
What Is Information Technology Security

OMB A-11 Area                       NIST SP 800-26 Topic Area                   Implementation Guidance
----------------------------------  ------------------------------------------  ----------------------------------------
Risk Assessment                     1. Risk Management                          ~ NIST SP 800-30, Risk Management Guide for Information Technology Systems

Security Planning and Policy        5. System Security Plan                     ~ NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems

Certification and Accreditation     4. Authorize Processing (C&A)               ~ Draft NIST SP 800-37, Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems
                                                                                ~ NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

Specific management, operational,   11. Data Integrity                          ~ NIST SP 800-53 (under development), Minimum Security Controls for Federal Information Security Systems
and technical security controls     16. Logical Access Controls                 ~ NIST SP 800-5, A Guide to the Selection of Anti-Virus Tools and Techniques
                                                                                ~ NIST SP 800-7, Security in Open Systems
                                                                                ~ NIST SP 800-10, Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
                                                                                ~ NIST SP 800-19, Mobile Agent Security
                                                                                ~ NIST SP 800-8, Security Issues in the Database Language SQL
                                                                                ~ NIST SP 800-11, The Impact of the FCC's Open Network Architecture on NS/EP Telecommunications Security
                                                                                ~ NIST SP 800-13, Telecommunications Security Guidelines for Telecommunications Management Network
                                                                                ~ NIST SP 800-24, PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
                                                                                ~ NIST SP 800-28, Guidelines on Active Content and Mobile Code

Authentication or cryptographic     15. Identification and Authentication       ~ NIST SP 800-21, Guideline for Implementing Cryptography in the Federal Government
applications                                                                    ~ NIST SP 800-25, Federal Agency Use of Public Key Technology for Digital Signatures and Authentication
                                                                                ~ NIST SP 800-29, A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2
                                                                                ~ FIPS 140-2, Security Requirements for Cryptographic Modules
                                                                                ~ FIPS 83, Guideline on User Authentication Techniques for Computer Network Access Control
                                                                                ~ FIPS 112, Standard on Password Usage

Education, awareness, and training  13. Security Awareness, Training, and       ~ NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
                                    Education                                   ~ Second Draft NIST SP 800-50, Building an Information Technology Security Awareness and Training Program

System reviews/evaluations          2. Review of Security Controls              ~ Draft NIST SP 800-42, Guideline on Network Security Testing
(inc. ST&E)                                                                     ~ NIST SP 800-53A (under development), Techniques and Procedures for the Verification of Security Controls in Federal Information Security Systems

Oversight or compliance                                                         ~ Draft NIST SP 800-35, Guide to Information Technology Security Services
inspections                                                                     ~ NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems
                                                                                ~ NIST SP 800-23, Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products

Development or maintenance of       3. Life Cycle                               ~ OMB FISMA Reporting Guidance
agency reports to OMB and           2. Review of Security Controls
corrective action plans as they
pertain to the specific investment

Contingency planning and testing    9. Contingency Planning                     ~ NIST SP 800-34, Contingency Planning Guide for Information Technology Systems
                                                                                ~ FIPS 87, Guidelines for ADP Contingency Planning

Physical and environmental          8. Production, Input/Output Controls        ~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
controls for HW and SW                                                          ~ FIPS 31, Guidelines for ADP Physical Security and Risk Management

Auditing and monitoring             17. Audit Trails                            ~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
                                                                                ~ NIST SP 800-6, Automated Tools for Testing Computer System Vulnerability
                                                                                ~ NIST SP 800-31, Intrusion Detection Systems (IDS)
                                                                                ~ Guide to Self-Testing Networks (under development)

Computer security investigations    14. Incident Response Capability            ~ NIST SP 800-3, Establishing a Computer Security Incident Response Capability (CIRC)
and forensics

Reviews, inspections, audits, and                                               ~ Draft NIST SP 800-35, Guide to Information Technology Security Services
other evaluations performed on
contractor facilities and
operations

Configuration or change             10. Hardware and Systems Software           ~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
management control                  Maintenance
                                    12. Documentation

Personnel security                  6. Personnel Security                       ~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook

Physical security                   7. Physical Security                        ~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
                                                                                ~ FIPS 31, Guidelines for ADP Physical Security and Risk Management

Operations security                 6. Personnel Security                       ~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
                                    7. Physical Security                        ~ NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
                                    8. Production, Input/Output Controls
                                    9. Contingency Planning
                                    10. Hardware and Systems Software
                                    Maintenance
                                    11. Data Integrity
                                    12. Documentation
                                    13. Security Awareness, Training, and
                                    Education
                                    14. Incident Response Capability

Privacy training                    13. Security Awareness, Training, and       None
                                    Education

Program/system evaluations whose    2. Review of Security Controls              ~ NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook
primary purpose is other than       4. Authorize Processing                     ~ NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems
security

System administrator functions      15. Identification and Authentication       Various (see definitions handout)
                                    16. Logical Access Controls
                                    17. Audit Trails

System upgrades with new features   N/A                                         None
that obviate the need for other
standalone security controls
