Chapter: Information Security : Logical Design

VISA International Security Model

NIST SP 800-18

- NIST SP 800-18, the Guide for Developing Security Plans for Information Technology Systems, can be used as the foundation for a comprehensive security blueprint and framework.

- It provides detailed methods for assessing and implementing controls and plans for applications of varying size.

- It can serve as a useful guide to the required activities and as an aid in the planning process.

- It also includes templates for major application security plans.

- The table of contents of SP 800-18 is outlined below.

 

System Analysis

- System Boundaries
- Multiple Similar Systems
- System Categories

Plan Development - All Systems

· Plan Control
· System Identification
· System Operational Status
· System Interconnection / Information Sharing
· Sensitivity of Information Handled
· Laws, Regulations and Policies Affecting the System

 

Management Controls

– Risk Assessment and Management
– Review of Security Controls
– Rules of Behavior
– Planning for Security in the Life Cycle
– Authorization of Processing (Certification and Accreditation)
– System Security Plan

 

Operational Controls

1. Personnel Security
2. Physical Security
3. Production, Input/Output Controls
4. Contingency Planning
5. Hardware and Systems Software
6. Data Integrity
7. Documentation
8. Security Awareness, Training, and Education
9. Incident Response Capability

 

Technical Controls

– Identification and Authentication
– Logical Access Controls
– Audit Trails

NIST SP 800-26: Security Self-Assessment Guide for IT Systems

The table of contents of NIST SP 800-26 is outlined below. The guide numbers its seventeen control topics consecutively across the three control families.

Management Controls

1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing (Certification and Accreditation)
5. System Security Plan

Operational Controls

6. Personnel Security
7. Physical Security
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability

Technical Controls

15. Identification and Authentication
16. Logical Access Controls
17. Audit Trails

 

Management Controls

· Management controls address the design and implementation of the security planning process and of security program management.

· They also address risk management and security control reviews, and they describe the necessity and scope of legal compliance and the maintenance of the entire security life cycle.

Operational Controls

· Operational controls deal with the operational functionality of security in the organization. They include management functions and lower-level planning, such as disaster recovery and incident response planning.

· They also address personnel security, physical security, and the protection of production inputs and outputs.

· They guide the development of education, training, and awareness programs for users, administrators, and management. Finally, they address hardware and software systems maintenance and the integrity of data.

Technical Controls

· Technical controls address the tactical and technical issues related to designing and implementing security in the organization, as well as issues related to examining and selecting the technologies appropriate to protecting information.

· They address the specifics of technology selection and the acquisition of certain technical components. They also include logical access controls, such as identification, authentication, authorization, and accountability.

· They cover cryptography to protect information in storage and in transit. Finally, they include the classification of assets and users, to facilitate the authorization levels needed.

Using the three sets of controls, the organization should be able to specify controls to cover the entire spectrum of safeguards, from strategic to tactical, and from managerial to technical.
