
NIST SP 800: Information Security Library

NIST (National Institute of Standards and Technology) is the American national standardization institute, an analogue of the Russian GosStandart. It includes the CSRC (Computer Security Resource Center), a competent and influential US computer security center that brings together specialists from federal agencies, universities and major US IT companies. Since the early 1990s the Center has been publishing standards (FIPS) and more detailed explanations and recommendations (Special Publications) in the field of information security. The recommendations (Special Publications) produced by the CSRC are assigned to the 800 series. I propose to discuss them in more detail.
Three working groups have been created within the CSRC, dividing all of the center's activities into the following major areas:
- information security management;
- technical issues of ensuring information security;
- cryptographic information security.
Each group has dozens of publications. Since cryptography is a rather specific area, the recommendations in that area deserve a separate article; below I give an overview of the most interesting and popular documents of the first two groups.
Many documents are revised regularly, so the year of release of the latest version is given in parentheses (which explains why the documents are not listed in numerical order). Bold marks the documents most often encountered or cited in other information security materials.
Information security management
This section contains the standard set found in practically any stack of standards and recommendations for information security management, but let me remind you that the status of the CSRC makes them effectively mandatory for use in all US government agencies, and that is a considerable share of the IT market.
| Year | Title | Contents |
| --- | --- | --- |
| (2003) | Creating an IT Security Awareness Program | Areas of responsibility of the participants in the process, preparation of material, possible problems at the program implementation stage, the control/audit process, examples |
| (2006) | Testing IT Security Plans | Policy, areas of responsibility, methodology, sample documents, specific methods: tabletop exercise, simulations, testing in a live environment |
| (2006) | Information Security in Brief for Management | The process of ensuring IS in the organization, the life cycle of IT systems, security of interconnections between IT systems, training and raising employee awareness of information security, IS risk management, assessment, certification, control, continuity and incident management |
| (2008) | Classification of Information and Information Systems by Security Requirements: Methodology and Classifier | Assignment methodology and classifier (recommended values) for the impact levels of a breach of confidentiality, integrity and availability, depending on the type (purpose) of the information being processed |
| (2008) | Technical Issues of Information Security Assessment | Assessment methods, self-assessment, internal audit, external audit, pentest, organization of the process, assessment, analysis of results, use of results in improving the organization's information security |
| (2009) | Password Management | Existing threats when using password authentication, securing the password store, social engineering attacks |
| (2010) | IS Risk Management in Federal Information Systems | A detailed methodology for managing IS risks, roles and areas of responsibility of process participants, description of related documents |
| (2010) | Continuity Planning in Federal Information Systems | Interconnection of the various levels of ensuring continuity, assessing the impact of various types of incidents on a service, selecting strategies, developing and testing plans, basic technologies for ensuring the continuity of information systems and services |
| (2011) | Information Security Monitoring in Federal Information Systems | Possible levels of security monitoring: the organization as a whole / business processes / IT systems; developing a monitoring strategy, defining metrics, analyzing incoming data, using results in improving the organization's information security |
| (2012) | Information Security Incident Management | Planning the process, creating a response team and the regulations for its operation, detecting incidents, prioritizing, choosing a response strategy, reducing damage, restoring systems, coordinating the people responding to the incident |
| (2012) | Security Update Management | Issues and problems of the update management process, technologies for keeping software up to date, process metrics |
Technical Issues for Ensuring Information Security
Next, in a shorter format, are the most interesting technical publications of the CSRC. I will not deny that among the CSRC documents there are also openly obsolete ones (I have tried to exclude them from the list). Overall, however, many experts consider NIST one of the most dynamic standardization bodies in the field of IT and information security. They try to issue recommendations almost immediately after significant trends appear, whether new threats emerge or old ones shift in importance (so the most interesting documents are, accordingly, probably near the very bottom).
I hope that in this variety everyone will find a couple of documents for leisurely reading after the holidays!