Published on Isacaroma Newsletter (http://www.isacaroma.it/html/newsletter)

NIST: Information Security Handbook: A Guide for Managers (parte prima)

By Alain De Cristofaris

Creato 2006-11-14 08:13

061113-Nist-1 Il National Institute of Standards and Technology (NIST [1]) ha pubblicato una nuova guida sull’Information Security (pdf [2], 9,5 M o pdf zip [3] 7,5 M) dedicata i manager: "Information Security Handbook: A Guide for Managers: Recommendations of the National Institute of Standards and Technology" (176 pagine, data di pubblicazione: ottobre 2006). Gli autori sono Pauline Bowen, Joan Hash e Mark Wilson. In questa prima puntata analizzeremo i contenuti principali del documento; nelle successive puntate vedremo in dettaglio il capitolo dedicato all’Information Security Governance [4] e quello dedicato al Risk Management. Vorrei infine ringraziare gli amici di sikurezza.org [5] che per primi mi hanno segnalato [6] la pubblicazione della guida.

Overview

L’Information Security Handbook fornisce una completa overview degli elementi fondamentali dell’information security ed è volto ad assister il management aziendale nell’applicare un programma di sicurezza coerente ed efficace nelle proprie aziende.
I principali topics del documento fanno riferimento alle leggi e norme USA in ambito information security, quali il Clinger-Cohen Act del 1996, il Federal Information Security Management Act (FISMA) del 2002 e l’Office of Management and Budget (OMB) Circular A-130.
La pubblicazione si rivolge ai chief information officers (CIO), senior agency information security officers (SAISO), conosciuti anche come Chief Information Security Officers (CISO) ed ai security managers.
La guida sintetizza e approfondisce (in certi casi) una serie di standard e white paper già pubblicati dal NIST.

Indice del documento

1. Introduction

1.1 Purpose and Applicability
1.2 Relationship to Existing Guidance
1.3 Audience

2. Information Security Governance

2.1 Information Security Governance Requirements
2.2 Information Security Governance Components

2.2.1 Information Security Strategic Planning
2.2.2 Information Security Governance Structures
2.2.3 Key Governance Roles and Responsibilities

2.2.3.1 Agency Head
2.2.3.2 Chief Information Officer
2.2.3.3 Senior Agency Information Security Officer
2.2.3.4 Chief Enterprise Architect
2.2.3.5 Related Roles

2.2.4 Federal Enterprise Architecture (FEA)
2.2.5 Information Security Policy and Guidance
2.2.6 Ongoing Monitoring

2.3 Information Security Governance Challenges and Keys to Success

3. System Development Life Cycle

3.1 Initiation Phase
3.2 Development/Acquisition Phase
3.3 Implementation Phase
3.4 Operations/Maintenance Phase
3.5 Disposal Phase
3.6 Security Activities within the SDLC

4. Awareness and Training

4.1 Awareness and Training Policy
4.2 Components: Awareness, Training, Education, and Certification

4.2.1 Awareness
4.2.2 Training
4.2.3 Education
4.2.4 Certification

4.3 Designing, Developing, and Implementing an Awareness and Training Program

4.3.1 Designing an Awareness and Training Program
4.3.2 Developing an Awareness and Training Program
4.3.3 Implementing an Awareness and Training Program

4.4 Post-Implementation

4.4.1 Monitoring Compliance
4.4.2 Evaluation and Feedback

4.5 Managing Change
4.6 Program Success Indicators

5. Capital Planning and Investment Control

5.1 Legislative Overview
5.2 Integrating Information Security into the CPIC Process
5.3 Capital Planning and Investment Control Roles and Responsibilities
5.4 Identify Baseline
5.5 Identify Prioritization Criteria
5.6 Conduct System- and Enterprise-Level Prioritization
5.7 Develop Supporting Materials
5.8 IRB and Portfolio Management
5.9 Exhibits 53 and 300 and Program Management

6. Interconnecting Systems

6.1 Managing System Interconnections
6.2 Life-Cycle Management Approach

6.2.1 Phase 1: Planning the Interconnection
6.2.2 Phase 2: Establishing the Interconnection
6.2.3 Phase 3: Maintaining the Interconnection
6.2.4 Phase 4: Disconnecting the Interconnection

6.3 Terminating Interconnection

6.3.1 Emergency Disconnection
6.3.2 Restoration of Interconnection

7. Performance Measures

7.1 Metric Types
7.2 Metrics Development and Implementation Approach
7.3 Metrics Development Process
7.4 Metrics Program Implementation

7.4.1 Prepare for Data Collection
7.4.2 Collect Data and Analyze Results
7.4.3 Identify Corrective Actions
7.4.4 Develop Business Case and Obtain Resources
7.4.5 Apply Corrective Actions

