Hitting a home run with NIST security baseline

Shawna McAlearney, News Editor

The National Institute of Standards and Technology (NIST) has updated a guide geared toward achieving a baseline of security that experts say will be effective because it's a realistic implementation.

"Clearly, we live in a time of increased threat to our systems," said Jack Killorin, VP of Global Security for Baltimore-based testing and assessment provider Prometric. "This guideline is designed to assist any organization looking to increase security; its strength is in evaluating the effectiveness of security measures."

Notes Gary Stoneburner, an IT specialist in the security division at NIST who co-authored the guide: "The guideline is meant to show folks the various areas they should look at and help them cover their bases." Among the two dozen recommendations:

  • Clearly delineate the physical and logical security boundaries governed by associated security policies.
  • Identify potential trade-offs between reducing risk and the resulting increase in costs and decrease in other aspects of operational effectiveness.
  • Implement tailored system security measures to meet organizational security goals.
  • Protect information while being processed, in transit and in storage.
  • Protect against all likely classes of attacks: passive monitoring, active network attacks, exploitation by insiders, attacks requiring physical access or proximity, and the insertion of backdoors and malicious code during software development and/or distribution.
  • Where possible, base security on open standards for portability and interoperability.
  • Implement layered security and design it to allow for regular adoption of new technology, including a secure and logical technology upgrade process.
  • Assume that external systems are insecure; isolate public access systems from mission-critical resources (e.g., data and processes).
  • Use boundary mechanisms to separate computing systems and network infrastructures.
  • Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.
  • Strive for simplicity.
  • Minimize the system elements to be trusted and implement least privilege.
  • Don't implement unnecessary security mechanisms; each one should support a security service or set of services, and support one or more security goals.
  • Ensure proper security in the shutdown or disposal of a system.
  • Implement security through a combination of measures distributed physically and logically.
  • Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
  • Use unique identities to ensure accountability.

For software designers, the guide recommends establishing a sound security policy as the "foundation" for design and integrating it into the overall system design. Read NIST's IT security guidelines here.
