SlideShare a Scribd company logo

create your own Security Management Model using the NIST Special Pub.pdf

F
FORTUNE2505

create your own Security Management Model using the NIST Special Publication 800-14 and Evaluate and apply NIST SP 800-26. Solution NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12. The more significant points made in NIST SP 800-14 are as follows: 1)Security Supports the Mission of the Organization. 2)Security is an Integral Element of Sound Management. 3)Security Should Be Cost-Effective 4)Systems Owners Have Security Responsibilities Outside Their Own Organizations. 5)Security Responsibilities and Accountability Should Be Made Explicit. 6)Security Requires a Comprehensive and Integrated Approach. 7)Security Should Be Periodically Reassessed. 8)Security is Constrained by Societal Factors. It enumerates 33 principles for Securing Information Technology Systems: Principle 1. Establish a sound security policy as the “foundation” for design. Principle 2. Treat security as an integral part of the overall system design. Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies. Principle 4. Reduce risk to an acceptable level. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (Ensure no single point of vulnerability). Principle 8. Implement tailored system security measures to meet organizational security goals. Principle 9. Strive for simplicity. Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response. Principle 11. Minimize the system elements to be trusted. Principle 12. Implement security through a combination of measures distributed physically and logically. Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats. Principle 14. Limit or contain vulnerabilities. Principle 15. Formulate security measures to address multiple overlapping information domains. Principle 16. Isolate public access systems from mission critical resources. Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 18. Where possible, base security on open standards for portability and interoperability. Principle 19. Use common language in developing security requirements. Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations. Principle 21. Design security to allow for regular adoption of new techno.

