NIST SP 800-18
- The Guide for Developing Security Plans for Information Technology Systems can be used as the foundation for a comprehensive security blueprint and framework.
- It provides detailed methods for assessing and implementing controls and plans for applications of varying size.
- It can serve as a useful guide to the activities and as an aid in the planning process.
- It also includes templates for major application security plans.
- The table of contents for Publication 800-18 is presented in the following.
System Analysis
- System Boundaries
- Multiple Similar Systems
- System Categories
Plan Development - All Systems
- Plan Control
- System Identification
- System Operational Status
- System Interconnection / Information Sharing
- Sensitivity of Information Handled
- Laws, Regulations and Policies Affecting the System
Management Controls
- Risk Assessment and Management
- Review of Security Controls
- Rules of Behavior
- Planning for Security in the Life Cycle
- Authorization of Processing (Certification and Accreditation)
- System Security Plan
Operational Controls
1. Personnel Security
2. Physical Security
3. Production, Input/Output Controls
4. Contingency Planning
5. Hardware and Systems Software
6. Data Integrity
7. Documentation
8. Security Awareness, Training, and Education
9. Incident Response Capability
Technical Controls
- Identification and Authentication
- Logical Access Controls
- Audit Trails
NIST SP 800-26: Security Self-Assessment Guide for IT Systems
NIST SP 800-26 Table of Contents
Management Controls
1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing (Certification and Accreditation)
5. System Security Plan
Operational Controls
6. Personnel Security
7. Physical Security
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability
Technical Controls
15. Identification and Authentication
16. Logical Access Controls
17. Audit Trails
Management controls
- They address the design and implementation of the security planning process and security program management.
- They also address risk management and security control reviews. They further describe the necessity and scope of legal compliance and the maintenance of the entire security life cycle.
Operational controls
- They deal with the operational functionality of security in the organization. They include management functions and lower-level planning, such as disaster recovery and incident response planning.
- They also address personnel security, physical security, and the protection of production inputs and outputs.
- They guide the development of education, training and awareness programs for users, administrators, and management. Finally, they address hardware and software systems maintenance and the integrity of data.
Technical controls
- They address the tactical and technical issues related to designing and implementing security in the organization, as well as issues related to examining and selecting the technologies appropriate to protecting information.
- They address the specifics of technology selection and the acquisition of certain technical components. They also include logical access controls, such as identification, authentication, authorization, and accountability.
- They cover cryptography to protect information in storage and in transit. Finally, they include the classification of assets and users, to facilitate the authorization levels needed.
Using the three sets of controls, the organization should be able to specify controls to cover the entire spectrum of safeguards, from strategic to tactical, and from managerial to technical.