Showing posts with label Security Management.
Guide for Applying the Risk Management Framework to Federal Information Systems
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[Risk Management]
[NIST]
NIST 800-37
Introduction
Organizations depend on information technology and the information systems that are developed from that technology to successfully carry out their missions and business functions. Information systems can include, as constituent components, a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems). Federal information and information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information and information systems include environmental disruptions, human or machine errors, and purposeful attacks. Cyber attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated. Successful attacks on public and private sector information systems can result in serious or grave damage to the national and economic security interests of the United States. Given the significant and growing danger of these threats, it is imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf
A Framework for Assessing and Improving Enterprise Architecture Management (Version 2.0)
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[Software Architecture]
[Enterprise Architecture]
GAO-10-846G
Why GAO did this study
Effective use of an enterprise architecture (EA) is a hallmark of successful organizations and an essential means to achieving a desired end: having operations and technology environments that maximize institutional mission performance and outcomes. Among other things, this includes realizing cost savings through consolidation and reuse of shared services and elimination of antiquated and redundant mission operations, enhancing information sharing through data standardization and system integration, and optimizing service delivery through streamlining and normalization of business processes and mission operations. Not using an EA can result in organizational operations and supporting technology infrastructures and systems that are duplicative, poorly integrated, unnecessarily costly to maintain and interface, and unable to respond quickly to shifting environmental factors.
To assist organizations in successfully developing, maintaining, and using an EA, GAO is issuing this major update to its Enterprise Architecture Management Maturity Framework. Its purpose is to provide a flexible benchmark against which to plan for and measure EA program maturity. To develop the update, GAO solicited comments from 27 federal departments and agencies, as well as representatives from the private sector, state governments, and academia, and it leveraged its prior experience in applying the framework.
The full document is available through the following link:
http://www.gao.gov/assets/80/77233.pdf
NIST Standards on How to Secure Operating Systems
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[OS Security]
[NIST]
NIST 800-70 v2
National Checklist Program Repository (NCP)
A full-featured guide and tool with checklists and security benchmarks for all operating systems and devices (from mainframes to mobile devices). It is based on the NIST 800-70 v2 standard. A must-have reference source for the security professional.
The link for the National Checklist Program Repository is:
http://web.nvd.nist.gov/view/ncp/repository
Recommended Security Controls for Federal Information Systems and Organizations
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]
NIST 800-53 v3
Introduction
The Need For Security Controls to Protect Information and Information Systems
The selection and implementation of appropriate security controls for an information system or a system-of-systems are important tasks that can have major implications on the operations and assets of an organization as well as the welfare of individuals and the Nation. Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information. There are several important questions that should be answered by organizational officials when addressing the security considerations for their information systems:
- What security controls are needed to adequately mitigate the risk incurred by the use of information and information systems in the execution of organizational missions and business functions?
- Have the selected security controls been implemented or is there a realistic plan for their implementation?
- What is the desired or required level of assurance (i.e., grounds for confidence) that the selected security controls, as implemented, are effective in their application?
The answers to these questions are not given in isolation but rather in the context of an effective information security program for the organization that identifies, mitigates as deemed necessary, and monitors on an ongoing basis, risks arising from its information and information systems. The security controls defined in this publication and recommended for use by organizations in protecting their information systems should be employed in conjunction with and as part of a well-defined and documented information security program. The program management controls (Appendix G) complement the security controls for an information system (Appendix F) by focusing on the organization-wide information security requirements that are independent of any particular information system and are essential for managing information security programs.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
Computer Security Incident Handling Guide
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[Incident Handling]
[NIST]
NIST 800-61 v2
Abstract
Computer security incident response has become an important component of information technology (IT) programs. Because performing incident response effectively is a complex undertaking, establishing a successful incident response capability requires substantial planning and resources. This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively. This publication provides guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident. The guidelines can be followed independently of particular hardware platforms, operating systems, protocols, or applications.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]
[PII]
NIST 800-122
Executive Summary
The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, "If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds." This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization's legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII. To effectively protect PII, organizations should implement the following recommendations.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf
Information Security Handbook: A Guide for Managers
[External Reference]
[Computer Systems Security]
[Standards]
[Security Management]
[NIST]
NIST 800-100
Introduction
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying their stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. National Institute of Standards and Technology (NISTIR) Interagency Report 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.
The full document is available through the following link:
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf