Create your own Security Management Model using NIST Special Publication 800-14, and evaluate and apply NIST SP 800-26.
Solution
NIST SP 800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint.
It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12.
The more significant points made in NIST SP 800-14 are as follows:
1) Security Supports the Mission of the Organization.
2) Security is an Integral Element of Sound Management.
3) Security Should Be Cost-Effective.
4) Systems Owners Have Security Responsibilities Outside Their Own Organizations.
5) Security Responsibilities and Accountability Should Be Made Explicit.
6) Security Requires a Comprehensive and Integrated Approach.
7) Security Should Be Periodically Reassessed.
8) Security is Constrained by Societal Factors.
It enumerates 33 principles for Securing Information Technology Systems:
Principle 1. Establish a sound security policy as the “foundation” for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies.
Principle 4. Reduce risk to an acceptable level.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.
Principle 7. Implement layered security (Ensure no single point of vulnerability).
Principle 8. Implement tailored system security measures to meet organizational security goals.
Principle 9. Strive for simplicity.
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response.
Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and logically.
Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats.
Principle 14. Limit or contain vulnerabilities.
Principle 15. Formulate security measures to address multiple overlapping information domains.
Principle 16. Isolate public access systems from mission critical resources.
Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures.
Principle 18. Where possible, base security on open standards for portability and interoperability.
Principle 19. Use common language in developing security requirements.
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.
Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process.
Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
Principle 23. Use unique identities to ensure accountability.
Principle 24. Implement least privilege.
Principle 25. Do not implement unnecessary security mechanisms.
Principle 26. Protect information while being processed, in transit, and in storage.
Principle 27. Strive for operational ease of use.
Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
Principle 29. Consider custom products to achieve adequate security.
Principle 30. Ensure proper security in the shutdown or disposal of a system.
Principle 31. Protect against all likely classes of “attacks.”
Principle 32. Identify and prevent common errors and vulnerabilities.
Principle 33. Ensure that developers are trained in how to develop secure software.
NIST Special Publication 800-26
NIST SP 800-26 - Security Self-Assessment Guide for Information Technology Systems describes seventeen areas that span managerial, operational and technical controls. The 17 areas listed below are the core of the NIST security management structure.
Management Controls
1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing (Certification and Accreditation)
5. System Security Plan
Operational Controls
6. Personnel Security
7. Physical Security
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability
Technical Controls
15. Identification and Authentication
16. Logical Access Controls
17. Audit Trails
NIST Special Publication 800-30
NIST SP 800-30 - Risk Management Guide for Information Technology Systems provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems.
The ultimate goal is to help organizations to better manage IT-related mission risks.