Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Checklists for IT Products

Published byPrimrose Terry Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Checklists for IT Products"— Presentation transcript:

1 Security Checklists for IT Products

2 Agenda Overview of Checklist Program
Discussion of Operational Procedures Current Status Next Steps

3 Cyber Security Research and Development Act of 2002
Directs NIST to: Develop, and revise as necessary, a checklist setting forth settings and option selections that minimize the security risks associated with each computer hardware or software system that is, or is likely to become widely used within the Federal Government.

4 In Response… NIST is developing a method for IT vendors, consortia, industry, government organizations, and others in the public and private sectors to voluntarily submit checklists in a standardized format to be placed in a public web accessible database maintained by NIST NIST is Creating a checklist development and description framework Hosting a checklist web site for checklist users Facilitating user demand for checklists Becoming an ambassador to vendors for checklists

5 What is a Checklist? Often called lockdown guides, benchmark configurations, hardening guides, other terms In simple terms, a document or list of procedures to secure a system or application Checklists are implementation guides used to provide security controls to the information system Could include scripts, add-on templates, or executables

6 Why Checklists Most products are insecure out of the box
Most users need assistance in configuring security controls due to complexity of the technology Demand for easy-to-understand checklists for improving security Demand for checklists tailored to different environments, such as home, small office, enterprise, or higher security Checklists can have a large impact on security with relatively small upfront investment

7 Goals of the Checklist Program
To significantly improve out of the box security To be a portal for checklists in general To encourage primarily vendors to submit and support their checklists To encourage vendors to develop checklists as part of their products To leverage existing checklist development work

8 NIST Checklist Process
Producer NIST Consumer Producer NIST Submit the Checklist Review and Post as a Candidate Provide Feedback and comments Respond to Comments and Maintain Review and Post the Checklist Timeframe Goal = 2 Weeks

9 NIST Checklist Template
An XML template used to describe a checklist Fields include: IT product name Environment (high security, enterprise, SOHO) How the checklist was tested Revision dates Cataloged in the web-searchable database A user searches the fields of the templates to locate appropriate checklists

10 Security Checklists for Commercial IT Products
About Checklists Search the Security Checklist Database Under the Cyber Security Research and Development Act, NIST is charged with developing security checklists. These checklists describe security settings for commercial IT products. Security Environment Security environments are SOHO, Enterprise, High Security, or Custom. Checklists can also be associated with the security as contained in FIPS 199. Partners The checklists provided on this website are provided by a wide variety of vendors, government agencies, consortia, non-profit organizations, and user organizations. For a complete list, click here. NIST gratefully acknowledges their contributions and assistance in providing this security service. Disclaimer The contents of each checklist is the responsibility of the submitting organization. We encourage users to send comments on specific checklists to the appropriate author. Search By specific product name Microsoft Windows 2000 By security environment High Security By product type Operating System Results (list of checklists) NIST Windows 2000 Special Publication NSA Windows 2000 Security Guide DISA Windows 2000 Security Configuration Guide CIS Windows 2000 Guide – Level 2

11 Checklist Categories Under review - out for public review
Final – completed review, issues addressed Supported – support for the checklist available, e.g., from the submitter Non-supported – no support available General – non-product specific, applies to a technology or a class of products

12 Participation Requirements
Create a checklist and submit the XML template Agree to respond checklist-related to questions/comments – must provide a POC For certain checklists, agree to update the checklist on timely basis or else withdraw the checklist Agree to test the checklist and describe how the checklist was tested

13 Reviewing Checklists For all checklists, NIST will review for format, readability, general quality, requirements NIST will perform a limited technical review in cases where it has expertise in the technology NIST will post candidate checklists for public review Comments will be provided to the submitter Issues will be addressed by the submitter before final posting of the checklist

14 Current Status Workshop completed 9/03, enthusiastic response from attendees Workshop final report 2nd Qtr, FY04 Drafting internal procedures, 2nd Qtr, FY04 Checklist Special Pub 1st draft ready for public review 2nd Qtr, FY04 Comments accepted for 30 days

15 Status Continued Workshop for common checklist formats with configuration vendors 3rd Qtr, FY04 Final release of Checklist Special Pub, 3rd Qtr, FY04 DISA STIG checklists mapped to checklist framework, 3rd, 4th Qtr, FY04 Windows XP checklists 4th Qtr, FY04 Commitment for some vendors to participate

16 Next Steps for FY05, FY06 Continue working on common checklist formats
Encourage vendors to support checklists on products as released Encourage other agencies, consortia, and forums to submit checklists Continue posting checklists and operating checklist web site

17 Contact Information Tim Grance Murugiah Souppaya John Wack NIST

18 Acknowledgements NIST gratefully acknowledges support for the checklist program from the Department of Homeland Security NIST also recognizes important contributions from civilian and DoD agencies, vendors, and organizations

Download ppt "Security Checklists for IT Products"

Similar presentations

How Will it Help Me Do My Job?

