
IT Security Self-Assessment Guide: Framework & Criteria

Learn how to standardize and measure IT security with this NIST guide. Assess systems effectively using five levels of criteria and control objectives. Find guidance on blending FISCAM and NIST requirements.



Presentation Transcript


  1. NIST Special Publication 800-26, “Security Self-Assessment Guide for IT Systems” and Other NIST Resources
  Marianne Swanson
  Computer Security Division, Information Technology Laboratory, NIST

  2. Topics
  • Self-Assessment Framework & Guidance Document
  • Other NIST documents & resources

  3. History
  • CIO Council IT Security Assessment Framework
  • Government Information Security Reform Act (GISRA)
  • Federal Information Security Management Act (FISMA)

  4. Description of Guide
  • Framework – groundwork for standardizing and measuring IT security
  • Five levels of effectiveness
  • Criteria for implementing each level
  • Assessment Guide – builds on the Framework
  • Questions directed at the system

  5. Description – continued
  • Specific control objectives and techniques that a system can be measured against
  • Blends requirements and guidance from GAO’s FISCAM and NIST guidance documents
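The framework on slides 4 and 5 measures a system by answering questions for each control objective at five increasing levels of effectiveness. The script below is an added example, not part of the presentation or of NIST's own questionnaire, showing how such answers roll up into a level. Its rule that a level only counts when every level beneath it is also met, and that an objective (and the system) sits at the lowest level reached by its parts, is an assumption of this example; the question numbers and answers are constructed.

```python
"""Added example: rolling self-assessment answers up into an effectiveness level.

Constructed for illustration; not the NIST SP 800-26 questionnaire itself.
Assumed rule: the five levels build on each other, so a question only counts
as reaching level N when every level below N is also answered "yes"; a
control objective sits at the lowest level of its questions, and the system
at the lowest level of its control objectives.
"""
from dataclasses import dataclass, field

LEVELS = {  # level names as used in the framework
    1: "Documented policy",
    2: "Documented procedures",
    3: "Implemented procedures and controls",
    4: "Tested and reviewed procedures and controls",
    5: "Fully integrated procedures and controls",
}


@dataclass
class Question:
    ident: str                 # question number (constructed, e.g. "5.1.1")
    objective: str             # control objective the question measures
    achieved: set = field(default_factory=set)  # levels answered "yes"


def question_level(q: Question) -> int:
    """Highest level reached with no gap beneath it (assumed sequential rule)."""
    level = 0
    for lvl in range(1, 6):
        if lvl not in q.achieved:
            break
        level = lvl
    return level


def objective_levels(questions: list) -> dict:
    """Control objective level = minimum level over its questions."""
    levels = {}
    for q in questions:
        current = levels.get(q.objective, 5)
        levels[q.objective] = min(current, question_level(q))
    return levels


def system_level(questions: list) -> int:
    """System level = minimum over control objectives (0 if nothing answered)."""
    per_objective = objective_levels(questions)
    return min(per_objective.values()) if per_objective else 0


def gaps(questions: list, target: int) -> list:
    """Questions short of `target`, with the first level still missing.

    A question with levels 1, 3 and 4 ticked but not 2 is reported at level 1
    with level 2 missing: ticking a higher box does not advance it.
    """
    out = []
    for q in questions:
        lvl = question_level(q)
        if lvl < target:
            out.append((q.ident, q.objective, lvl, lvl + 1))
    return out


# Constructed sample answers for two control objectives.
SAMPLE = [
    Question("5.1.1", "Risk Management", {1, 2, 3}),
    Question("5.1.2", "Risk Management", {1, 3, 4}),   # level 2 missing
    Question("16.1.1", "Incident Response", {1, 2, 3, 4, 5}),
]

if __name__ == "__main__":
    for obj, lvl in objective_levels(SAMPLE).items():
        print(f"{obj}: level {lvl} ({LEVELS.get(lvl, 'no documented policy')})")
    print("System level:", system_level(SAMPLE))
    for ident, obj, lvl, missing in gaps(SAMPLE, target=3):
        print(f"  gap: {ident} [{obj}] at level {lvl}, next missing level {missing}")
```

Running it reports Risk Management at level 1 because question 5.1.2 skipped level 2, even though later levels were ticked, which is the kind of inconsistency an assessor should chase before accepting a questionnaire; the system level follows the weakest objective.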

  6. NIST Guidance – IT Security Management
  • Introduction to Computer Security: The NIST Handbook (NIST SP 800-12)
  • Guide for Developing Security Plans for IT Systems (NIST SP 800-18)
  • Risk Management Guide (NIST SP 800-30)
  • Contingency Planning Guide (NIST SP 800-34)

  7. NIST Guidance – IT Security Management (cont.)
  • Certification and Accreditation Guide (coming soon)
  • Minimum Security Controls (coming soon)
  • Security Metrics (coming soon)
  • http://csrc.nist.gov

  8. ICAT Vulnerability Index
  • Over 5000 vulnerabilities
  • Fine-grained search engine
  • Links to vulnerability and patch information
  • http://icat.nist.gov

  9. Federal Agency Security Practices (FASP)
  • Three areas on the web site
  • Agency practices
  • FAQ
  • Original BSP (Best Security Practices) pilot submissions
  • Hosted by the Federal Computer Security Program Managers’ Forum
  • http://csrc.nist.gov/fasp

  10. Agency Practices
  • No special submission format is required
  • Send documents as an e-mail attachment
  • Required: title of the file and name of the submitting agency
  • Contact information is optional
  • Files can be generic with no agency identifiers; NIST will remove identifiers for the agency on request
  • Agencies should send what they have – the more the better

  11. FAQ
  • Questions generated by the Forum over the past three years
  • Categorized by topic area
  • Questions answered primarily through the Forum e-mail list, with additional information provided by NIST
  • FAQ will be added to as questions occur

  12. Contact Information
  Marianne Swanson
  301-975-3293
  marianne.swanson@nist.gov