Education
1 of 6
Download to read offline
create your own Security Management Model using the NIST Special Publication 800-14 and Evaluate and apply NIST SP 800-26. Solution NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12. The more significant points made in NIST SP 800-14 are as follows: 1)Security Supports the Mission of the Organization. 2)Security is an Integral Element of Sound Management. 3)Security Should Be Cost-Effective 4)Systems Owners Have Security Responsibilities Outside Their Own Organizations. 5)Security Responsibilities and Accountability Should Be Made Explicit. 6)Security Requires a Comprehensive and Integrated Approach. 7)Security Should Be Periodically Reassessed. 8)Security is Constrained by Societal Factors. It enumerates 33 principles for Securing Information Technology Systems: Principle 1. Establish a sound security policy as the “foundation” for design. Principle 2. Treat security as an integral part of the overall system design. Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies. Principle 4. Reduce risk to an acceptable level. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (Ensure no single point of vulnerability). Principle 8. Implement tailored system security measures to meet organizational security goals. Principle 9. Strive for simplicity. Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response. Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and logically. Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats. Principle 14. Limit or contain vulnerabilities. Principle 15. Formulate security measures to address multiple overlapping information domains. Principle 16. Isolate public access systems from mission critical resources. Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 18. Where possible, base security on open standards for portability and interoperability. Principle 19. Use common language in developing security requirements. Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations. Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process. Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains. Principle 23. Use unique identities to ensure accountability. Principle 24. Implement least privilege. Principle 25. Do not implement unnecessary security mechanisms. Principle 26. Protect information while being processed, in transit, and in storage. Principle 27. Strive for operational ease of use. Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability. Principle 29. Consider custom products to achieve adequate security. Principle 30. Ensure proper security in the shutdown or disposal of a system. Principle 31. Protect against all likely classes of “attacks.” Principle 32. Identify and prevent common errors and vulnerabilities. Principle 33. Ensure that developers are trained in how to develop secure software. NIST Special Publication 800-18 NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12.
The more significant points made in NIST SP 800-14 are as follows: 1)Security Supports the Mission of the Organization. 2)Security is an Integral Element of Sound Management. 3)Security Should Be Cost-Effective 4)Systems Owners Have Security Responsibilities Outside Their Own Organizations. 5)Security Responsibilities and Accountability Should Be Made Explicit. 6)Security Requires a Comprehensive and Integrated Approach. 7)Security Should Be Periodically Reassessed. 8)Security is Constrained by Societal Factors. It enumerates 33 principles for Securing Information Technology Systems: Principle 1. Establish a sound security policy as the “foundation” for design. Principle 2. Treat security as an integral part of the overall system design. Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies. Principle 4. Reduce risk to an acceptable level. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (Ensure no single point of vulnerability). Principle 8. Implement tailored system security measures to meet organizational security goals. Principle 9. Strive for simplicity. Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response. Principle 11. Minimize the system elements to be trusted. Principle 12. Implement security through a combination of measures distributed physically and logically. Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats. Principle 14. Limit or contain vulnerabilities. Principle 15. Formulate security measures to address multiple overlapping information domains. Principle 16. Isolate public access systems from mission critical resources. Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 18. Where possible, base security on open standards for portability and interoperability. Principle 19. Use common language in developing security requirements. Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support
incident investigations. Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process. Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains. Principle 23. Use unique identities to ensure accountability. Principle 24. Implement least privilege. Principle 25. Do not implement unnecessary security mechanisms. Principle 26. Protect information while being processed, in transit, and in storage. Principle 27. Strive for operational ease of use. Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability. Principle 29. Consider custom products to achieve adequate security. Principle 30. Ensure proper security in the shutdown or disposal of a system. Principle 31. Protect against all likely classes of “attacks.” Principle 32. Identify and prevent common errors and vulnerabilities. Principle 33. Ensure that developers are trained in how to develop secure software. NIST Special Publication 800-18 NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12. The more significant points made in NIST SP 800-14 are as follows: 1)Security Supports the Mission of the Organization. 2)Security is an Integral Element of Sound Management. 3)Security Should Be Cost-Effective 4)Systems Owners Have Security Responsibilities Outside Their Own Organizations. 5)Security Responsibilities and Accountability Should Be Made Explicit. 6)Security Requires a Comprehensive and Integrated Approach. 7)Security Should Be Periodically Reassessed. 8)Security is Constrained by Societal Factors. It enumerates 33 principles for Securing Information Technology Systems: Principle 1. Establish a sound security policy as the “foundation” for design. Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies. Principle 4. Reduce risk to an acceptable level. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (Ensure no single point of vulnerability). Principle 8. Implement tailored system security measures to meet organizational security goals. Principle 9. Strive for simplicity. Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response. Principle 11. Minimize the system elements to be trusted. Principle 12. Implement security through a combination of measures distributed physically and logically. Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats. Principle 14. Limit or contain vulnerabilities. Principle 15. Formulate security measures to address multiple overlapping information domains. Principle 16. Isolate public access systems from mission critical resources. Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 18. Where possible, base security on open standards for portability and interoperability. Principle 19. Use common language in developing security requirements. Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations. Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process. Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains. Principle 23. Use unique identities to ensure accountability. Principle 24. Implement least privilege. Principle 25. Do not implement unnecessary security mechanisms. Principle 26. Protect information while being processed, in transit, and in storage. Principle 27. Strive for operational ease of use. Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
Principle 29. Consider custom products to achieve adequate security. Principle 30. Ensure proper security in the shutdown or disposal of a system. Principle 31. Protect against all likely classes of “attacks.” Principle 32. Identify and prevent common errors and vulnerabilities. Principle 33. Ensure that developers are trained in how to develop secure software. NIST Special Publication 800-26 Management Controls 1. Risk Management 2. Review of Security Controls 3. Life Cycle Maintenance 4. Authorization of Processing (Certification and Accreditation) 5. System Security Plan Operational Controls 6. Personnel Security 7. Physical Security 8. Production, Input/Output Controls 9. Contingency Planning 10. Hardware and Systems Software 11. Data Integrity 12. Documentation 13. Security Awareness, Training, and Education 14. Incident Response Capability Technical Controls 15. Identification and Authentication 16. Logical Access Controls 17. Audit Trails NIST SP 800-26 - Security Self-Assessment Guide for Information Technology Systems describes seventeen areas that span managerial, operational and technical controls. The 17 areas listed are the core of the NIST security management structure. NIST Special Publication 800-30 NIST SP 800-30 - Risk Management Guide for Information Technology Systems provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.

