
NIST Guidance and Standards on System Level Information Security Management

NIST Guidance and Standards on System Level Information Security Management. Relationship to Current and Potential ISO/IEC Standards. Dr. Alicia Clay, Deputy Chief, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology





Presentation Transcript


  1. NIST Guidance and Standards on System Level Information Security Management. Relationship to Current and Potential ISO/IEC Standards. Dr. Alicia Clay, Deputy Chief, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, United States Department of Commerce

  2. ISMS Standard?
  NIST Mandates
  • Develop standards to be used by Federal agencies to categorize information and information systems based on the objectives of providing appropriate levels of information security according to impact of loss
  • Develop minimum information security requirements (management, operational, and technical security controls) for information and information systems in each such category
  • Develop and periodically revise performance indicators and measures for agency information security policies and practices
  Related ISO/IEC standard: ISO/IEC 17799

  3. NIST Information Security Management: System vs. Organizational Level
  Diagram of the NIST publications that apply to US Federal Government information systems at the system level, with the ISO/IEC 13335 part placed beside each box on the slide. At the organizational level, the Information Security Program is placed beside ISO/IEC 17799 (Minimum Requirements).
  • SP 800-30, Risk Assessment: analyzes the threats to and vulnerabilities of information systems and the potential impact or magnitude of harm that the loss of confidentiality, integrity, or availability would have on an agency’s operations and assets. (ISO/IEC 13335-2, Risk Management)
  • FIPS 199 and SP 800-60, Categorization of Information and Information Systems: defines categories of information and information systems according to levels of risk for confidentiality, integrity, and availability; maps information types to security categories.
  • SP 800-18, Security Planning: documents the security requirements and security controls planned or in place for the protection of information and information systems. (ISO/IEC 13335-1, Security Management)
  • SP 800-53 (Interim) and FIPS 200 (Final), Security Control Selection and Implementation: management, operational, and technical controls (i.e., safeguards and countermeasures) planned or in place to protect information and information systems. (ISO/IEC 13335-4, Selection of Safeguards)
  • SP 800-37 and SP 800-53A, Verification of Security Control Effectiveness (Certification): measures the effectiveness of the security controls associated with information systems through security testing and evaluation.
  • SP 800-37, Security Authorization (Accreditation): the authorization of information systems to process, store, or transmit information, granted by a senior agency official, based on the effectiveness of security controls and residual risk.

  4. NIST Information Security Management: Plan, Do, Check, Act
  The same diagram of NIST publications for US Federal Government information systems, with each step labelled by its Plan-Do-Check-Act phase; the box descriptions are those of slide 3.
  • PLAN: SP 800-30, Risk Assessment (analyzes the threats to and vulnerabilities of information systems and the potential impact or magnitude of harm that the loss of confidentiality, integrity, or availability would have on an agency’s operations and assets)
  • PLAN: FIPS 199 and SP 800-60, Categorization of Information and Information Systems (defines categories of information and information systems according to levels of risk for confidentiality, integrity, and availability; maps information types to security categories)
  • PLAN: SP 800-18, Security Planning (documents the security requirements and security controls planned or in place for the protection of information and information systems)
  • DO: SP 800-53 (Interim) and FIPS 200 (Final), Security Control Selection and Implementation (management, operational, and technical controls, i.e., safeguards and countermeasures, planned or in place to protect information and information systems)
  • CHECK: SP 800-37 and SP 800-53A, Verification of Security Control Effectiveness (Certification) (measures the effectiveness of the security controls associated with information systems through security testing and evaluation)
  • ACT: SP 800-37, Security Authorization (Accreditation) (the authorization of information systems to process, store, or transmit information, granted by a senior agency official, based on the effectiveness of security controls and residual risk)
  The organizational-level Information Security Program sits above the system-level cycle.

  5. Development Timeline
  • FIPS Publication 199: “Standards for Security Categorization of Federal Information and Information Systems”, http://www.csrc.nist.gov/publications/drafts/draft-fips-pub-199.pdf, Final Publication December 2003
  • SP 800-37: “Guide for the Security Certification and Accreditation of Federal Information Systems”, http://www.csrc.nist.gov/publications/drafts/sp800-37-Draftver2.pdf, Final Draft December 2003
  • SP 800-53: “Recommended Security Controls for Federal Information Systems”, Initial Public Draft October 2003
  • SP 800-53A: “Techniques and Procedures for Verifying the Effectiveness of Security Controls in Federal Information Systems”, Initial Public Draft Spring 2004
  All publications: http://www.csrc.nist.gov/publications

  6. Contact Information
  100 Bureau Drive, Mailstop 8930, Gaithersburg, MD USA 20899-8930
  • Dr. Alicia Clay, (301) 975-3641, alicia.clay@nist.gov
  • Project Manager: Dr. Ron Ross, (301) 975-5390, rross@nist.gov
  World Wide Web: http://csrc.nist.gov/sec-cert
