Information Security Standards - NIST SP800 Series
(Page 3 of 4 )
The NIST Special Publications 800 group of documents is the oldest of all the information security standards, having been established in 1990. It consists of over a hundred extensive documents covering almost every aspect of information security. Space constraints prohibit a detailed discussion of all these documents, but an overview of the computer security handbook SP800-12 will provide a good idea of the NIST approach.
SP800-12
The core document of the series, SP800-12, is a handbook that covers the central principles of information security in some detail. It summarizes NIST's approach to the subject, identifying the following eight major guiding elements:
Computer security should support the organization's mission Essentially, security is not a goal in itself: its purpose is to protect an organization's information assets. Security should serve the organization, not the other way around.
Computer security is a central element of sound management As with any other asset belonging to an organization, it is the responsibility of the organization's management-level decision makers to understand the value of their information assets, to determine an acceptable level of risk to them, and implement strategies and controls accordingly.
Computer security should be cost effective Essentially, the cost of implementing security measures should not outweigh the benefits of the exercise.
Computer security responsibilities and accountability should be made explicit This speaks for itself: areas of responsibility for information security should be formally documented and explicitly agreed to in order for there to be accountability. Without this, everyone runs the risk of thinking somebody else is responsible.
System owners have security responsibilities outside their own organizations In other words, those responsible for information security have duties to external users of the system, who should be made explicitly aware of the nature, extent and implications of any security controls that are in place.
Computer security requires a comprehensive and integrated approach Security controls are interdependent with many other parts of an organization. Without adequate recognition of this, security controls can serve to undermine rather than support the organization's efficiency.
Computer security should be periodically reassessed Information technology is a dynamic entity and must be treated accordingly. As systems, vulnerabilities and threats change, so must the security controls used to address them. A static approach to information security is doomed to fail eventually. It is also vital to understand that there is no such thing as a perfect security system. Therefore, every system must evolve in order to improve.
Computer security is constrained by societal factors In other words, issues such as privacy, legislation and social attitudes towards freedom of information all affect the extent and nature of security policies and controls. An organization must account for these considerations in developing its security strategies.
The document - and indeed the rest of the series -- goes on to outline in detail the specific strategies, procedures and controls by which security issues can be addressed in compliance with these principles. More specific in nature and detail, they cover areas such as Guidelines on Electronic Mail Security (SP800-45), Building an Information Technology Security Awareness and Training Program (SP800-50), Electronic Authentication Guidelines (SP800-63) and Guidelines for Secure Web Services (SP800-95) to mention just a few.
Although NIST doesn't itself oversee a certification program, it provides support for a range of initiatives in the areas of awareness, training and education.