Recommended

Khas bank isms 3 s
Khas bank isms 3 sKhas bank isms 3 s
Khas bank isms 3 sKhaltar Togtuun
 
Security policy and standards
Security policy and standardsSecurity policy and standards
Security policy and standardsWilson Musyoka
 
Ch.5 rq (1)
Ch.5 rq (1)Ch.5 rq (1)
Ch.5 rq (1)anthnydvs
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4MLG College of Learning, Inc
 
Chapter 5
Chapter 5Chapter 5
Chapter 5sivadnolram
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfAbuHanifah59
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information PolicyMLG College of Learning, Inc
 

Recommended

Khas bank isms 3 s
Khas bank isms 3 sKhas bank isms 3 s
Khas bank isms 3 sKhaltar Togtuun
 
Security policy and standards
Security policy and standardsSecurity policy and standards
Security policy and standardsWilson Musyoka
 
Ch.5 rq (1)
Ch.5 rq (1)Ch.5 rq (1)
Ch.5 rq (1)anthnydvs
 
Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4Information Assurance And Security - Chapter 1 - Lesson 4
Information Assurance And Security - Chapter 1 - Lesson 4MLG College of Learning, Inc
 
Chapter 5
Chapter 5Chapter 5
Chapter 5sivadnolram
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfAbuHanifah59
 
Lesson 1
Lesson 1Lesson 1
Lesson 1MLG College of Learning, Inc
 
Lesson 1- Information Policy
Lesson 1- Information PolicyLesson 1- Information Policy
Lesson 1- Information PolicyMLG College of Learning, Inc
 
cyber security ppt.pptx
cyber security ppt.pptxcyber security ppt.pptx
cyber security ppt.pptxlidiyamekonnen
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxjenkinsmandie
 
Ch14-Software Engineering 9
Ch14-Software Engineering 9Ch14-Software Engineering 9
Ch14-Software Engineering 9Ian Sommerville
 
CYBER SECURITY.pptx
CYBER SECURITY.pptxCYBER SECURITY.pptx
CYBER SECURITY.pptxlidiyamekonnen
 
Applying Lean for information security operations centre
Applying Lean for information security operations centreApplying Lean for information security operations centre
Applying Lean for information security operations centreNaushad Rajani. - CISA, CISSP, CCSP, PMP, DCPP (Privacy)
 
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docxoswald1horne84988
 
CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1Hamed Moghaddam
 
Information security.pptx
Information security.pptxInformation security.pptx
Information security.pptxGovt. P.G. College Sendhwa, Barwani (M.P.)
 
Enforcing Corporate Security Policies via Computational Intelligence Techniques
Enforcing Corporate Security Policies via Computational Intelligence TechniquesEnforcing Corporate Security Policies via Computational Intelligence Techniques
Enforcing Corporate Security Policies via Computational Intelligence TechniquesJuan J. Merelo
 
Ch09 Information Security Best Practices
Ch09 Information Security Best PracticesCh09 Information Security Best Practices
Ch09 Information Security Best Practicesphanleson
 
Lesson 2 - System Specific Policy
Lesson 2 - System Specific PolicyLesson 2 - System Specific Policy
Lesson 2 - System Specific PolicyMLG College of Learning, Inc
 
1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx
1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx
1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docxfelicidaddinwoodie
 
Lesson 2
Lesson 2Lesson 2
Lesson 2MLG College of Learning, Inc
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3MLG College of Learning, Inc
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityElumalai Vasan
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdfLiiewaOfficial
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security BlueprintZefren Edior
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowPECB
 
Information security management best practice
Information security management best practiceInformation security management best practice
Information security management best practiceparves kamal
 
Why would a manager be concerned with bandwidth How is bandwidth me.pdf
Why would a manager be concerned with bandwidth How is bandwidth me.pdfWhy would a manager be concerned with bandwidth How is bandwidth me.pdf
Why would a manager be concerned with bandwidth How is bandwidth me.pdfFORTUNE2505
 
Where would the Internet be today if the UNIX operating system did n.pdf
Where would the Internet be today if the UNIX operating system did n.pdfWhere would the Internet be today if the UNIX operating system did n.pdf
Where would the Internet be today if the UNIX operating system did n.pdfFORTUNE2505
 

More Related Content

Similar to create your own Security Management Model using the NIST Special Pub.pdf

cyber security ppt.pptx
cyber security ppt.pptxcyber security ppt.pptx
cyber security ppt.pptxlidiyamekonnen
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxjenkinsmandie
 
Ch14-Software Engineering 9
Ch14-Software Engineering 9Ch14-Software Engineering 9
Ch14-Software Engineering 9Ian Sommerville
 
