Showing posts with label NIST. Show all posts
Guide for Applying the Risk Management Framework to Federal Information Systems
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[Risk Management]
[NIST]
Guide for Applying the Risk Management Framework to Federal Information Systems
NIST 800-37
Introduction
Organizations depend on information technology and the information systems that are developed from that technology to successfully carry out their missions and business functions. Information systems can include, as constituent components, a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems). Federal information and information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information and information systems include environmental disruptions, human or machine errors, and purposeful attacks. Cyber attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated. Successful attacks on public and private sector information systems can result in serious or grave damage to the national and economic security interests of the United States. Given the significant and growing danger of these threats, it is imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS
[External Reference]
[Computer Systems Security]
[Standards]
[Cloud Computing]
[NIST]
CLOUD COMPUTING: A REVIEW OF FEATURES, BENEFITS, AND RISKS, AND RECOMMENDATIONS FOR SECURE, EFFICIENT IMPLEMENTATIONS
NIST 800-146
Executive Summary
Cloud computing allows computer users to conveniently rent access to fully featured applications, to software development and deployment environments, and to computing infrastructure assets such as network-accessible data storage and processing.
This document reprises the NIST-established definition of cloud computing, describes cloud computing benefits and open issues, presents an overview of major classes of cloud technology, and provides guidelines and recommendations on how organizations should consider the relative opportunities and risks of cloud computing. Cloud computing has been the subject of a great deal of commentary. Attempts to describe cloud computing in general terms, however, have been problematic because cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models, and deployment models. This document describes cloud systems and discusses their strengths and weaknesses.
Depending on an organization's requirements, different technologies and configurations are appropriate. To understand which part of the spectrum of cloud systems is most appropriate for a given need, an organization should consider how clouds can be deployed (deployment models), what kinds of services can be provided to customers (service models), the economic opportunities and risks of using cloud services (economic considerations), the technical characteristics of cloud services such as performance and reliability (operational characteristics), typical terms of service (service level agreements), and the security opportunities and risks (security).
The full document is available through the following link:
http://www.thecre.com/fisma/wp-content/uploads/2012/05/sp800-146.pdf
NIST Standards on How to Secure Operating Systems
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[OS Security]
[NIST]
NIST Standards on How to Secure Operating Systems
NIST 800-70 v2
National Checklist Program Repository (NCP)
A full-featured guide tool with checklists and security benchmarks for all operating systems and devices (from mainframes to mobile devices). It is based on the NIST 800-70 v2 standard. A must-have reference source for the security professional.
The link for the National Checklist Program Repository is:
http://web.nvd.nist.gov/view/ncp/repository
Recommended Security Controls for Federal Information Systems and Organizations
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]
Recommended Security Controls for Federal Information Systems and Organizations
NIST 800-53 v3
Introduction
The Need For Security Controls to Protect Information and Information Systems
The selection and implementation of appropriate security controls for an information system or a system-of-systems are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:
- What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
- Have the selected security controls been implemented or is there a realistic plan for their implementation?
- What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?
The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks arising from its information and information systems. The security controls defined in this publication and recommended for use by organizations in protecting their information systems should be employed in conjunction with and as part of a well-defined and documented information security program. The program management controls (Appendix G) complement the security controls for an information system (Appendix F) by focusing on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Computer Security Incident Handling Guide
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[Incident Handling]
[NIST]
Computer Security Incident Handling Guide
NIST 800-61 v2
Abstract
Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]
[PII]
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
NIST 800-122
Executive Summary
The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization's legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII. To effectively protect PII, organizations should implement the following recommendations.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
An Introduction to Computer Security: The NIST Handbook
[External Reference]
[Computer Systems Security]
[Standards]
[NIST]
An Introduction to Computer Security: The NIST Handbook
NIST 800-12
Purpose
This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.
The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references of "how-to" books and articles are provided at the end of each chapter in Parts II, III and IV.
The purpose of this handbook is not to specify requirements but, rather, to discuss the benefits of various computer security controls and situations in which their application may be appropriate. Some requirements for federal systems are noted in the text. This document provides advice and guidance; no penalties are stipulated.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
Information Security Handbook: A Guide for Managers
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]
Information Security Handbook: A Guide for Managers
NIST 800-100
Introduction
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. National Institute of Standards and Technology Interagency Report (NISTIR) 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
Trusted Computer Systems Evaluation Criteria
[External Reference]
[Computer Systems Security]
[Standards]
[NIST]
Department of Defense
Trusted Computer Systems Evaluation Criteria
DoD 5200.28-STD
Preface
The trusted computer system evaluation criteria defined in this document classify systems into four broad hierarchical divisions of enhanced security protection. They provide a basis for the evaluation of effectiveness of security controls built into automatic data processing system products. The criteria were developed with three objectives in mind: (a) to provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information; (b) to provide guidance to manufacturers as to what to build into their new, widely-available trusted commercial products in order to satisfy trust requirements for sensitive applications; and (c) to provide a basis for specifying security requirements in acquisition specifications. Two types of requirements are delineated for secure processing: (a) specific security feature requirements and (b) assurance requirements. Some of the latter requirements enable evaluation personnel to determine if the required features are present and functioning as intended. The scope of these criteria is to be applied to the set of components comprising a trusted system, and is not necessarily to be applied to each system component individually. Hence, some components of a system may be completely untrusted, while others may be individually evaluated to a lower or higher evaluation class than the trusted product considered as a whole system. In trusted products at the high end of the range, the strength of the reference monitor is such that most of the components can be completely untrusted. Though the criteria are intended to be application-independent, the specific security feature requirements may have to be interpreted when applying the criteria to specific systems with their own functional requirements, applications or special environments (e.g., communications processors, process control computers, and embedded systems in general). 
The underlying assurance requirements can be applied across the entire spectrum of ADP system or application processing environments without special interpretation.
The full document is available through the following link:
http://csrc.nist.gov/publications/history/dod85.pdf