NIST publishes new information security guidelines. NIST (National Institute of Standards and Technology) recently released five new information security guidelines as NIST special publications (SPs):

* NIST SP 800-35: Guide to Information Technology Security Services. The guide provides assistance with the selection, implementation, and management of IT security services by guiding organizations through the various phases of the IT security services life cycle. The factors to be considered when selecting, implementing, and managing IT security services include the type of service arrangement; service provider qualifications, operational requirements and capabilities, experience, and viability; trustworthiness of service provider employees; and the service provider's capability to deliver adequate protection for the organization's systems, applications, and information.

* NIST SP 800-36: Guide to Selecting Information Security Products. The selection of IT security products is an integral part of the design, development, and maintenance of an IT security infrastructure. The guide defines broad security product categories, specifies product types within those categories, and provides a list of general characteristics and questions an organization can ask when selecting a product.

* NIST SP 800-42: Guideline on Network Security Testing. The guide stresses the need for an effective security testing program within federal agencies. It identifies network testing requirements, discusses how to prioritize testing activities with limited resources, and describes several network security testing techniques and tools. Also presented is a framework for incorporating security into the information system development life cycle (SDLC) process. The guide seeks to help organizations select and acquire cost-effective security controls by explaining how to include information system security requirements in the SDLC.

* NIST SP 800-50: Building an Information Technology Security Awareness and Training Program. The publication provides detailed guidance on designing, developing, implementing, and maintaining a comprehensive awareness and training program as part of an organization's IT security program. It provides guidelines that can help federal agencies meet their security training responsibilities as contained in the Federal Information Security Management Act and Office of Management and Budget (OMB) guidelines.

* NIST SP 800-64: Security Considerations in the Information System Development Life Cycle. The guide presents a framework for incorporating security into the information system development life cycle (SDLC) process. It seeks to help organizations select and acquire cost-effective security controls by explaining how to include information system security requirements in the SDLC.

The five security guidelines are available for download at http://csrc.nist.gov/publications/nistpubs/index.html. CONTACT: Edward Roback, (301) 975-3696; edward.roback@nist.gov.