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docxoswald1horne84988
 
CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1Hamed Moghaddam
 
Enforcing Corporate Security Policies via Computational Intelligence Techniques
Enforcing Corporate Security Policies via Computational Intelligence TechniquesEnforcing Corporate Security Policies via Computational Intelligence Techniques
Enforcing Corporate Security Policies via Computational Intelligence TechniquesJuan J. Merelo
 
Ch09 Information Security Best Practices
Ch09 Information Security Best PracticesCh09 Information Security Best Practices
Ch09 Information Security Best Practicesphanleson
 
1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx
1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx
1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docxfelicidaddinwoodie
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3MLG College of Learning, Inc
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityElumalai Vasan
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security BlueprintZefren Edior
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowPECB
 
Information security management best practice
Information security management best practiceInformation security management best practice
Information security management best practiceparves kamal
 

Similar to create your own Security Management Model using the NIST Special Pub.pdf (20)

cyber security ppt.pptx
cyber security ppt.pptxcyber security ppt.pptx
cyber security ppt.pptx
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
Essay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docxEssay QuestionsAnswer all questions below in a single document, pr.docx
Essay QuestionsAnswer all questions below in a single document, pr.docx
 
Ch14-Software Engineering 9
Ch14-Software Engineering 9Ch14-Software Engineering 9
Ch14-Software Engineering 9
 
CYBER SECURITY.pptx
CYBER SECURITY.pptxCYBER SECURITY.pptx
CYBER SECURITY.pptx
 
Applying Lean for information security operations centre
Applying Lean for information security operations centreApplying Lean for information security operations centre
Applying Lean for information security operations centre
 
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
· THE INDUSTRY AND THE COMPANY AND ITS PRODUCT(S) OR SERVICE(S)A.docx
 
CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1CISSP Certification- Security Engineering-part1
CISSP Certification- Security Engineering-part1
 
Information security.pptx
Information security.pptxInformation security.pptx
Information security.pptx
 
Enforcing Corporate Security Policies via Computational Intelligence Techniques
Enforcing Corporate Security Policies via Computational Intelligence TechniquesEnforcing Corporate Security Policies via Computational Intelligence Techniques
Enforcing Corporate Security Policies via Computational Intelligence Techniques
 
Ch09 Information Security Best Practices
Ch09 Information Security Best PracticesCh09 Information Security Best Practices
Ch09 Information Security Best Practices
 
Lesson 2 - System Specific Policy
Lesson 2 - System Specific PolicyLesson 2 - System Specific Policy
Lesson 2 - System Specific Policy
 
1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx
1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx
1UNIVERSITY OF MARYLAND UNIVERSITY COLLEGEGRADUATE SCH.docx
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3Information Assurance And Security - Chapter 1 - Lesson 3
Information Assurance And Security - Chapter 1 - Lesson 3
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
ISO/IEC 27001.pdf
ISO/IEC 27001.pdfISO/IEC 27001.pdf
ISO/IEC 27001.pdf
 
Information Security Blueprint
Information Security BlueprintInformation Security Blueprint
Information Security Blueprint
 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
 
Information security management best practice
Information security management best practiceInformation security management best practice
Information security management best practice
 

More from FORTUNE2505

Why would a manager be concerned with bandwidth How is bandwidth me.pdf
Why would a manager be concerned with bandwidth How is bandwidth me.pdfWhy would a manager be concerned with bandwidth How is bandwidth me.pdf
Why would a manager be concerned with bandwidth How is bandwidth me.pdfFORTUNE2505
 
Where would the Internet be today if the UNIX operating system did n.pdf
Where would the Internet be today if the UNIX operating system did n.pdfWhere would the Internet be today if the UNIX operating system did n.pdf
Where would the Internet be today if the UNIX operating system did n.pdfFORTUNE2505
 
What do you understand by degrees of Data AbstractionSolution.pdf
What do you understand by degrees of Data AbstractionSolution.pdfWhat do you understand by degrees of Data AbstractionSolution.pdf
What do you understand by degrees of Data AbstractionSolution.pdfFORTUNE2505
 
validity. (The Case lulTTtuT 2. Discuss the Economics of Effective Ma.pdf
validity. (The Case lulTTtuT 2. Discuss the Economics of Effective Ma.pdfvalidity. (The Case lulTTtuT 2. Discuss the Economics of Effective Ma.pdf
validity. (The Case lulTTtuT 2. Discuss the Economics of Effective Ma.pdfFORTUNE2505
 
