NIST Special Publication 800-26, "Security Self-Assessment Guide for IT Systems" and Other NIST Resources
Marianne Swanson, Computer Security Division, Information Technology Laboratory, NIST

Topics
• Self-Assessment Framework & Guidance Document
• Other NIST documents & resources

History
• CIO Council IT Security Assessment Framework
• Government Information Security Reform Act
• Federal Information Management Act

Description of Guide
• Framework – groundwork for standardizing and measuring IT security
• Five levels of effectiveness
• Criteria for implementing each level
• Assessment Guide – builds on the Framework
• Questions directed at the system

Description (continued)
• Specific control objectives and techniques that a system can be measured against
• Blending requirements and guidance from GAO's FISCAM and NIST guidance documents
NIST Guidance – IT Security Management
• Introduction to Computer Security: The NIST Handbook (NIST SP 800-12)
• Guide for Developing Security Plans for IT Systems (NIST SP 800-18)
• Risk Management Guide (NIST SP 800-30)
• Contingency Planning Guide (NIST SP 800-34)

NIST Guidance – IT Security Management (cont.)
• Certification and Accreditation Guide (coming soon)
• Minimum Security Controls (coming soon)
• Security Metrics (coming soon)
• http://csrc.nist.gov

ICAT Vulnerability Index
• Over 5000 vulnerabilities
• Fine-grained search engine
• Links to vulnerability and patch information
• http://icat.nist.gov

Federal Agency Security Practices
• Three areas on the web site: agency practices, FAQ, original BSP pilot submission
• Hosted by the Federal Computer Security Program Managers' Forum
• http://csrc.nist.gov/fasp
Agency Practices
• No special submission format is required
• Send documents as an e-mail attachment
• We require the title of the file and the name of the submitting agency
• Contact information is optional
• Files can be generic with no agency identifiers – NIST will do that for the agency if wanted
• Need agencies to send what they have – the more the better

FAQ
• Questions generated by the Forum over the past three years
• Categorized by topic area
• Questions answered primarily through the Forum e-mail and additional information provided by NIST
• FAQ will be added to as questions occur

Contact Information
Marianne Swanson
301-975-3293
marianne.swanson@nist.gov