How Will it Help Me Do My Job?
National Database Templates for the Biosafety Clearing-House Application (NDT-nBCH) Overview of the US nBCH Applications.

National Database Templates for the Biosafety Clearing-House Application (NDT-nBCH) Overview of the US nBCH Applications.
State of Indiana Business One Stop (BOS) Program Roadmap Updated June 6, 2013 RFI ATTACHMENT D.

State of Indiana Business One Stop (BOS) Program Roadmap Updated June 6, 2013 RFI ATTACHMENT D.
Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.

Federal Desktop Core Configuration and the Security Content Automation Protocol Peter Mell, National Vulnerability Database National Institute of Standards.
EuroCRIS Best Practices & Solutions Members Helping Members Move Forward.

EuroCRIS Best Practices & Solutions Members Helping Members Move Forward.
October 3, 20031 Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.

October 3, Partnerships for VoIP Security VoIP Protection Profiles David Smith Co-Chair, DoD VoIP Information Assurance Working Group NSA Information.
Summer 200811 IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.

Summer IAVA1 NATIONAL INFORMATION ASSURANCE TRAINING STANDARD FOR SYSTEM ADMINISTRATORS (SA) Minimum.
Tom Sheridan IT Director Gas Technology Institute (GTI)

Tom Sheridan IT Director Gas Technology Institute (GTI)
NSA/DISA/NIST Security Content Automation Program Vulnerability Compliance & Measurement Stephen Quinn & Peter Mell Computer Security Division NIST.

NSA/DISA/NIST Security Content Automation Program Vulnerability Compliance & Measurement Stephen Quinn & Peter Mell Computer Security Division NIST.
Cloud Computing Guide & Handbook SAI USA Madhav Panwar.

Cloud Computing Guide & Handbook SAI USA Madhav Panwar.
Government of Canada Enterprise Licensing Agreement Framework Public Sector Chief Information Officer Council September 18, 2014 Benoît Long Senior Assistant.

Government of Canada Enterprise Licensing Agreement Framework Public Sector Chief Information Officer Council September 18, 2014 Benoît Long Senior Assistant.
Tutorial Introduction Fidelity NTSConnect is an innovative Web-based software solution designed for use by customers of Fidelity National Title Insurance.

Tutorial Introduction Fidelity NTSConnect is an innovative Web-based software solution designed for use by customers of Fidelity National Title Insurance.
NetHope Confidential. Unauthorized reproduction or use prohibited. NetHope CLOUD SERVICES PORTAL OVERVIEW TECHNOLOGY PROVIDER LAUNCH January 15, 2013.

NetHope Confidential. Unauthorized reproduction or use prohibited. NetHope CLOUD SERVICES PORTAL OVERVIEW TECHNOLOGY PROVIDER LAUNCH January 15, 2013.
Advance and the Electronic Packet Advance and the Electronic Packet April 5, 2011 1.

Advance and the Electronic Packet Advance and the Electronic Packet April 5,
SWIS Digital Inspections Project (SWIS DIP) Chris Allen, Information Management Branch California Integrated Waste Management Board November 5, 2008 The.

SWIS Digital Inspections Project (SWIS DIP) Chris Allen, Information Management Branch California Integrated Waste Management Board November 5, 2008 The.
9/11/2015 1 SUPPORT THE WARFIGHTER DoD CIO 1 Sample Template Community of Interest (COI) Steering Committee Kick-off Date: POC: V1.0.

9/11/ SUPPORT THE WARFIGHTER DoD CIO 1 Sample Template Community of Interest (COI) Steering Committee Kick-off Date: POC: V1.0.
ADC Meeting 2007-09-12 ICEO Standards Working Group Steven F. Browdy, Co-Chair ADC Workshop Washington, D.C. September, 2007.

ADC Meeting ICEO Standards Working Group Steven F. Browdy, Co-Chair ADC Workshop Washington, D.C. September, 2007.
What is SMEcollaborate Primarily developed for Small and Medium Companies who wish to collaborate together. It is a:- A resource center for collaborating.

What is SMEcollaborate Primarily developed for Small and Medium Companies who wish to collaborate together. It is a:- A resource center for collaborating.
TECHNICAL DOCUMENTATIONPARTNERS DOWNLOAD DATA Download water quality data in MS Excel, CSV, TSV, and KML formats. Learn how to use the portal and data.

TECHNICAL DOCUMENTATIONPARTNERS DOWNLOAD DATA Download water quality data in MS Excel, CSV, TSV, and KML formats. Learn how to use the portal and data.
TECHNOLOGY SOLUTIONS FOR GOVERNMENT AND EDUCATION 1 Senate Bill 20: DIR Implementation VENDOR WEBINAR| AUGUST 25, 2015 Texas Department of Information.

TECHNOLOGY SOLUTIONS FOR GOVERNMENT AND EDUCATION 1 Senate Bill 20: DIR Implementation VENDOR WEBINAR| AUGUST 25, 2015 Texas Department of Information.

Similar presentations

Ads by Google