The NIST Special Publications for Security Management By: Waylon Coulter.

2 The NIST Publications
- SP 800-12: An Introduction to Computer Security: The NIST Handbook
- SP 800-14: Generally Accepted Security Principles and Practices
- SP 800-18: Guide for Developing Security Plans
- SP 800-26: Security Self-Assessment Guide for IT Systems
- SP 800-30: Risk Management Guide for IT Systems

3 Reasons for Using NIST Documents
- Publicly available at no charge.
- Have been broadly reviewed by government and industry professionals.
- Help develop a security framework for the organization.

4 SP 800-12: Computer Security Handbook
- Extremely good reference for routine management.
- Little guidance supplied for designing and implementing new systems.
- Useful as a supplement for gaining a solid understanding of security terminology and background.

5 Information Found in SP 800-12
- Accountability
- Awareness
- Ethics
- Multidisciplinary
- Proportionality
- Timeliness
- Reassessment
- Democracy
- Integration
- Draws upon the OECD’s Guidelines for the Security of Information Systems.

8 Controls
- NIST SP 800-12 lays out its philosophy on security management by organizing controls into three categories:
  1. Management Controls
  2. Operational Controls
  3. Technical Controls
- There are 17 controls across these three categories; they are discussed in SP 800-26.

9 Management Controls
- Address security topics that can be categorized as managerial.
- Techniques and concerns that are addressed by management in the organization.
- Focus on management of risk and of the computer security program.

10 Technical Controls
- Focus on controls that the computer executes.
- Controls depend on the proper functioning of systems.
- Always require significant operational considerations.
- Should be consistent with the management of security in the organization.

11 SP 800-14: Generally Accepted Principles and Practices for Securing IT Systems
- Describes best practices and information on commonly accepted information security principles that can be used to develop a security blueprint.
- Describes principles that should be integrated into the information security process.

12 Significant Points Made in SP 800-14
- Security Supports the Mission of the Organization
  - The implementation of information security is not independent of the organization’s mission; it is driven by it.
  - The information security program MUST support and further the organization’s mission.
- Security Is an Integral Element of Sound Management
  - Security supports the planning function when information security policies provide input into organization initiatives, and supports the controlling function when it enforces both managerial and security policies.

13 Significant Points Continued…
- Security Should Be Cost-Effective
  - The costs of information security should be considered part of the cost of doing business.
  - Information security should justify its own costs.
  - Security measures whose costs outweigh their benefits should be rationalized.
- Systems Owners Have Security Responsibilities Outside Their Own Organizations
  - When systems use data from clients, customers, partners, and others, the security of that data is a huge security responsibility.

14 Significant Points Continued…
- Security Responsibilities and Accountability Should Be Made Explicit
  - Policy documents should clearly identify the security responsibilities of users, administrators, and managers.
- Security Requires a Comprehensive and Integrated Approach
  - Security is everyone’s responsibility.
- Security Should Be Periodically Reassessed
  - Security is an ongoing process.
  - To remain effective, the security process must be periodically repeated.
- Security Is Constrained by Societal Factors
  - Legal demands, shareholder requirements, and even business practices affect the implementation of security controls.

15 Principles for Securing IT Systems
- Establish a sound security policy as the “foundation” for the design.
- Treat security as an integral part of the overall system design.
- Clearly delineate the physical and logical security boundaries governed by associated security policies.
- Reduce risk to an acceptable level.
- Assume that external systems are insecure.
- Identify potential trade-offs between reducing risk and increased costs and decreases in other aspects of operational effectiveness.

16 More Principles…
- Implement layered security (ensure no single point of vulnerability).
- Implement tailored system security measures to meet organizational security goals.
- Strive for simplicity.
- Design and operate an IT system to limit vulnerability and to be resilient in response.
- Minimize the system elements to be trusted.
- Implement security through a combination of measures distributed physically and logically.

17 More Principles…
- Provide assurance that the system is, and continues to be, resilient in the face of expected threats.
- Limit or contain vulnerabilities.
- Formulate security measures to address multiple overlapping information domains.
- Isolate public access systems from mission-critical resources (e.g. data, processes).
- Use boundary mechanisms to separate computing systems and network infrastructures.

18 More Principles…
- Where possible, base security on open standards for portability and interoperability.
- Use a common language in developing security requirements.
- Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.
- Design security to allow for regular adoption of new technologies, including a secure and logical technology upgrade process.
- Authenticate users and processes to ensure appropriate access control decisions both within and across domains.

19 More Principles…
- Use unique identities to ensure accountability.
- Implement least privilege, which is the process of granting the lowest level of access consistent with accomplishing the assigned role.
- Do not implement unnecessary security mechanisms.
- Protect information while being processed, in transit, and in storage.
- Strive for operational ease of use.
- Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
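The three principles from slides 18 and 19 that translate most directly into code are audit mechanisms that detect unauthorized use, unique identities for accountability, and least privilege. The following Python example is an added illustration of how they fit together in a deny-by-default access check; it is not code from the presentation or from any NIST publication, and the roles, permissions, and user names in it are constructed for the example.

```python
"""Deny-by-default role-based access check with an audit trail.

Added example (not from the presentation or NIST): each principal is an
individual account (unique identity), each role grants only the operations
its duties need (least privilege), and every decision is written to an
audit log so refused actions can be detected and investigated.
The roles, permissions and user names below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Each role lists only the operations it requires. Anything not listed is
# denied; there is deliberately no "allow everything" role.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "analyst": frozenset({"reports:read"}),
    "operator": frozenset({"reports:read", "jobs:run"}),
    "admin": frozenset({"reports:read", "jobs:run", "users:manage"}),
}

# One account per person, never a shared login, so each audit record
# names exactly one accountable individual.
USER_ROLES: dict[str, str] = {
    "alice": "analyst",
    "bob": "operator",
    "carol": "admin",
}


@dataclass
class AuditEvent:
    when: str
    user: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessController:
    audit_log: list[AuditEvent] = field(default_factory=list)

    def is_allowed(self, user: str, action: str) -> bool:
        """Return True only if the user's role explicitly grants the action."""
        role = USER_ROLES.get(user)
        if role is None:
            return self._record(user, action, False, "unknown identity")
        if action in ROLE_PERMISSIONS.get(role, frozenset()):
            return self._record(user, action, True, f"granted by role {role}")
        return self._record(user, action, False, f"role {role} lacks permission")

    def _record(self, user: str, action: str, allowed: bool, reason: str) -> bool:
        # Every decision, allowed or not, becomes an audit record.
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, action=action, allowed=allowed, reason=reason))
        return allowed

    def denied_attempts(self) -> list[AuditEvent]:
        """Refused actions: the raw material for detecting unauthorized use."""
        return [e for e in self.audit_log if not e.allowed]


def demo() -> AccessController:
    """Run a few constructed requests and return the controller with its log."""
    ac = AccessController()
    ac.is_allowed("alice", "reports:read")   # analyst may read reports
    ac.is_allowed("alice", "users:manage")   # denied: not in analyst's role
    ac.is_allowed("nobody", "jobs:run")      # denied: no such identity
    ac.is_allowed("carol", "users:manage")   # admin role grants it
    return ac


if __name__ == "__main__":
    for ev in demo().audit_log:
        print(f"{ev.when} user={ev.user} action={ev.action} "
              f"allowed={ev.allowed} ({ev.reason})")
```

Because the check consults a fixed permission set and records both outcomes, a reviewer can answer the two questions the principles call for: who did what (the audit log names an individual account), and who tried something their role does not cover (`denied_attempts()`).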

20 More Principles…
- Consider custom products to achieve adequate security.
- Ensure proper security in the shutdown or disposal of a system.
- Protect against all likely classes of “attacks”.
- Identify and prevent common errors and vulnerabilities.
- Ensure that developers are trained in how to develop secure software.

21 SP 800-18: Guide for Developing Security Plans for IT Systems
- Details methods for assessing, designing, and implementing controls and plans for applications of various sizes.
- Provides templates for major application security plans.
- SP 800-18 must be customized to fit the particular needs of any organization.

22 SP 800-26: Security Self-Assessment Guide for IT Systems
- Describes 17 areas that span the three different types of controls.
- These areas form the core of the NIST security management structure.

23 Management Controls
- Risk Management
- Review of Security Controls
- Life Cycle Maintenance
- Authorization of Processing (Certification and Accreditation)
- System Security Plan

24 Operational Controls
- Personnel Security
- Physical Security
- Production, Input/Output Controls
- Contingency Planning
- Hardware and Systems Software
- Data Integrity
- Documentation
- Security Awareness, Training, and Education
- Incident Response Capacity

25 Technical Controls
- Identification and Authentication
- Logical Access Controls
- Audit Trails

26 SP 800-30: Risk Management Guide for IT Systems
- Provides the foundation for development of an effective risk management program.
- The ultimate goal is to help organizations better manage IT-related mission risk.
- The guide helps to develop and evaluate the risk management process.

27 References
- National Institute of Standards and Technology Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995.
- National Institute of Standards and Technology Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.
- National Institute of Standards and Technology Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, February 2006.
- National Institute of Standards and Technology Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001.
- National Institute of Standards and Technology Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002.
