The network of computers around the world is growing rapidly, and the need for security grows in proportion to it. As the need for security grows, so does the need for standards and practices. NIST 800-14 is a document that sets out generally accepted security principles and practices that are meant to be implemented.
The National Performance Review (NPR) recommended, as part of the National Information Infrastructure (NII), that the National Institute of Standards and Technology (NIST) develop generally accepted system security principles and practices for the federal government. These security principles and practices are to be applied in the use, protection, and design of government information and data systems, particularly front-line systems for delivering services electronically to citizens. The need for rules, standards, conventions and procedures that define accepted security practices was outlined in the 1991 National Research Council document Computers At Risk. The Council's recommendation called for the development of a comprehensive set of generally accepted system security principles (GSSP) that would clearly articulate essential security features, assurances, and practices. In 1992, several national and international organizations with an interest in computer security began work on implementing the Computers At Risk recommendation.
The Organization for Economic Co-operation and Development's (OECD) Guidelines for the Security of Information Systems were developed in 1992 by a group of international experts to provide a foundation from which governments and the private sector, acting singly and in concert, could construct a framework for securing IT systems. The OECD Guidelines are the current international guidelines which have been endorsed by the
The principles address computer security from a very high-level viewpoint. The principles are to be used when developing computer security programs and policy and when creating new systems, practices or policies. Principles are expressed at a high level, encompassing broad areas, e.g., accountability, cost effectiveness, and integration.
The practices guide organizations on the types of controls, objectives and procedures that comprise an effective IT security program. The practices show what should be done to enhance or measure an existing computer security program or to aid in the development of a new program. The practices provide a common ground for determining the security of an organization and build confidence when conducting multi-organizational business. The document provides the practices in a checklist format to assist organizations in reviewing their current policies and procedures against the common practices.
The document describes eight principles and fourteen practices. Each of the principles applies to each of the practices. The nature of the relationship between the principles and the practices varies. In some cases, practices are derived from one or more principles; in other cases practices are constrained by principles. For example, the Risk Management Practice is directly derived from the Cost-Effectiveness Principle. However, the Comprehensive and Reassessment Principles place constraints on the Risk Management Practice.
| | Principles | Practices |
|---|---|---|
| 1 | Computer Security Supports the | Policy (Program Policy, Issue-Specific Policy, System-Specific Policy) |
| 2 | Computer Security is an Integral Element of Sound Management | Program Management (Central Security Program, System-Level Program) |
| 3 | Computer Security Should Be Cost-Effective | Risk Management (Risk Assessment, Risk Mitigation, Uncertainty Analysis) |
| 4 | Systems Owners Have Security Responsibilities Outside Their Own Organizations | Life Cycle Planning (Initiation Phase, Development/Acquisition Phase, Implementation Phase, Operation/Maintenance Phase, Disposal Phase) |
| 5 | Computer Security Responsibilities and Accountability Should Be Made Explicit | Personnel/User Issues (Staffing, User Administration) |
| 6 | Computer Security Requires a Comprehensive and Integrated Approach | Preparing for Contingencies and Disasters (Identify Resources, Develop Scenarios, Develop Strategies, Test and Revise Plan) |
| 7 | Computer Security Should Be Periodically Reassessed | Computer Security Incident Handling |
| 8 | Computer Security is Constrained by Societal Factors | Awareness and Training |
| 9 | | Security Considerations in Computer Support and Operations |
| 10 | | Physical and Environmental Security |
| 11 | | Identification and Authentication |
| 12 | | Logical Access Control (Access Criteria, Access Control Mechanisms) |
| 13 | | Audit Trails (Audit Trail Records, Audit Trail Security, Audit Trail Reviews, Keystroke Monitoring) |
| 14 | | Cryptography |
The table above lists the eight principles and the fourteen practices described in the document. It is therefore recommended that every individual and every organization follow NIST 800-14 for the general principles and practices of securing their workplaces and technology.
Blog page: sunil86s.blogspot.com