8. Security Planning

8.1 Major Applications, General Support Systems, and Minor Applications
8.2 Security Planning Roles and Responsibilities

8.2.1 Chief Information Officer
8.2.2 Information System Owner
8.2.3 Information Owner
8.2.4 Senior Agency Information Security Officer
8.2.5 Information System Security Officer

8.3 Rules of Behavior
8.4 System Security Plan Approval

8.4.1 System Boundary Analysis and Security Controls
8.4.2 Security Controls
8.4.3 Scoping Guidance
8.4.4 Compensating Controls
8.4.5 Common Security Controls

8.5 Security Control Selection
8.6 Completion and Approval Dates
8.7 Ongoing System Security Plan Maintenance

9. Information Technology Contingency Planning

9.1 Step 1: Develop Contingency Planning Policy Statement
9.2 Step 2: Conduct Business Impact Analysis
9.3 Step 3: Identify Preventive Controls
9.4 Step 4: Develop Recovery Strategies
9.5 Step 5: Develop IT Contingency Plan
9.6 Step 6: Plan Testing, Training, and Exercises
9.7 Step 7: Plan Maintenance

10. Risk Management

10.1 Risk Assessment

10.1.1 Step 1 – System Characterization
10.1.2 Step 2 – Threat Identification
10.1.3 Step 3 – Vulnerability Identification
10.1.4 Step 4 – Risk Analysis
10.1.4.1 Control Analysis
10.1.4.2 Likelihood Determination
10.1.4.3 Impact Analysis
10.1.4.4 Risk Determination
10.1.5 Step 5 – Control Recommendations
10.1.6 Step 6 – Results Documentation

10.2 Risk Mitigation
10.3 Evaluation and Assessment

11. Certification, Accreditation, and Security Assessments

11.1 Certification, Accreditation, and Security Assessments Roles and Responsibilities

11.1.1 Chief Information Officer
11.1.2 Authorizing Official
11.1.3 Senior Agency Information Security Officer
11.1.4 Information System Owner
11.1.5 Information Owner
11.1.6 Information System Security Officer
11.1.7 Certification Agent
11.1.8 User Representatives

11.2 Delegation of Roles
11.3 The Security Certification and Accreditation Process
11.4 Security Certification Documentation
11.5 Accreditation Decisions
11.6 Continuous Monitoring
11.7 Program Assessments

12. Security Services and Products Acquisition

12.1 Information Security Services Life Cycle
12.2 Selecting Information Security Services

12.2.1 Selecting Information Security Services Management Tools.
12.2.2 Information Security Services Issues
12.2.3 General Considerations for Information Security Services

12.3 Selecting Information Security Products
12.4 Security Checklists for IT Products
12.5 Organizational Conflict of Interest

13. Incident Response

13.1 Preparation

13.1.1 Preparing for Incident Response
13.1.2 Preparing to Collect Incident Data
13.1.3 Preventing Incidents

13.2 Detection and Analysis
13.3 Containment, Eradication, and Recovery
13.4 Post-Incident Activity

14. Configuration Management

14.1 Configuration Management in the System Development Life Cycle
14.2 Configuration Management Roles and Responsibilities
14.3 Configuration Management Process

Appendix A – Acronyms List
Appendix B – Frequently Asked Questions

Fine prima parte.
Leggi seconda parte [7].

IsacaRoma Newsletter link

Altri articoli di Alain De Cristofaris

Intervista a Giampaolo Scafuro, vicepresidente di IISFA, musicista, organizzatore di "SecurPizza" [8]

Security Manager: il curriculum perfetto [9]

Security Manager: il curriculum perfetto – parte seconda [10]

Sicurezza e Compliance: quando il gioco si fa duro [11]

Source URL:
http://www.isacaroma.it/html/newsletter/node/384

Links:
[1] http://csrc.nist.gov/publications/nistpubs/index.html
[2] http://csrc.nist.gov/publications/nistpubs/800-100/sp800-100.pdf
[3] http://csrc.nist.gov/publications/nistpubs/800-100/NIST-SP-800-100.zip
[4] http://www.isacaroma.it/html/newsletter/node/386
[5] http://www.isacaroma.it/html/newsletter/node/58
[6] http://www.sikurezza.org/ml/11_06/msg00054.html
[7] http://www.isacaroma.it/html/newsletter/node/386
[8] http://www.isacaroma.it/html/newsletter/node/325
[9] http://www.isacaroma.it/html/newsletter/node/160
[10] http://www.isacaroma.it/html/newsletter/node/194
[11] http://www.isacaroma.it/html/newsletter/?q=node/152