The US NIST* has just released a draft of Special Publication 800-12, ‘An introduction to information security,’ authored by Michael Nieles, Kelley Dempsey and Victoria Yan Pillitteri. The 97-page document targets ‘those new to the information security principles and tenets needed to protect information and systems in a way that is commensurate with risk.’ SP 800-12 provides ‘tips and techniques described [that can be] applied to any type of information or system in any type of organization.’ The basic principles of information security apply to government, academia and industry, and SP 800-12 provides a backgrounder in information security basics as well as a high-level view of the topic.
Central to the approach is the NIST Risk Management Framework (RMF), which promotes the concept of near real-time risk management and ongoing system authorization through the implementation of ‘robust continuous monitoring processes.’ The RMF also ‘provides senior leaders the necessary information to make cost-effective, risk-based decisions on the organizational systems supporting their core missions and business functions, and integrates information security into the enterprise architecture and system development life cycle.’
The RMF is a six-step program that addresses security categorization, control selection, implementation and assessment, system authorization and ongoing monitoring. A rigorous, if somewhat academic, approach is advocated in the development of both commercial off-the-shelf products and customized systems. The draft advocates the use of ‘trusted system architectures.’ These are realized through best-practice software engineering techniques including security design and development reviews, formal modeling, mathematical proofs, ISO 9000 quality techniques, ISO 15288 systems engineering standards and architecture concepts such as a ‘trusted computing base’ or reference monitor.
Security needs to be assessed to establish a level of confidence that the security meets requirements. Here NIST recommends the use of the Common Criteria portal in the procurement of IT products with security functionality.
* National Institute of Standards and Technology of the US Department of Commerce.
© Oil IT Journal - all rights reserved.