Cybersecurity Guidance Promotes Unified Information Security Framework
August 6, 2009 // Published as a news service by IHS
In a step toward creating a unified information security framework for the U.S. federal government, the National Institute of Standards and Technology (NIST) released the final version of Revision 3 of NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems and Organizations.
According to NIST, information systems at U.S. government civilian agencies have historically operated under a different set of security controls than military and intelligence information systems.
The unified framework, said NIST, will result in the defense, intelligence and civil communities using a common catalog of controls and a common strategy to protect critical federal information systems and their supporting infrastructure.
The NIST recommendations were developed based on several guiding principles, including conformance to the minimum security requirements for federal information systems set out in Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. The controls in the publication are organized into low-, moderate- and high-impact baselines that are selected according to the security categorization of a system under FIPS 199, Standards for Security Categorization of Federal Information and Information Systems.
According to the recommendations, an effective information security program should include:
- Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems that support the operations and assets of the organization.
- Policies and procedures based on risk assessments that cost-effectively reduce information security risks to an acceptable level and address information security throughout the life cycle of each organizational information system.
- Plans for providing adequate information security for networks, facilities, information systems or groups of information systems, as appropriate.
- Security awareness training to inform personnel (including contractors and other users) of the information security risks associated with their activities and their responsibilities in complying with organizational policies and procedures designed to reduce these risks.
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices and security controls, performed with a frequency depending on risk but no less than annually.
- A process for planning, implementing, evaluating and documenting remedial actions to address deficiencies in the information security policies, procedures and practices of the organization.
- Procedures for detecting, reporting and responding to security incidents.
- Plans and procedures for continuity of operations for information systems that support the operations and assets of the organization.
"This final publication represents a solidification of the partnership between the (U.S.) Department of Defense, the intelligence community and NIST and their efforts to bring common security solutions to the federal government and its support contractors," said Ron Ross of NIST's computer security division.
"The aim is to provide greater protection for federal information systems against cyber attacks."
The recommendations may be found on the website of NIST's Computer Security Resource Center.
Source: National Institute of Standards and Technology (NIST).