[ISN] NIST prepping security guides

From: InfoSec News (isnat_private)
Date: Mon Jan 28 2002 - 00:58:23 PST


    By Diane Frank
    Jan. 28, 2002

    The National Institute of Standards and Technology's security team
    will be releasing more than 30 guides over the coming year to help
    agencies with many crucial technical and policy security concerns,
    officials said last week.

    The NIST Computer Security Resource Center released four draft guides
    for comment during the past two months, addressing telecommuting
    security, information technology contingency plans, securely
    connecting IT systems, and using common definitions for security
    vulnerabilities. Under the Computer Security Act of 1987, NIST serves
    as the primary technical resource for civilian agencies.

    But those four guides are only the beginning of what will be a very
    busy year for the center and its contractors. In fiscal 2002, they
    plan to release almost three times the usual number of guides, said
    Tim Grance, manager of the systems and network security group.

    These guides, including those listed below, will be grouped into four

    * Broad guidance in high-impact areas, such as incident handling,
      security certification and accreditation, security metrics and
      determining security return on investment.

    * Procurement strategy, including a user guide for understanding the
      Common Criteria international evaluation scheme and a guide to
      procuring managed security services.

    * Point solutions for technical and policy areas, such as applying
      security patches, securing public Web servers, smart cards,
      public-key infrastructure directories, and e-mail security issues
      and solutions.

    * Security of emerging technologies, particularly securing wireless

    All of the NIST guides will be released for comment to help fine-tune
    them for agency needs, and the center is always looking for assistance
    in determining whether it is focusing on the right areas to be of
    assistance to agencies, Grance said.

    In addition, the center plans to release in March an automated tool to
    help agencies perform security self-assessments, based on a guide
    released last year in partnership with the federal CIO Council's
    Federal IT Security Assessment Framework. In January 2001, the Office
    of Management and Budget recommended agencies use the framework and
    guide as the basis for the self-assessments required under the
    Government Information Security Reform Act.

    The center's staff members also will be reviewing existing guides and
    standards to ensure consistency with current legislation and policy,
    discover if there is any redundancy, and determine the need for
    additional guidance beyond what is already planned, said Joan Hash,
    director of the center's security, management and guidance group.

    This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 04:08:03 PST