NIST SECURITY MODELS
• This refers to the National Security Telecommunications and Information Systems Security Committee (NSTISSC) document, which presents a comprehensive model for information security. The model consists of three dimensions.
• Another possible approach is described in the many documents available from the Computer Security Resource Center of the National Institute of Standards and Technology (csrc.nist.gov).
• The following NIST documents can assist in the design of a security framework:
– NIST SP 800-12: An Introduction to Computer Security: The NIST Handbook
– NIST SP 800-14: Generally Accepted Security Principles and Practices for Securing IT Systems
– NIST SP 800-18: The Guide for Developing Security Plans for IT Systems
– NIST SP 800-26: Security Self-Assessment Guide for IT Systems
– NIST SP 800-30: Risk Management for IT Systems
• NIST Special Publication SP 800-12
- SP 800-12 is an excellent reference and guide for the security manager or administrator in the routine management of information security.
- It provides little guidance, however, on the design and implementation of new security systems, and therefore should be used only as a valuable precursor to understanding an information security blueprint.
• NIST Special Publication SP 800-14
Generally Accepted Principles and Practices for Securing Information Technology Systems.
- Provides best practices and security principles that can direct the security team in the development of a security blueprint.
- The scope of NIST SP 800-14 is broad. It is important to consider each of the security principles it presents, and therefore the following sections examine some of the more significant points in more detail:
– Security Supports the Mission of the Organization
– Security is an Integral Element of Sound Management
– Security Should Be Cost-Effective
– Systems Owners Have Security Responsibilities Outside Their Own Organizations
– Security Responsibilities and Accountability Should Be Made Explicit
– Security Requires a Comprehensive and Integrated Approach
– Security Should Be Periodically Reassessed
– Security is Constrained by Societal Factors
– In total, 33 principles are enumerated.