Twitter had their IPO in 2013. Which of the following is not accurate.pdf
Twitter had their IPO in 2013. Which of the following is not accurate.pdfTwitter had their IPO in 2013. Which of the following is not accurate.pdf
Twitter had their IPO in 2013. Which of the following is not accurate.pdfFORTUNE2505
 
Use C programmingMake sure everything works only upload.pdf
Use C programmingMake sure everything works only upload.pdfUse C programmingMake sure everything works only upload.pdf
Use C programmingMake sure everything works only upload.pdfFORTUNE2505
 
The Adventures of Huckleberry Finn was published twenty years after .pdf
The Adventures of Huckleberry Finn was published twenty years after .pdfThe Adventures of Huckleberry Finn was published twenty years after .pdf
The Adventures of Huckleberry Finn was published twenty years after .pdfFORTUNE2505
 
Step 1 You work for Thunderduck Custom Tables Inc. This is the first.pdf
Step 1 You work for Thunderduck Custom Tables Inc. This is the first.pdfStep 1 You work for Thunderduck Custom Tables Inc. This is the first.pdf
Step 1 You work for Thunderduck Custom Tables Inc. This is the first.pdfFORTUNE2505
 
Researchers argue about whether Oldowan toolmakers were hunters or s.pdf
Researchers argue about whether Oldowan toolmakers were hunters or s.pdfResearchers argue about whether Oldowan toolmakers were hunters or s.pdf
Researchers argue about whether Oldowan toolmakers were hunters or s.pdfFORTUNE2505
 
In Aristotles Poetics he speaks of epics and tragedies. How do.pdf
In Aristotles Poetics he speaks of epics and tragedies. How do.pdfIn Aristotles Poetics he speaks of epics and tragedies. How do.pdf
In Aristotles Poetics he speaks of epics and tragedies. How do.pdfFORTUNE2505
 
Name the type of chemical messenger is released from the axon termina.pdf
Name the type of chemical messenger is released from the axon termina.pdfName the type of chemical messenger is released from the axon termina.pdf
Name the type of chemical messenger is released from the axon termina.pdfFORTUNE2505
 
Marilee Jones, the former dean of admissions of the Massachusetts In.pdf
Marilee Jones, the former dean of admissions of the Massachusetts In.pdfMarilee Jones, the former dean of admissions of the Massachusetts In.pdf
Marilee Jones, the former dean of admissions of the Massachusetts In.pdfFORTUNE2505
 
Know how the complement of mRNAs in a cell can be assayed (in plants.pdf
Know how the complement of mRNAs in a cell can be assayed (in plants.pdfKnow how the complement of mRNAs in a cell can be assayed (in plants.pdf
Know how the complement of mRNAs in a cell can be assayed (in plants.pdfFORTUNE2505
 
In Module 5 the you are here slide indicates we are currently in.pdf
In Module 5 the you are here slide indicates we are currently in.pdfIn Module 5 the you are here slide indicates we are currently in.pdf
In Module 5 the you are here slide indicates we are currently in.pdfFORTUNE2505
 
Identify the role you believe mobile devices have on email investiga.pdf
Identify the role you believe mobile devices have on email investiga.pdfIdentify the role you believe mobile devices have on email investiga.pdf
Identify the role you believe mobile devices have on email investiga.pdfFORTUNE2505
 
I need to implement in c++ this non-List member function void print.pdf
I need to implement in c++ this non-List member function void print.pdfI need to implement in c++ this non-List member function void print.pdf
I need to implement in c++ this non-List member function void print.pdfFORTUNE2505
 
I have another assignment due for an advance java programming class .pdf
I have another assignment due for an advance java programming class .pdfI have another assignment due for an advance java programming class .pdf
I have another assignment due for an advance java programming class .pdfFORTUNE2505
 
4. Real gross domestic prodact A. measures the value of fimal goods a.pdf
4. Real gross domestic prodact A. measures the value of fimal goods a.pdf4. Real gross domestic prodact A. measures the value of fimal goods a.pdf
4. Real gross domestic prodact A. measures the value of fimal goods a.pdfFORTUNE2505
 
Hypothesis What is your hypothesis for the genetic characteristi.pdf
Hypothesis What is your hypothesis for the genetic characteristi.pdfHypothesis What is your hypothesis for the genetic characteristi.pdf
Hypothesis What is your hypothesis for the genetic characteristi.pdfFORTUNE2505
 
