The document provides guidance on implementing a National Institute of Standards and Technology (NIST) framework for local governments. It discusses key elements of establishing a successful certification and accreditation (C&A) program, including developing a business case, setting goals and milestones, providing oversight, maintaining visibility, allocating resources, developing guidance documents, integrating the program, establishing points of contact, measuring progress, and tracking activities and compliance. The overall guidance emphasizes project management best practices for planning and implementing an effective C&A program based on NIST standards.
6. Question
How do you explain to someone who does not understand firewalls that your organization has done everything it should to protect itself?
How do you demonstrate due diligence in IT?
7. Solution
The only way to show someone who does not understand the technical aspects that you have done everything you should is to show that you follow an industry standard.
The only way to show due diligence is to use an industry standard.
An industry standard is one that has been properly vetted by professionals or authorities.
8. Following a standard
Actions and needs are explainable and defensible
Helps when you need to fight for resources
In accounting you have GAAP; in IT you have NIST
9. NIST
There is no compulsory IT standard required for local governments.
The National Institute of Standards and Technology (NIST) encourages state, local and tribal governments to consider the use of its guidelines, as appropriate.
By adopting NIST standards, a local government demonstrates due diligence.
"State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate."
- NIST SP 800-37 Rev 1 pg 11
11. Other Standards
Yes, there are other standards:
PCI
ISO 27002 (formerly ISO 17799)
COBIT
Etc.
If a local government is ever required to follow a standard, it would be NIST.
NIST is recommended by the DOJ for local police.
NIST is a government-friendly standard, and its publications are freely available.
12. PCI & NIST
PCI has a narrow focus (just cardholder data).
NIST has a broad focus (all of IT).
If you focus on PCI only, you may sacrifice other areas.
If you implement a standard like NIST you are roughly 90% of the way there for PCI (you still need to map your controls to the PCI requirements and complete PCI's own assessment).
If a new regulation comes up, you are already prepared.