
Hitting a home run with NIST security baseline

Shawna McAlearney, News Editor

The National Institute of Standards and Technology (NIST) has updated a guide geared toward achieving a baseline of security that experts say will be effective because it's a realistic implementation.

"Clearly, we live in a time of increased threat to our systems," said Jack Killorin, VP of Global Security for Baltimore-based testing and assessment provider Prometric. "This guideline is designed to assist any organization looking to increase security; its strength is in evaluating the effectiveness of security measures."

Notes Gary Stoneburner, an IT specialist in the security division at NIST who co-authored the guide: "The guideline is meant to show folks the various areas they should look at and help them cover their bases." Among the two dozen recommendations:

  • Clearly delineate the physical and logical security boundaries governed by associated security policies.
  • Identify potential trade-offs between reducing risk and increased costs or reduced operational effectiveness in other areas.
  • Implement tailored system security measures to meet organizational security goals.
  • Protect information while being processed, in transit and in storage.
  • Protect against all likely classes of attacks: passive monitoring, active network attacks, exploitation by insiders, attacks requiring physical access or proximity, and the insertion of backdoors and malicious code during software development and/or distribution.
  • Where possible, base security on open standards for portability and interoperability.
  • Implement layered security and design it to allow for regular adoption of new technology, including a secure and logical technology upgrade process.
  • Assume that external systems are insecure; isolate public access systems from mission-critical resources (e.g., data and processes).
  • Use boundary mechanisms to separate computing systems and network infrastructures.
  • Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.
  • Strive for simplicity.
  • Minimize the system elements to be trusted and implement least privilege.
  • Don't implement unnecessary security mechanisms; each one should support a security service or set of services, and support one or more security goals.
  • Ensure proper security in the shutdown or disposal of a system.
  • Implement security through a combination of measures distributed physically and logically.
  • Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
  • Use unique identities to ensure accountability.

For software designers, the guide recommends establishing a sound security policy as the "foundation" for design and integrating it into the overall system design. Read NIST's IT security guidelines here.
