Two NIST Publications Recommend Organization-Wide IT Security Risk Management -- Security Today

Two NIST Publications Recommend Organization-Wide IT Security Risk Management

Jan 07, 2011

Two new draft publications from the National Institute of Standards and Technology (NIST) provide the groundwork for a three-tiered risk-management approach that encompasses computer security risk planning from the highest levels of management to the level of individual systems. The draft documents have been released for public comment.

Both publications are a part of NIST’s risk management guidelines, which have been developed in support of the Federal Information Security Management Act (FISMA), and adopted government wide to improve the security of government systems and information.

Both call for upper-level management to understand that information security is a key component to mission-critical functions and that top managers need to manage information security risk in coordination with chief information officers, chief information security officers and system owners to meet the organization’s goals.

Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View (Special Publication 800-39, available in pdf format at http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-39), is the capstone document that applies this new perspective on how federal agencies and their contractors should manage information security risk.

“Most organizations currently manage risk using a tactical, system-by-system approach,” said Ron Ross, NIST Fellow and FISMA Implementation Project Leader. “This new framework suggests a three-tiered risk management approach that moves from organization to missions to information systems. The goal is for senior leaders and executives to manage risks strategically and drive investment and operational decisions based on the organization’s core missions and business functions.”

The new approach is particularly important as organizations address advanced persistent threats, which have the potential to degrade or debilitate federal information systems that support critical applications and operations of the federal government.

This publication is the fourth in the series developed by the Joint Task Force Transformation Initiative, a joint partnership among the Department of Defense, the Intelligence Community, NIST, and the Committee on National Security Systems. This draft provides significant changes from earlier versions of the publication and includes input from all partners in the Joint Task Force.

SP 800-39, once finalized, will supersede Risk Management Guide for Information Technology Systems (SP 800-30) as the source for guidance on risk management. A revised version of SP 800-30 will provide guidance on risk assessment consistent with SP 800-39 and is expected to be published in 2011.

Comments are requested on the draft of SP800-39. Please send them to sec-cert@nist.gov by Jan. 25.

The initial public draft of a second new NIST publication, Information Security Continuous Monitoring for Federal Information Systems and Organizations (Special Publication 800-137, available in pdf format at http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-137), is a guide to developing and implementing a comprehensive continuous monitoring strategy for computer security risk management using a three-tiered approach, organization level, mission/business level and system level. A robust strategy for continuous monitoring of information security helps maintain ongoing awareness of information security and ensures that organizational security practice reflects the organization’s risk tolerance. It helps ensure that accurate, up-to-date information is available to enable timely risk management decisions.

“SP 800-137 encourages a holistic approach to managing risk through information security continuous monitoring.” said IT Specialist Kelley Dempsey. The publication describes how to develop a comprehensive continuous monitoring strategy. It provides methods to implement a continuous monitoring program including determination of measures and metrics, determination of monitoring frequencies, review and analysis of security-related information, response to information security risk, and revision of the strategy.

Featured

Survey Shows Election Anxiety Crosses Party Lines

New reports of election worker intimidation are raising concerns about election interference. A majority of Americans (71%) are worried about voter intimidation or safety at the polls, and 75% want security cameras at their voting place, according to a new national survey. Read Now
- Facility Security
66 Percent of Cybersecurity Pros Say Job Stress is Growing

Sixty-six percent of cybersecurity professionals say their role is more stressful now than it was five years ago, according to the newly released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now
- Cybersecurity
Live from GSX 2024: Post-Show Recap

Another great edition of GSX is in the books! We’d like to thank our great partners for this years event, NAPCO, LVT, Eagle Eye Networks and Hirsch, for working with us and allowing us to highlight some of the great solutions the companies were showcasing during the crowded show. Read Now
- Industry Events
- GSX
Research: Cybersecurity Success Hinges on Full Organizational Support

Cybersecurity is the top technology priority for the vast majority of organizations, but moving from aspiration to reality requires a top-to-bottom commitment that many companies have yet to make, according to new research released today by CompTIA, the nonprofit association for the technology industry and workforce. Read Now
- Cybersecurity

Webinars

Hanwha Vision (formerly Hanwha Techwin), Eagle Eye Networks Inc, Salient Systems

Campus Security Today 2024 Virtual Summit
Push-to-Talk over Cellular – The NEXT Revolution
Hanwha Vision (formerly Hanwha Techwin)

Getting Control of your Access

Whitepapers

Allegion

The Current State of School Security
Hytera US Inc.

Push-to-Talk Over Cellular
Winsted Corporation

Sit/Stand Consoles: Helping Increase Productivity

New Products

Connect ONE®

Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation. 3
Compact IP Video Intercom

Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3
A8V MIND

Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

Two NIST Publications Recommend Organization-Wide IT Security Risk Management

Securitas Technology Launches 2025 Global Technology Outlook Report

Mission 500 Unites Security Industry Non-Profits at the 2024 Women in Security & Ally Gala

Genetec Retains World Leader Position in Video Management Software

Securitas Joins AI Pact for Responsible AI Use

16,000 Registrants from 86 Nations Participate in GSX 2024

Security Industry Association Announces Winners for the 2024 James Rothstein Business Scholarship

PureTech Systems Inc. Awarded Major Command and Control Contract by U.S. Government to Enhance National Security