Draft NIST guide helps banks with IT audit


Large financial institutions often face IT issues similar to those of federal agencies, including keeping track of what is hosted on or connected to an organization’s network.

The National Institute of Standards and Technology is trying to give those organizations a better way to tackle that problem, releasing a draft guide Tuesday that can help financial organizations manage their IT assets.

The document, SP 1800-5, helps financial services organizations move past physical asset tracking with bar codes and databases, giving them real-world examples of commercial solutions for IT asset information, physical security, and vulnerability and compliance information for both hardware and software.

‘Following this guide will help organizations better manage their cybersecurity risk,’ said Nate Lesser, deputy director of NIST’s National Cybersecurity Center of Excellence. ‘A centralized view of asset information, including location, ownership, hardware, software and patch levels improves situational awareness and can reduce security and compliance costs.’

The example in the guide shows how modernizing asset management can be a force multiplier within organizations: It allows for faster responses to security alerts and better management of money devoted to software licensing, and it reduces the attack surface of each device by ensuring software is up to date.

The draft guide, which was produced in collaboration with 10 technology vendors, does not endorse any particular product. The agency also says the guide was written so organizations can either adopt the plan as a whole or pick a starting point and craft their own plan.

The draft guide can be viewed in full on the NCCoE’s website. Comments are open until Jan. 8, 2016.