Engineering Principles for Information Technology Security (A Baseline for Achieving Security)
NIST has completed Revision A of NIST Special Publication 800-27, Engineering Principles for Information Technology Security (A Baseline for Achieving Security). In response to public comments received after the release of the original document, Revision A updates SP 800-27 by grouping principles into categories to facilitate understanding and use.
Read the Article
COBIT Mapping
COBIT (Control Objectives for Information and related Technology) was originally released as an IT process and control framework linking IT to business requirements. It was initially used mainly by the assurance community, working with business and IT process owners. Beginning with the addition of the Management Guidelines in 1998, COBIT has increasingly been used as a framework for IT governance, providing management tools such as metrics and maturity models to complement the control framework.
Read the Article
NIST - Security Metrics Guide for Information Technology Systems
This document provides guidance on how an organization can use metrics to assess the adequacy of its in-place security controls, policies, and procedures. The approach helps management decide where to invest additional security resources and identify and evaluate unproductive controls. It explains the process of developing and implementing metrics and how that process can be used to justify security control investments. An effective metrics program yields data for directing the allocation of information security resources and simplifies the preparation of performance-related reports.
Read the Article
Using a Capability Maturity Model to Derive Security Requirements
The Systems Security Engineering Capability Maturity Model (SSE-CMM) provides industry best-practice guidance without prescribing how security solutions are implemented. A security engineer is often assigned to a project whose security objectives are already defined, but is occasionally tasked with defining them from the start. That assignment is significant because of the role the engineer plays, but also daunting because the solution space is large. The SSE-CMM's broad list of "base practices" gives the engineer a starting point for defining the objectives of the security implementation. This paper discusses the use of those base practices in forming security requirements.
Read the Article
The New Common Criteria Security Evaluation Scheme and the Windows 2000 Evaluation
The Common Criteria (CC) certification awarded to Windows 2000 affects everyone who uses, deploys, and manages Windows 2000-based infrastructures. Common Criteria provides a defined level of assurance by applying a consistent, stringent, and independently verified set of evaluation requirements. It also gives customers detailed information on configuring Windows 2000 for higher security in their actual implementation and deployment.
Read the Article
NIST - Guide for Mapping Types of Information and Information Systems to Security Categories
Types of information can normally be divided into information associated with administrative activities common to most agencies and information associated with an agency's mission-specific activities; this guideline refers to administrative, management, and support information collectively as management and support information. The guideline is less prescriptive for mission-based information than for management and support information, because mission information types vary far more from agency to agency. Specific management and support information types are therefore identified in the guideline, while the treatment of mission-based information focuses on general guidance for identifying information types and assigning impact levels.
Read the Article
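The guideline's end product is a security category for a system, built from the impact levels of the information types it handles. The following is an added example, not code from NIST or from the guideline: it applies the FIPS 199 high-water-mark rule (per objective, the highest impact across all information types, with NA allowed only for confidentiality of public information and a floor of LOW at the system level) and lets an agency record a documented adjustment to a provisional level. The information types, their impact levels, and the adjustment rationale are constructed for illustration and are not taken from the guideline's tables.

```python
"""Security categorization of a system from its information types.

Added example (not NIST code): implements the FIPS 199 high-water-mark
aggregation that SP 800-60's per-type impact levels feed into.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Impact levels in rank order; max() over ranks is the high-water mark.
RANK = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL = {rank: name for name, rank in RANK.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional (C, I, A) impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def level(self, objective: str) -> str:
        return getattr(self, objective)


# (type name, objective) -> (adjusted level, documented rationale)
Adjustments = Dict[Tuple[str, str], Tuple[str, str]]


def effective_level(info_type: InfoType, objective: str,
                    adjustments: Optional[Adjustments] = None) -> str:
    """Provisional level, unless an adjustment with a rationale is recorded."""
    adjusted = (adjustments or {}).get((info_type.name, objective))
    if adjusted is not None:
        level, rationale = adjusted
        if level not in RANK or not rationale.strip():
            raise ValueError(
                f"adjustment for {info_type.name}/{objective} needs a valid level and a rationale")
        return level
    level = info_type.level(objective)
    if level not in RANK:
        raise ValueError(f"unknown impact level {level!r} for {info_type.name}")
    # NA is only meaningful for confidentiality of public information.
    if level == "NA" and objective != "confidentiality":
        raise ValueError(f"NA is not allowed for {objective} ({info_type.name})")
    return level


def system_category(types: List[InfoType],
                    adjustments: Optional[Adjustments] = None) -> Dict[str, str]:
    """SC = {(C, x), (I, y), (A, z)}: per objective, the highest effective
    level across all information types. A system never carries NA; LOW is the floor."""
    if not types:
        raise ValueError("a system must carry at least one information type")
    category = {}
    for objective in OBJECTIVES:
        top = max(RANK[effective_level(t, objective, adjustments)] for t in types)
        category[objective] = LEVEL[max(top, RANK["LOW"])]
    return category


def overall_impact(category: Dict[str, str]) -> str:
    """Overall impact level used to select a control baseline: the highest objective."""
    return LEVEL[max(RANK[category[o]] for o in OBJECTIVES)]


# Constructed sample input (not from the guideline's tables): a public-facing
# site that also processes personnel records.
SAMPLE_TYPES = [
    InfoType("public web content", "NA", "LOW", "LOW"),
    InfoType("personnel records", "MODERATE", "MODERATE", "LOW"),
]

# Constructed adjustment: the agency treats the site as its primary channel to
# the public, so an outage is a moderate rather than low impact.
SAMPLE_ADJUSTMENTS: Adjustments = {
    ("public web content", "availability"):
        ("MODERATE", "primary public contact channel; an outage halts service delivery"),
}

if __name__ == "__main__":
    base = system_category(SAMPLE_TYPES)
    print("provisional:", base, "->", overall_impact(base))
    adjusted = system_category(SAMPLE_TYPES, SAMPLE_ADJUSTMENTS)
    print("adjusted:   ", adjusted, "->", overall_impact(adjusted))
```

The adjustment path is deliberately strict: a raised or lowered level without a recorded rationale is rejected, which mirrors the guideline's expectation that departures from provisional impact levels are documented rather than silently applied.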
Site Security Handbook
This handbook (RFC 2196) is a guide to developing computer security policies and procedures for sites that have systems on the Internet. Its purpose is to provide practical guidance to administrators trying to secure their information and services. The subjects covered include policy content and formation, a broad range of technical system and network security topics, and security incident response.
Read the Article
Information Security Gets a Seat at the Table
Basel II, like many complex issues, requires interdisciplinary skills, and information security professionals have much to contribute: the issues, the practices, and even parts of the language are familiar. To be effective, however, information security professionals need to do a better job of learning the "local language" of the industry they serve.
Read the Article
An Introduction to Certification and Accreditation
This paper examines the certification and accreditation (C&A) process, the guidance that helps define the security requirements, and the responsible parties and their roles, to provide a basic understanding of C&A.
Read the Article
The Trusted PC: Current Status of Trusted Computing
This paper, focusing on the Trusted Computing Group's standards, provides an overview of trusted computing as it stands today: its methods, applications, possible pitfalls, and current implementations.
Read the Article