Information Security News mailing list archives

NIST prepping security guides


From: InfoSec News <isn () c4i org>
Date: Mon, 28 Jan 2002 02:58:23 -0600 (CST)

http://www.fcw.com/fcw/articles/2002/0128/web-nist-01-28-02.asp

By Diane Frank 
Jan. 28, 2002

The National Institute of Standards and Technology's security team
will be releasing more than 30 guides over the coming year to help
agencies with many crucial technical and policy security concerns,
officials said last week.

The NIST Computer Security Resource Center released four draft guides
for comment during the past two months, addressing telecommuting
security, information technology contingency plans, securely
connecting IT systems, and using common definitions for security
vulnerabilities. Under the Computer Security Act of 1987, NIST serves
as the primary technical resource for civilian agencies.

But those four guides are only the beginning of what will be a very
busy year for the center and its contractors. In fiscal 2002, they
plan to release almost three times the usual number of guides, said
Tim Grance, manager of the systems and network security group.

These guides, including those listed below, will be grouped into four 
areas: 

* Broad guidance in high-impact areas, such as incident handling, 
  security certification and accreditation, security metrics and 
  determining security return on investment.

* Procurement strategy, including a user guide for understanding the 
  Common Criteria international evaluation scheme and a guide to 
  procuring managed security services.

* Point solutions for technical and policy areas, such as applying 
  security patches, securing public Web servers, smart cards, 
  public-key infrastructure directories, and e-mail security issues 
  and solutions.

* Security of emerging technologies, particularly securing wireless 
  networks.

All of the NIST guides will be released for comment to help fine-tune
them for agency needs, and the center is always looking for assistance
in determining whether it is focusing on the right areas to be of
assistance to agencies, Grance said.

In addition, the center plans to release in March an automated tool to
help agencies perform security self-assessments, based on a guide
released last year in partnership with the federal CIO Council's
Federal IT Security Assessment Framework. In January 2001, the Office
of Management and Budget recommended agencies use the framework and
guide as the basis for the self-assessments required under the
Government Information Security Reform Act.

The center's staff members also will be reviewing existing guides and
standards to ensure consistency with current legislation and policy,
discover if there is any redundancy, and determine the need for
additional guidance beyond what is already planned, said Joan Hash,
director of the center's security, management and guidance group.



-
ISN is currently hosted by Attrition.org
