The NIST Special Publications for Security Management
By: Waylon Coulter
The NIST Publications
- SP 800-12: An Introduction to Computer Security: The NIST Handbook
- SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
- SP 800-18: Guide for Developing Security Plans
- SP 800-26: Security Self-Assessment Guide for IT Systems
- SP 800-30: Risk Management Guide for IT Systems
Reasons for Using NIST Documents
- Publicly available at no charge
- Broadly reviewed by government and industry professionals
- Help an organization develop a security framework
SP 800-12: Computer Security Handbook
- An extremely good reference for routine security management
- Supplies little guidance on designing and implementing new systems
- A useful supplement for building a solid understanding of security terminology and background
Information Found in SP 800-12
- Draws upon the OECD's Guidelines for the Security of Information Systems, whose principles are:
  - Accountability
  - Awareness
  - Ethics
  - Multidisciplinary
  - Proportionality
  - Integration
  - Timeliness
  - Reassessment
  - Democracy
Controls
- NIST SP 800-12 lays out its philosophy of security management by organizing controls into three categories:
  1. Management Controls
  2. Operational Controls
  3. Technical Controls
- These three categories are broken down into 17 control areas, which are discussed in SP 800-26
Management Controls
- Address security topics that can be categorized as managerial
- Techniques and concerns that are addressed by management in the organization
- Focus on management of risk and of the computer security program
Technical Controls
- Focus on controls that the computer system executes
- Depend on the proper functioning of the system
- Always require significant operational considerations
- Should be consistent with the management of security in the organization
SP 800-14: Generally Accepted Principles and Practices for Securing IT Systems
- Describes best practices and commonly accepted information security principles that can be used to develop a security blueprint
- Describes principles that should be integrated into the information security process
Significant Points Made in SP 800-14
- Security Supports the Mission of the Organization
  - The implementation of information security is not independent of the organization's mission; it is driven by it
  - The information security program MUST support and further the organization's mission
- Security Is an Integral Element of Sound Management
  - Security supports the planning function when information security policies provide input into organizational initiatives, and supports the controlling function by enforcing both managerial and security policies
Significant Points Continued…
- Security Should Be Cost-Effective
  - The costs of information security should be considered part of the cost of doing business
  - Information security should justify its own costs; security measures whose costs outweigh their benefits should be rationalized
- System Owners Have Security Responsibilities Outside Their Own Organizations
  - When systems use data from clients, customers, partners, and others, protecting that data is a significant security responsibility owed to those parties
Significant Points Continued…
- Security Responsibilities and Accountability Should Be Made Explicit
  - Policy documents should clearly identify the security responsibilities of users, administrators, and managers
- Security Requires a Comprehensive and Integrated Approach
  - Security is everyone's responsibility
- Security Should Be Periodically Reassessed
  - Security is an ongoing process
  - To remain effective, the security process must be periodically repeated
- Security Is Constrained by Societal Factors
  - Legal demands, shareholder requirements, and even business practices affect the implementation of security controls
Principles for Securing IT Systems
- Establish a sound security policy as the "foundation" for the design
- Treat security as an integral part of the overall system design
- Clearly delineate the physical and logical security boundaries governed by associated security policies
- Reduce risk to an acceptable level
- Assume that external systems are insecure
- Identify potential trade-offs between reducing risk and increased costs and decreases in other aspects of operational effectiveness
More Principles…
- Implement layered security (ensure there is no single point of vulnerability)
- Implement tailored system security measures to meet organizational security goals
- Strive for simplicity
- Design and operate an IT system to limit vulnerability and to be resilient in response
- Minimize the system elements to be trusted
- Implement security through a combination of measures distributed physically and logically
More Principles…
- Provide assurance that the system is, and continues to be, resilient in the face of expected threats
- Limit or contain vulnerabilities
- Formulate security measures to address multiple overlapping information domains
- Isolate public access systems from mission-critical resources (e.g., data, processes)
- Use boundary mechanisms to separate computing systems and network infrastructures
More Principles…
- Where possible, base security on open standards for portability and interoperability
- Use a common language in developing security requirements
- Design and implement audit mechanisms to detect unauthorized use and to support incident investigations
- Design security to allow for regular adoption of new technologies, including a secure and logical technology upgrade process
- Authenticate users and processes to ensure appropriate access control decisions both within and across domains
More Principles…
- Use unique identities to ensure accountability
- Implement least privilege: grant the lowest level of access consistent with accomplishing the assigned role
- Do not implement unnecessary security mechanisms
- Protect information while it is being processed, in transit, and in storage
- Strive for operational ease of use
- Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability
More Principles…
- Consider custom products to achieve adequate security
- Ensure proper security in the shutdown or disposal of a system
- Protect against all likely classes of "attacks"
- Identify and prevent common errors and vulnerabilities
- Ensure that developers are trained in how to develop secure software
SP 800-18: Guide for Developing Security Plans for IT Systems
- Details methods for assessing, designing, and implementing controls and plans for applications of various sizes
- Provides templates for major application security plans
- SP 800-18 must be customized to fit the particular needs of the organization
SP 800-26: Security Self-Assessment Guide for IT Systems
- Describes 17 control areas that span the three types of controls
- These areas form the core of the NIST security management structure
Management Controls
- Risk Management
- Review of Security Controls
- Life Cycle Maintenance
- Authorization of Processing (Certification and Accreditation)
- System Security Plan
Operational Controls
- Personnel Security
- Physical Security
- Production, Input/Output Controls
- Contingency Planning
- Hardware and System Software Maintenance
- Data Integrity
- Documentation
- Security Awareness, Training, and Education
- Incident Response Capability
Technical Controls
- Identification and Authentication
- Logical Access Controls
- Audit Trails
SP 800-30: Risk Management Guide for IT Systems
- Provides the foundation for developing an effective risk management program
- The ultimate goal is to help organizations better manage IT-related mission risk
- The guide helps organizations develop and evaluate the risk management process
References
- National Institute of Standards and Technology, Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook, October 1995.
- National Institute of Standards and Technology, Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996.
- National Institute of Standards and Technology, Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, February 2006.
- National Institute of Standards and Technology, Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001.
- National Institute of Standards and Technology, Special Publication 800-30, Risk Management Guide for Information Technology Systems, July 2002.