January 02, 2007

NIST Releases Security Whitepaper: For Managers

A whitepaper entitled Managing Enterprise Risk in Today’s World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs has been released by the National Institute of Standards and Technology (NIST).

As its title suggests, this paper targets managers, which means it isn't overly technical. Still, it does provide an overview of the NIST Risk Management Framework and of the Federal Information Processing Standards and NIST Special Publications that support an enterprise information security program.

Don't miss "The Golden Rules for Effective Information Security" in Appendix B. Sarcasm aside, they are good common-sense points, no matter how silly the title:

  • Develop an enterprise-wide information security strategy and game plan;
  • Get corporate “buy in” for the enterprise information security program -- effective programs start at the top;
  • Build information security into the infrastructure of the enterprise;
  • Establish level of “due diligence” for information security;
  • Focus initially on mission/business case impacts -- bring in threat information only when specific and credible;
  • Create a balanced information security program with management, operational, and technical security controls;
  • Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk;
  • Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data;
  • Harden the target; place multiple barriers between the adversary and enterprise information systems;
  • Be a good consumer -- beware of vendors trying to sell “single point solutions” for enterprise security problems;
  • Don’t be overwhelmed with the enormity or complexity of the information security problem -- take one step at a time and build on small successes;
  • Don’t tolerate indifference to enterprise information security problems; and
  • Manage enterprise risk; don’t try to avoid it -- use your information systems wisely.

Posted by Jon Erickson at 11:20 AM