[ISN] NIST issues security drafts

From: InfoSec News (isn@private)
Date: Tue Sep 23 2003 - 08:01:24 PDT


    Forwarded from: William Knowles <wk@private>

    By Diane Frank
    Sept. 22, 2003

    The National Institute of Standards and Technology last week released
    drafts of two security publications to help agencies define the levels
    of security necessary for different types of information systems and
    establish or fine-tune processes for handling security incidents.

    The final draft of Federal Information Processing Standard (FIPS) 199,
    "Standards for Security Categorization of Federal Information and
    Information Systems," [1] is the first step in a series of standards,
    guidelines and requirements mandated under the Federal Information
    Security Management Act (FISMA) of 2002. The standard, released Sept.
    17, outlines ways to link different types of federal information and
    systems, and the risks each faces. NIST will later tie this to
    guidance for the appropriate level of security, depending on the
    assigned level of risk.

    The standard focuses on three security areas for information and
    systems: confidentiality, integrity and availability. It then defines
    three levels of potential impact on organizations or individuals if
    any of those security areas are compromised.

    Assigning a level of risk is not a clear-cut process, because it must
    be considered in the context of each agency, states the draft, which
    includes several examples of how to apply the three security areas and
    three impact levels. The document, for instance, discusses the
    difference between a system that needs high availability but holds
    information that needs only low confidentiality measures, and a system
    that can be offline for a period of time but needs both high
    confidentiality and integrity for its information.

    The institute on Sept. 15 released a draft of the Computer Security
    Incident Handling Guide (Special Publication 800-61) [2], intended to
    help agencies meet a FISMA requirement to establish some level of
    incident handling capability and report to the Office of Management
    and Budget and the Federal Computer Incident Response Center.

    Incident response centers are receiving a lot of attention now because
    of the number and severity of recent attacks, such as the Blaster worm
    and SoBig.F virus that surfaced last month. Many agencies already have
    such capabilities, but the latest guide is designed to help existing
    and new organizations.

    It outlines best practices within a response center, common policies
    to work with outside partners, and examples of how a response center
    fits within an agency's larger technology and policy structure.

    The guidance is designed for chief information officers and their
    security staffs, and details sharing information, addressing morale
    issues, the benefits and pitfalls of having an employee-staffed
    response center or one that is partially outsourced, and other issues.

    Comments on the draft guidance may be sent to NIST by Oct. 15 at

    [1] http://csrc.nist.gov/publications/drafts/draft-fips-pub-199.pdf
    [2] http://csrc.nist.gov/publications/drafts/draft_sp800-61.pdf

    "Communications without intelligence is noise; Intelligence
    without communications is irrelevant." Gen. Alfred M. Gray, USMC
    C4I.org - Computer Security & Intelligence - http://www.c4i.org
    Help C4I.org with a donation: http://www.c4i.org/contribute.html

    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Sep 23 2003 - 11:53:15 PDT