How is a process shown in a DFD(data flow diagramSolution Data.pdf
How is a process shown in a DFD(data flow diagramSolution Data.pdfHow is a process shown in a DFD(data flow diagramSolution Data.pdf
How is a process shown in a DFD(data flow diagramSolution Data.pdfFORTUNE2505
 

More from FORTUNE2505 (20)

Why would a manager be concerned with bandwidth How is bandwidth me.pdf
Why would a manager be concerned with bandwidth How is bandwidth me.pdfWhy would a manager be concerned with bandwidth How is bandwidth me.pdf
Why would a manager be concerned with bandwidth How is bandwidth me.pdf
 
Where would the Internet be today if the UNIX operating system did n.pdf
Where would the Internet be today if the UNIX operating system did n.pdfWhere would the Internet be today if the UNIX operating system did n.pdf
Where would the Internet be today if the UNIX operating system did n.pdf
 
What do you understand by degrees of Data AbstractionSolution.pdf
What do you understand by degrees of Data AbstractionSolution.pdfWhat do you understand by degrees of Data AbstractionSolution.pdf
What do you understand by degrees of Data AbstractionSolution.pdf
 
validity. (The Case lulTTtuT 2. Discuss the Economics of Effective Ma.pdf
validity. (The Case lulTTtuT 2. Discuss the Economics of Effective Ma.pdfvalidity. (The Case lulTTtuT 2. Discuss the Economics of Effective Ma.pdf
validity. (The Case lulTTtuT 2. Discuss the Economics of Effective Ma.pdf
 
Twitter had their IPO in 2013. Which of the following is not accurate.pdf
Twitter had their IPO in 2013. Which of the following is not accurate.pdfTwitter had their IPO in 2013. Which of the following is not accurate.pdf
Twitter had their IPO in 2013. Which of the following is not accurate.pdf
 
Use C programmingMake sure everything works only upload.pdf
Use C programmingMake sure everything works only upload.pdfUse C programmingMake sure everything works only upload.pdf
Use C programmingMake sure everything works only upload.pdf
 
The Adventures of Huckleberry Finn was published twenty years after .pdf
The Adventures of Huckleberry Finn was published twenty years after .pdfThe Adventures of Huckleberry Finn was published twenty years after .pdf
The Adventures of Huckleberry Finn was published twenty years after .pdf
 
Step 1 You work for Thunderduck Custom Tables Inc. This is the first.pdf
Step 1 You work for Thunderduck Custom Tables Inc. This is the first.pdfStep 1 You work for Thunderduck Custom Tables Inc. This is the first.pdf
Step 1 You work for Thunderduck Custom Tables Inc. This is the first.pdf
 
Researchers argue about whether Oldowan toolmakers were hunters or s.pdf
Researchers argue about whether Oldowan toolmakers were hunters or s.pdfResearchers argue about whether Oldowan toolmakers were hunters or s.pdf
Researchers argue about whether Oldowan toolmakers were hunters or s.pdf
 
In Aristotles Poetics he speaks of epics and tragedies. How do.pdf
In Aristotles Poetics he speaks of epics and tragedies. How do.pdfIn Aristotles Poetics he speaks of epics and tragedies. How do.pdf
In Aristotles Poetics he speaks of epics and tragedies. How do.pdf
 
Name the type of chemical messenger is released from the axon termina.pdf
Name the type of chemical messenger is released from the axon termina.pdfName the type of chemical messenger is released from the axon termina.pdf
Name the type of chemical messenger is released from the axon termina.pdf
 
Marilee Jones, the former dean of admissions of the Massachusetts In.pdf
Marilee Jones, the former dean of admissions of the Massachusetts In.pdfMarilee Jones, the former dean of admissions of the Massachusetts In.pdf
Marilee Jones, the former dean of admissions of the Massachusetts In.pdf
 
Know how the complement of mRNAs in a cell can be assayed (in plants.pdf
Know how the complement of mRNAs in a cell can be assayed (in plants.pdfKnow how the complement of mRNAs in a cell can be assayed (in plants.pdf
Know how the complement of mRNAs in a cell can be assayed (in plants.pdf
 
