[ISN] ITL Bulletin for June 2004

From: InfoSec News (isn@private)
Date: Wed Jun 16 2004 - 05:46:43 PDT

  • Next message: InfoSec News: "[ISN] Blackout hits major Web sites"

    Forwarded from: Elizabeth Lennon <elizabeth.lennon@private>
    Shirley Radack, Editor
    Computer Security Division
    Information Technology Laboratory
    National Institute of Standards and Technology
    Technology Administration
    U.S. Department of Commerce
    Organizations often need expert assistance in maintaining and
    improving the security of their information technology (IT) systems.
    Whether they get this assistance from internal sources or from
    commercial vendors of security services, organizations must review and
    evaluate the sources before committing to service agreements. A
    carefully managed process can help assure that sound decisions are
    made and that system security is strengthened.
    Guide to Information Technology Security Services
    NIST's Information Technology Laboratory recently published NIST
    Special Publication (SP) 800-35, Guide to Information Technology
    Security Services, Recommendations of the National Institute of
    Standards and Technology, which provides guidance to help
    organizations negotiate the many complexities and challenges in
    selecting information technology security services. Written by Tim
    Grance, Joan Hash, Marc Stevens, Kristofor O'Neal, and Nadya Bartol,
    NIST SP 800-35 helps those who are responsible for selecting,
    implementing, and managing their organization's IT security services.
    NIST recommends that organizations adopt systematic evaluation and
    decision processes to guide their selection of IT security services
    and to satisfy their security requirements. This ITL Bulletin
    summarizes the new IT services selection guide.
    The foundation for the selection of IT security services is a
    comprehensive information security management program, including risk
    management procedures that are applied throughout the System
    Development Life Cycle (SDLC). This same process also underlies the
    selection of IT security products, the focus of our April 2004 ITL
    Bulletin covering NIST SP 800-36, Guide to Selecting Information
    Technology Security Products.
    NIST SP 800-35 discusses the roles and responsibilities of the people
    within an organization who select, implement and manage the security
    services life cycle. It provides an overview of the security services
    life cycle and describes the issues to be addressed concerning
    security services.  Examples of specific services are described. The
    appendices include lists of references and acronyms, an outline of a
    security services provider agreement, sample acquisition language, and
    answers to frequently asked questions.
    The services selection guide is available in electronic format from
    the NIST Computer Security Resource Center at
    http://csrc.nist.gov/publications. When used with other NIST
    publications, including those listed in the More Information section
    at the end of this bulletin, the guide will help organizations develop
    a comprehensive approach to organizing their overall IT security
    efforts, managing risks, and using IT security services.
    People Responsible For Security Services
    The people responsible for selecting, implementing, and managing
    services within an organization will vary depending upon the type and
    scope of the service needed, the service arrangement, and the size of
    the organization.  Larger organizations that use external security
    service providers extensively will have different requirements and
    more people involved than smaller organizations with more limited
    The people who may be involved in the process include the following:
    * Chief Information Officer, who is responsible for the organization's
    IT planning, budgeting, investment, performance, and acquisition;
    * Contracting Officer, who has authority to enter into, administer,
    and terminate contracts;
    * Contracting Officer's Technical Representative, who is appointed by
    the Contracting Officer to manage the technical aspects of a
    particular contract;
    * IT Investment Board (or equivalent), which is responsible for
    planning and for managing the capital planning and investment control
    process for federal agencies, as specified in the Information
    Technology Management Reform Act of 1996 (Clinger-Cohen Act);
    * IT Security Program Manager, who is responsible for developing
    enterprise standards for IT security, coordinating and performing
    system risk analyses, analyzing alternatives for minimizing risks, and
    supporting the acquisition of appropriate security solutions;
    * IT System Security Officer, who is responsible for ensuring the
    security of an information system throughout its life cycle;
    * Program Manager, who owns the data, initiates the procurement, is
    involved in strategic planning and is aware of functional services
    * Privacy Officer, who assures that the service and service
    arrangement meet privacy policies regarding the protection,
    dissemination, and disclosure of information; and/or
    * Other participants, who may include the system certifier and
    accreditor, system users, and people representing information
    technology, configuration management, design, engineering, and
    facilities groups.
    IT Security Life Cycle
    The SDLC provides the framework that enables the IT security decision
    makers to organize their IT security efforts-from initiation to
    closeout. The systematic management of the IT security services
    process fits into this framework. The organization's IT security is
    critically dependent upon the careful consideration of the many issues
    connected to security services, and to the prudent management of
    organizational risks. IT security decision makers must think about the
    costs involved and the underlying security requirements, as well as
    the potential impact of their decisions on the organizational mission,
    operations, strategic functions, personnel, and service provider
    The selection, implementation, and management of security services are
    included in the following six phases of the IT security life cycle:
    * Phase 1: Initiation-the organization determines if it should
    investigate whether implementing an IT security service might improve
    the effectiveness of the organization's IT security program.
    * Phase 2: Assessment-the organization determines the security posture
    of the current environment using metrics and identifies the
    requirements and viable solutions.
    * Phase 3: Solution-decision makers evaluate potential solutions,
    develop the business case, and specify the attributes of an acceptable
    service arrangement solution from the set of available options.
    * Phase 4: Implementation-the organization selects and engages the
    service provider, develops a service arrangement, and implements the
    * Phase 5: Operations-the organization ensures operational success by
    consistently monitoring service provider and organizational security
    performance against identified requirements, periodically evaluating
    changes in risks and threats to the organization and ensuring the
    organizational security solution is adjusted as necessary to maintain
    an acceptable security posture.
    * Phase 6: Closeout-the organization ensures a smooth transition as
    the service ends or is discontinued.
    Security Services:  Issues and Types
    The factors to be considered when selecting, implementing, and
    managing IT security services include the type of service arrangement;
    service provider qualifications, operational requirements and
    capabilities, experience, and viability; trustworthiness of service
    provider employees;  and the service provider's capability to deliver
    adequate protection for the organization systems, applications, and
    information. These considerations will apply to some degree to every
    service depending on the size, type, complexity, cost, and criticality
    of the services being considered and the specific needs of the
    organization implementing or contracting for the services.
    An effective security program has many layers of protection. Using
    risk management procedures, organizations should evaluate the value of
    their systems and their information, and then select the security
    controls that are appropriate for the determined levels of risk.
    Security programs at both the organizational and system levels should
    include an appropriate mix of management, operational, and technical
    controls. Technical controls alone are not sufficient for robust
    Security services can be obtained to assist organizations in
    addressing these management, operational, and technical issues:
    * Management Services:  Techniques and concerns normally addressed by
    management in the organization's information security program,
    including managing risks. These services help organizations develop
    and maintain their security programs, effectively implement and
    evaluate their programs, develop security architectures, and evaluate
    IT security products.
    * Operational Services:  Services focused on controls implemented and
    executed by people, often requiring technical or specialized expertise
    and relying on management activities and technical controls. These
    services include assistance with contingency planning, the
    establishment of incident handling processes, the testing of security
    controls, and conducting security training.
    * Technical Services:  Services focused on the security controls that
    a system executes, and dependent on the proper function of the system
    for effectiveness.  These services include firewall installation and
    maintenance, intrusion detection systems, and the design and
    development of a Public Key Infrastructure (PKI) system.
    While not every available security service is discussed in the guide,
    the issues and considerations related to the services life cycle are
    presented. These issues and considerations should be useful in meeting
    current needs and in addressing future needs as technology changes.
    NIST Recommendations
    NIST recommends that organizations planning to acquire IT security
    services should:
    * Develop careful, objective business cases. The need for an IT
    security service should be supported by the business needs of the
    organization. A business case containing an analysis of the proposed
    solution, cost estimate, benefits analysis, project risk analysis, and
    an evaluation of other considered alternatives should provide
    sufficient documentation to describe and support these needs.
    * Develop strong, specific service agreements that define the
    expectations of performance for each required security control,
    describe measurable outcomes, and identify remedies and response
    requirements for any identified instances of noncompliance.
    * Use metrics throughout the IT security life cycle.  Metrics will
    provide the objective data to evaluate the baseline level of service
    in the assessment phase and assess service provider performance in the
    operations phase. Wherever possible, metrics should be selected to
    indicate progress toward the achievement or maintenance of a security
    condition that meets an underlying organizational need.
    * Develop processes and procedures that can effectively track the
    myriad service agreements and the metrics that will be applied
    throughout the life cycle of the many different and disparate IT
    security services within an organization.
    * Ensure that an appropriate transition (bedding in) period is in
    place between an existing service provider or capability and the new
    service provider.
    * Maintain the technical expertise necessary to understand and manage
    the security service being provided and to protect the data critical
    to an organization's mission.
    * Pay careful attention to six issue areas:  strategy/mission,
    budget/funding, technology/architecture, organization, personnel, and
    More Information
    Federal organizations should consult OMB Circular A-76, Performance of
    Commercial Activities, for information on establishing the foundation
    for decisions concerning whether activities should be performed under
    contract with a commercial activity or performed in-house using
    government facilities and personnel.
    For a complete list of references to publications and web pages with
    information that can help you in selecting, implementing, and managing
    IT security services, consult Appendix A of NIST SP 800-35.
    NIST Special Publications, including the following, are available in
    electronic format from the Computer Security Resource Center at
    NIST SP 800-12, An Introduction to Computer Security: The NIST
    Handbook, provides guidance on the fundamentals of information system
    security and an introduction to the selection of security controls and
    NIST SP 800-16, Information Technology Security Training Requirements:
    A Role- and Performance-Based Model, explains a framework for IT
    security training requirements and emphasizes results-based learning.
    NIST SP 800-18, Guide for Developing Security Plans for Information
    Technology Systems, discusses developing and updating security plans.
    NIST SP 800-23, Guideline to Federal Organizations on Security
    Assurance and Acquisition/Use of Tested/Evaluated Products, discusses
    the concept of assurance in the acquisition and use of security
    NIST SP 800-25, Federal Agency Use of Public Key Technology for
    Digital Signatures and Authentication, assists federal agencies in
    using PKI for digital signatures and authentication over open
    NIST SP 800-30, Risk Management Guide for Information Technology
    Systems, discusses the risk-based approach to security and provides
    guidance on conducting risk assessments.
    NIST SP 800-31, Intrusion Detection Systems (IDS), and NIST SP 800-41,
    Guidelines on Firewalls and Firewall Policy, provide information on
    using and deploying IDSs and firewalls.
    NIST SP 800-32, Introduction to Public Key Technology and the Federal
    PKI Infrastructure, advises federal organizations on how to determine
    if a PKI is appropriate for them and how to use PKI services
    NIST SP 800-33, Underlying Technical Models for Information Technology
    Security, provides information on IT security engineering principles
    and concepts for IT systems.
    NIST SP 800-34, Contingency Planning Guide for Information Technology
    Systems, guides organizations in preparing and maintaining IT
    contingency plans.
    NIST SP 800-36, Guide to Selecting Information Technology Security
    Products, helps organizations select cost-effective and useful
    products for their IT systems.
    NIST SP 800-37, Guide for the Security Certification and Accreditation
    of Federal Information Systems, describes the fundamental concepts of
    the certification and accreditation processes, and details the various
    tasks in the processes.
    NIST SP 800-42, Guideline on Network Security Testing, describes
    available security testing techniques, their strengths and weaknesses,
    and the recommended frequencies for testing as well as strategies for
    deploying network security testing.
    NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth, and
    Handheld Devices, discusses wireless security issues for local area
    networks, personal area networks, and handheld devices.
    NIST SP 800-50, Building an Information Technology Security Awareness
    and Training Program, provides guidelines to help federal
    organizations meet their security training responsibilities and build
    a comprehensive awareness and training program.
    NIST SP 800-53, Recommended Security Controls for Federal Information
    Systems, provides information about selecting security controls to
    meet the security requirements for the system (available in draft at
    NIST SP 800-55, Security Metrics Guide for Information Technology
    Systems, helps organizations understand the importance of using
    metrics and developing a metrics program.
    NIST SP 800-64, Security Considerations in the Information System
    Development Life Cycle, discusses the analysis of system security
    requirements and methods for incorporating security into IT
    Any mention of commercial products or reference to 
    commercial organizations is for information only; it does 
    not imply recommendation or endorsement by NIST nor does it 
    imply that the products mentioned are necessarily the best 
    available for the purpose.
    Elizabeth B. Lennon
    Information Technology Laboratory
    National Institute of Standards and Technology
    100 Bureau Drive, Stop 8900
    Gaithersburg, MD 20899-8900
    Telephone (301) 975-2832
    Fax (301) 840-1357
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Wed Jun 16 2004 - 06:25:58 PDT