NIST issues 2 draft publications on IT security risk management
Two draft publications from the National Institute of Standards and Technology (NIST) lay the groundwork for a three-tiered risk-management approach that encompasses computer security risk planning from the highest levels of management to the level of individual systems.
The publications, which were released for public comment, are part of NIST's risk management guidelines, developed in support of the Federal Information Security Management Act (FISMA) and intended to be adopted government-wide to improve the security of government systems and information. Both call for upper-level management to understand that information security is a key component of mission-critical functions and that top managers need to manage information security risk in coordination with CIOs, chief information security officers and system owners to meet the organization's goals, according to NIST.
Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View (Special Publication 800-39) is the capstone document that applies a new perspective on how federal agencies and their contractors should manage information security risk, according to a NIST statement.
The new approach is important as organizations, including healthcare organizations, address advanced persistent threats, which have the potential to degrade or debilitate federal information systems that support critical applications and operations of the federal government, NIST stated.
SP 800-39, once finalized, will supersede Risk Management Guide for Information Technology Systems (SP 800-30) as the source for guidance on risk management, the institute stated. A revised version of SP 800-30 will provide guidance on risk assessment consistent with SP 800-39 and is expected to be published in 2011.
SP 800-39 is available here.
NIST is accepting comments on the draft of SP 800-39 until Jan. 25. Comments can be sent to sec-cert@nist.gov.
The initial public draft of a second new NIST publication, Information Security Continuous Monitoring for Federal Information Systems and Organizations (Special Publication 800-137), is a guide to developing and implementing a comprehensive continuous monitoring strategy for computer security risk management using a three-tiered approach: organization level, mission/business level and system level.
SP 800-137 is available here.
Comments on this draft can be sent to 800-137comments@nist.gov through March 15.