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
INSIGHT applicability: -

Configuration Management | Derived | 3.4.6
Requirement: Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
INSIGHT applicability: -

Configuration Management | Derived | 3.4.7
Requirement: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
INSIGHT applicability:
• INSIGHT blocks (blacklists) the use of unauthorised applications, whether desktop or online variants.
• INSIGHT blocks (blacklists) the use of unauthorised network connections, including wired and wireless connections.
• Monitors usage of all online and desktop-based installed software.

Configuration Management | Derived | 3.4.8
Requirement: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
INSIGHT applicability: -

Configuration Management | Derived | 3.4.9
Requirement: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
INSIGHT applicability: -

Identification and Authentication | Basic | 3.5.1
Requirement: Identify system users, processes acting on behalf of users, and devices.
INSIGHT applicability: GuardWare INSIGHT partially fulfils this requirement, as it is largely to do with having an appropriate identity and access management system and password management system in place. INSIGHT assists as follows:
• Facilitates the application of access control policies on sensitive information.
• Provides a complete and non-repudiable audit trail. Information owners and IT security receive alerts and can review actions in the case of unauthorised access.
• Helps to ensure Defence classified data and ITAR-related information is accessed only by authorised users.

Identification and Authentication | Basic | 3.5.2
Requirement: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

Identification and Authentication | Derived | 3.5.3
Requirement: Use multifactor authentication for local and network access to privileged accounts and for network access to nonprivileged accounts.

Identification and Authentication | Derived | 3.5.4
Requirement: Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.

Identification and Authentication | Derived | 3.5.5
Requirement: Prevent reuse of identifiers for a defined period.

Identification and Authentication | Derived | 3.5.6
Requirement: Disable identifiers after a defined period of inactivity.

Identification and Authentication | Derived | 3.5.7
Requirement: Enforce a minimum password complexity and change of characters when new passwords are created.

Identification and Authentication | Derived | 3.5.8
Requirement: Prohibit password reuse for a specified number of generations.

Identification and Authentication | Derived | 3.5.9
Requirement: Allow temporary password use for system logons with an immediate change to a permanent password.
INSIGHT applicability: -

Identification and Authentication | Derived | 3.5.10
Requirement: Store and transmit only cryptographically-protected passwords.
INSIGHT applicability: -

Identification and Authentication | Derived | 3.5.11
Requirement: Obscure feedback of authentication information.
INSIGHT applicability: -