In Module 5 the you are here slide indicates we are currently in.pdf
In Module 5 the you are here slide indicates we are currently in.pdfIn Module 5 the you are here slide indicates we are currently in.pdf
In Module 5 the you are here slide indicates we are currently in.pdf
 
Identify the role you believe mobile devices have on email investiga.pdf
Identify the role you believe mobile devices have on email investiga.pdfIdentify the role you believe mobile devices have on email investiga.pdf
Identify the role you believe mobile devices have on email investiga.pdf
 
I need to implement in c++ this non-List member function void print.pdf
I need to implement in c++ this non-List member function void print.pdfI need to implement in c++ this non-List member function void print.pdf
I need to implement in c++ this non-List member function void print.pdf
 
I have another assignment due for an advance java programming class .pdf
I have another assignment due for an advance java programming class .pdfI have another assignment due for an advance java programming class .pdf
I have another assignment due for an advance java programming class .pdf
 
4. Real gross domestic prodact A. measures the value of fimal goods a.pdf
4. Real gross domestic prodact A. measures the value of fimal goods a.pdf4. Real gross domestic prodact A. measures the value of fimal goods a.pdf
4. Real gross domestic prodact A. measures the value of fimal goods a.pdf
 
Hypothesis What is your hypothesis for the genetic characteristi.pdf
Hypothesis What is your hypothesis for the genetic characteristi.pdfHypothesis What is your hypothesis for the genetic characteristi.pdf
Hypothesis What is your hypothesis for the genetic characteristi.pdf
 
How is a process shown in a DFD(data flow diagramSolution Data.pdf
How is a process shown in a DFD(data flow diagramSolution Data.pdfHow is a process shown in a DFD(data flow diagramSolution Data.pdf
How is a process shown in a DFD(data flow diagramSolution Data.pdf
 

Recently uploaded

Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 

Recently uploaded (20)

INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 

create your own Security Management Model using the NIST Special Pub.pdf

  • 1. create your own Security Management Model using the NIST Special Publication 800-14 and Evaluate and apply NIST SP 800-26. Solution NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12. The more significant points made in NIST SP 800-14 are as follows: 1)Security Supports the Mission of the Organization. 2)Security is an Integral Element of Sound Management. 3)Security Should Be Cost-Effective 4)Systems Owners Have Security Responsibilities Outside Their Own Organizations. 5)Security Responsibilities and Accountability Should Be Made Explicit. 6)Security Requires a Comprehensive and Integrated Approach. 7)Security Should Be Periodically Reassessed. 8)Security is Constrained by Societal Factors. It enumerates 33 principles for Securing Information Technology Systems: Principle 1. Establish a sound security policy as the “foundation” for design. Principle 2. Treat security as an integral part of the overall system design. Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies. Principle 4. Reduce risk to an acceptable level. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (Ensure no single point of vulnerability). Principle 8. Implement tailored system security measures to meet organizational security goals. Principle 9. Strive for simplicity. Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response. Principle 11. Minimize the system elements to be trusted.
  • 2. Principle 12. Implement security through a combination of measures distributed physically and logically. Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats. Principle 14. Limit or contain vulnerabilities. Principle 15. Formulate security measures to address multiple overlapping information domains. Principle 16. Isolate public access systems from mission critical resources. Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 18. Where possible, base security on open standards for portability and interoperability. Principle 19. Use common language in developing security requirements. Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations. Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process. Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains. Principle 23. Use unique identities to ensure accountability. Principle 24. Implement least privilege. Principle 25. Do not implement unnecessary security mechanisms. Principle 26. Protect information while being processed, in transit, and in storage. Principle 27. Strive for operational ease of use. Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability. Principle 29. Consider custom products to achieve adequate security. Principle 30. Ensure proper security in the shutdown or disposal of a system. Principle 31. Protect against all likely classes of “attacks.” Principle 32. Identify and prevent common errors and vulnerabilities. Principle 33. Ensure that developers are trained in how to develop secure software. NIST Special Publication 800-18 NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12.
  • 3. The more significant points made in NIST SP 800-14 are as follows: 1)Security Supports the Mission of the Organization. 2)Security is an Integral Element of Sound Management. 3)Security Should Be Cost-Effective 4)Systems Owners Have Security Responsibilities Outside Their Own Organizations. 5)Security Responsibilities and Accountability Should Be Made Explicit. 6)Security Requires a Comprehensive and Integrated Approach. 7)Security Should Be Periodically Reassessed. 8)Security is Constrained by Societal Factors. It enumerates 33 principles for Securing Information Technology Systems: Principle 1. Establish a sound security policy as the “foundation” for design. Principle 2. Treat security as an integral part of the overall system design. Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies. Principle 4. Reduce risk to an acceptable level. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (Ensure no single point of vulnerability). Principle 8. Implement tailored system security measures to meet organizational security goals. Principle 9. Strive for simplicity. Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response. Principle 11. Minimize the system elements to be trusted. Principle 12. Implement security through a combination of measures distributed physically and logically. Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats. Principle 14. Limit or contain vulnerabilities. Principle 15. Formulate security measures to address multiple overlapping information domains. Principle 16. Isolate public access systems from mission critical resources. Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 18. Where possible, base security on open standards for portability and interoperability. Principle 19. Use common language in developing security requirements. Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support
  • 4. incident investigations. Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process. Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains. Principle 23. Use unique identities to ensure accountability. Principle 24. Implement least privilege. Principle 25. Do not implement unnecessary security mechanisms. Principle 26. Protect information while being processed, in transit, and in storage. Principle 27. Strive for operational ease of use. Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability. Principle 29. Consider custom products to achieve adequate security. Principle 30. Ensure proper security in the shutdown or disposal of a system. Principle 31. Protect against all likely classes of “attacks.” Principle 32. Identify and prevent common errors and vulnerabilities. Principle 33. Ensure that developers are trained in how to develop secure software. NIST Special Publication 800-18 NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12. The more significant points made in NIST SP 800-14 are as follows: 1)Security Supports the Mission of the Organization. 2)Security is an Integral Element of Sound Management. 3)Security Should Be Cost-Effective 4)Systems Owners Have Security Responsibilities Outside Their Own Organizations. 5)Security Responsibilities and Accountability Should Be Made Explicit. 6)Security Requires a Comprehensive and Integrated Approach. 7)Security Should Be Periodically Reassessed. 8)Security is Constrained by Societal Factors. It enumerates 33 principles for Securing Information Technology Systems: Principle 1. Establish a sound security policy as the “foundation” for design. Principle 2. Treat security as an integral part of the overall system design.
  • 5. Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies. Principle 4. Reduce risk to an acceptable level. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (Ensure no single point of vulnerability). Principle 8. Implement tailored system security measures to meet organizational security goals. Principle 9. Strive for simplicity. Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response. Principle 11. Minimize the system elements to be trusted. Principle 12. Implement security through a combination of measures distributed physically and logically. Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats. Principle 14. Limit or contain vulnerabilities. Principle 15. Formulate security measures to address multiple overlapping information domains. Principle 16. Isolate public access systems from mission critical resources. Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 18. Where possible, base security on open standards for portability and interoperability. Principle 19. Use common language in developing security requirements. Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations. Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process. Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains. Principle 23. Use unique identities to ensure accountability. Principle 24. Implement least privilege. Principle 25. Do not implement unnecessary security mechanisms. Principle 26. Protect information while being processed, in transit, and in storage. Principle 27. Strive for operational ease of use. Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
  • 6. Principle 29. Consider custom products to achieve adequate security. Principle 30. Ensure proper security in the shutdown or disposal of a system. Principle 31. Protect against all likely classes of “attacks.” Principle 32. Identify and prevent common errors and vulnerabilities. Principle 33. Ensure that developers are trained in how to develop secure software. NIST Special Publication 800-26 Management Controls 1. Risk Management 2. Review of Security Controls 3. Life Cycle Maintenance 4. Authorization of Processing (Certification and Accreditation) 5. System Security Plan Operational Controls 6. Personnel Security 7. Physical Security 8. Production, Input/Output Controls 9. Contingency Planning 10. Hardware and Systems Software 11. Data Integrity 12. Documentation 13. Security Awareness, Training, and Education 14. Incident Response Capability Technical Controls 15. Identification and Authentication 16. Logical Access Controls 17. Audit Trails NIST SP 800-26 - Security Self-Assessment Guide for Information Technology Systems describes seventeen areas that span managerial, operational and technical controls. The 17 areas listed are the core of the NIST security management structure. NIST Special Publication 800-30 NIST SP 800-30 - Risk Management Guide for Information Technology Systems provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks.