The National Institute of Standards and Technology (NIST) has updated a guide geared toward achieving a baseline of security that experts say will be effective because it's a realistic implementation.
"Clearly, we live in a time of increased threat to our systems," said Jack Killorin, VP of Global Security for Baltimore-based testing and assessment provider Prometric. "This guideline is designed to assist any organization looking to increase security; its strength is in evaluating the effectiveness of security measures."
Notes Gary Stoneburner, an IT specialist in the security division at NIST who co-authored the guide: "The guideline is meant to show folks the various areas they should look at and help them cover their bases." Among the two dozen recommendations:
- Clearly delineate the physical and logical security boundaries governed by associated security policies.
- Identify potential trade-offs between reducing risk and increased costs, and decrease in other aspects of operational effectiveness.
- Implement tailored system security measures to meet organizational security goals.
- Protect information while being processed, in transit and in storage.
- Protect against all likely classes of attacks: passive monitoring, active network attacks, exploitation by insiders, attacks requiring physical access or proximity, and the insertion of backdoors and malicious code during software development and/or distribution.
- Where possible, base security on open standards for portability and interoperability.
- Implement layered security and design it to allow for regular adoption of new technology, including a secure and logical technology upgrade process.
- Assume that external systems are insecure; isolate public access systems from mission critical resources (e.g., data, processes, etc.).
- Use boundary mechanisms to separate computing systems and network infrastructures.
- Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.
- Strive for simplicity.
- Minimize the system elements to be trusted and implement least privilege.
- Don't implement unnecessary security mechanisms; each one should support a security service or set of services, and support one or more security goals.
- Ensure proper security in the shutdown or disposal of a system.
- Implement security through a combination of measures distributed physically and logically.
- Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
- Use unique identities to ensure accountability.
For software designers, the guide recommends establishing a sound security policy as the "foundation" for design and integrating it into the overall system design. Read NIST's IT security guidelines here.