In 2017, RIS engaged with a contractor providing services to the federal government. The contractor's work included handling controlled unclassified information, or "CUI". The government, in turn, was tightening its requirements for the handling of CUI in non-federal systems, and to that end had promulgated NIST Special Publication 800-171. The requirements in this SP are derived from the security controls in NIST Special Publication 800-53.
RIS performed an initial assessment of the information security and privacy controls already in place. An initial request for customer-provided documentation showed that much of the existing practice was informal, and identified opportunities to formalize and mature it. One key source of information for both RIS and the customer was a set of data flow diagrams, which were built up from process discussions with the customer.
In this assessment, RIS identified several key areas where improvements were urgently needed. RIS collaborated with the customer across 17 distinct control families, targeting gaps that small organizations often overlook. One such gap is in the area of access control and authorization: small teams, especially those with low turnover, may not perceive the need for rigorous access controls because everyone knows each other. Similarly, RIS noted gaps in the customer's business continuity and disaster recovery plans; the absence of past disruptions may have led the business to underestimate these risks. RIS also introduced the concept of ongoing risk management, a new approach for the business. Given the constraints of time and resources common to all businesses, the control recommendations were tailored to be practical and actionable.
In summary, RIS brought the customer into compliance by implementing a blend of administrative controls and third-party services. This involved engaging a managed-services provider for end-user device management, conducting vulnerability scans, and activating endpoint detection and response services. Additionally, RIS updated the organization's existing policies and procedures. These guidelines draw on respected government and industry standards bodies such as NIST (including its Computer Security Resource Center, CSRC), ISACA, and (ISC)2. RIS maintains an ongoing relationship with the customer, verifying that the newly implemented processes are being followed and providing continuing security training.