The NIST Special Publications

for Security Management

By: Waylon Coulter

 The NIST Publications
SP 800-12: An Introduction to Computer Security:
The NIST Handbook
SP 800-14: Generally Accepted Security Principles
and Practices
SP 800-18: Guide for Developing Security Plans
SP 800-26: Security Self-Assessment Guide for IT
Systems
SP 800-30: Risk Management Guide for IT Systems
 Reasons for Using NIST
Documents
Publicly available at no charge.
Have been broadly reviewed by
government and industry professionals
Help develop a security framework for the
organization
 SP 800-12: Computer Security
Handbook
Extremely good reference for routine
management
Little guidance supplied for designing and
implementing of new systems
Supplement to help gain a good solid
understanding of security terminology and
the background
Information Found in SP 800-12
Draws upon the OECDs guidelines for the Security of
Information Systems

Accountability Timeliness
Awareness Reassessment
Ethics Democracy
Multidisciplinary Integration
Proportionality
 Controls

The NIST SP 800-12 lays out philosophy

on security management by organizing
controls into three categories
1. Management Controls
2. Operational Controls
3. Technical Controls
There are 17 controls in these categories
and are discussed in the SP 800-26
 Management Controls
Address security topics that can be
categorized as managerial
Techniques and concerns that are
addressed by management in the
organization
Focus on management of risk and the
computer security program
 Technical Controls
Focus on controls that the computer
executes
Controls depend on the proper functioning
of systems
Always require significant operational
considerations
Should be consistent with management of
security in the organization
 SP 800-14 Generally Accepted
Principles and Practices for
Securing IT Systems
Describes best practices and information
on commonly accepted information
security principles that can be used to
develop a security blue print
Describes principles that should be
integrated into the information security
process
 Significant Points Made in the
SP 800-14
Security Supports the Mission of the Organization
The implementation of information security is not independent of the
organizations mission it is driven by it.
The information security program MUST support and further the
organizations mission

Security Is an Integral Element of Sound Management.

Security supports the planning function when information security
policies provide input into organization initiatives, and supports the
controlling functions enforce both managerial and security policies.
 Significant Points Continued
Security Should Be Cost-Effective.
The costs of information security should be considered part of the cost
of doing business.
Information security should justify its own costs
Security measures whose costs outweigh their benefits should be
rationalized.

Systems Owners Have Security Responsibilities Outside Their Own

Organizations
When systems use data from clients, customers, partners, and others,
the security of the data is a huge security responsibility
 Significant Points Continued
Security Responsibilities and Accountability Should Be Made
Explicit
Policy documents should clearly identify the security responsibility of
users, administrators, and managers.
Security Requires Comprehensive and Integrated Approach
Security is everyones responsibility
Security should Be Periodically Reassessed
Security is an ongoing process
To remain effective, the security process must be periodically repeated
Security is Constrained by Societal Factors
Legal demands, shareholder requirements, and even business practices
affect the implementation of security controls.
Principles for Securing IT Systems
Establish a sound security policy as the foundation
for the design.
Treat security as an integral part of the overall system
design.
Clearly delineate the physical and logical security
boundaries governed by associated security policies.
Reduce risk to an acceptable level.
Assume that external systems are insecure.
Identify potential trade-offs between reducing risk and
increased costs and decreases in other aspects of
operational effectiveness.
 More Principles
Implement layered security (ensure no single
point of vulnerability).
Implement tailored system security measures
to meet organizational security goals.
Strive for simplicity.
Design and operate an IT system to limit
vulnerability and to be resilient in response.
Minimize the system elements to be trusted.
Implement security through a combination of
measures distributed physically and logically.
 More Principles
Provide assurance that the system is, and
continues to be, resilient in the face of
expected threats.
Limit or contain vulnerabilities.
Formulate security measures to address
multiple overlapping information domains.
Isolate public access systems from mission-
critical resources (e.g. data processes).
Use boundary mechanisms to separate
computing systems and network
infrastructures.
 More Principles
Where possible, base security on open standards for
portability and interoperability.
Use a common language in developing security
requirements.
Design and implement audit mechanisms to detect
unauthorized use and to support incident
investigations.
Design security to allow for regular adoption of new
technologies, including a secure and logical
technology upgrade process.
Authenticate users and processes to ensure
appropriate access control decisions both within and
across domains
 More Principles
Use unique identities to ensure accountability.
Implement least privilege, which is the process of
granting the lowest level of access consistent with
accomplishing the assigned role.
Do not implement unnecessary security mechanisms.
Protect information while being processed, in transit,
and in storage.
Strive for operational ease of use.
Develop and exercise contingency or disaster recovery
procedures to ensure appropriate availability.
 More Principles
Consider custom products to achieve
adequate security.
Ensure proper security in the shutdown or
disposal of a system.
Protect against all likely classes of attacks.
Identify and prevent common errors and
vulnerabilities.
Ensure that developers are trained in how to
develop secure software.
 SP 800-18: Guide for Developing
Security Plans for IT Systems
Details methods for assessing, designing,
and implementing controls and plans for
various-sized applications
Provides templates for major application
security plans
SP 800-18 must be customized to fit the
particular needs of any organization
 SP 800-26: Security Self-
Assessment Guide for IT Systems
Describes 17 areas that span the three
different types of controls
Form the core of the NIST security
management structure.
 Management Controls
Risk Management
Review of Security Controls
Life Cycle Maintenance
Authorization of Processing (Certification
and Accreditation)
System Security Plan
 Operational Controls
Personnel Security
Physical Security
Production, Input/Output Controls
Contingency Planning
Hardware and Systems Software
Data Integrity
Documentation
Security Awareness, Training, and Education
Incident Response Capacity
 Technical Controls
Identification and Authentication
Logical Access Controls
Audit Trails
 SP 800-30: Risk Management Guide
for IT Systems
Provides foundation for development of an
effective risk management program.
The ultimate goal is to help organizations
better manage IT-related mission risk.
The guide helps to develop and evaluate
the risk management process.
 References
National Institute of Standards and Technology Special Publication
800-12, An Introduction to Computer Security: The NIST Handbook,
October 1995.
National Institute of Standards and Technology Special Publication
800-14, Generally Accepted Principles and Practices for Securing
Information Technology Systems, September 1996.
National Institute of Standards and Technology Special Publication
800-18, Guide for Developing Security Plans for Federal Information
Systems, February 2006.
National Institute of Standards and Technology Special Publication
800-26, Security Self-Assessment Guide for Information Technology
Systems, November 2001.
National Institute of Standards and Technology Special Publication
800-30, Risk Management Guide for Information Technology
Systems, July 2002.