
Learn from NIST: Best practices in security program management

Security success means sweating the small stuff, like ensuring proficiency in implementing patches and configuring systems. Security management expert Mike Rothman offers advice on how certain NIST guidelines can help an organization highlight problems within its enterprise security program.

Information security is a hard practice. When nothing happens, it's a good day. Attackers only have to hit the jackpot once in order to be successful. Security professionals have to be right every time. No wonder most practitioners continue searching for the "silver bullet," which makes all of the angst and risk go away.

A large portion of effective security practice is reaching a common level of proficiency. Since patching systems in a timely fashion and configuring them in a secure manner increase the likelihood that an organization will remain secure, the U.S. government, after a rash of information security issues, decided the best way to make that happen would be for all agencies to adhere to a common set of standards to protect their information.

This act of legislation, known as FISMA, or the Federal Information Security Management Act of 2002, put the job of defining what is right and what each agency needs to do into the hands of the national standards body -- namely NIST (the National Institute of Standards and Technology). NIST has since put forth standards and guidelines intended to provide a baseline level of protection for federal information resources.

Two of NIST's seminal documents are Special Publication 800-100, the Information Security Handbook: A Guide for Managers, and Special Publication 800-53, Recommended Security Controls for Federal Information Systems. Every security practitioner looks for a leg up on the bad guys, and a good way to get one is to read these two documents and figure out where their guidelines conflict with what currently exists in your organization. What you discover will help define the problems that demand critical attention.

The Information Security Handbook (800-100) attempts to define all of the considerations required to protect information. It treats terms such as governance, systems development life cycles, security assessments, risk management, incident response and many others in detail -- in fact, one hundred seventy-six pages of detail. Think of 800-100 as a framework for information security, much like COBIT and/or ISO 27001/2 define the scope of an information security program.

Looking past the dry style and constant references to other NIST documents, the clear message in 800-100 is that security is a broad and complicated discipline that requires a lot of cooperation throughout the entire enterprise. Most already know that, but unfortunately too few organizations practice it.

Practitioners, however, should use some sort of framework to guide their efforts, whether it's ISO 27001 or 800-100 (the latter because of a mandate, for U.S. agencies, for instance). When considering a framework, consider the overarching goals of the security organization. If its goals are more modest, such as simply becoming more relevant to the business, then guidelines like those in The Pragmatic CSO may be appropriate (shameless plug).

There are no wrong (or right) answers. There are no rewards for using one approach or framework over another. The only reward for missing something, which results in a breach or incident, is tossing hard work out the window.

The recommended security controls document, 800-53, takes 800-100 down to a practical level by defining the scope of potential security controls, as well as detailing a process to figure out which ones should be implemented. The document clearly states that controls in the absence of a structured program will not be effective, which is absolutely true.

The control catalog in the appendix of 800-53 presents each control without context, so on its own it isn't particularly useful beyond providing a laundry list of the many controls that exist. The appendix does map controls to low, moderate and high baselines keyed to the impact level of the system, but that mapping is a starting point for tailoring, not a directive concerning what your organization should implement -- and it shouldn't be.

The process of defining the control set is simple. It starts by categorizing the information and systems to be protected according to impact, then goes through selecting the baseline, tailoring it, and documenting and implementing the controls. It also presents a closed-loop cycle of assessing and continuously monitoring the control set to ensure it remains effective as systems and threats change.

Overall, even with all the constant churn and change inherent in protecting information, there is certainly valuable information in NIST's special publications. It wouldn't hurt most practitioners to go back occasionally and refresh their memories of the theory behind the activities they perform every day.

NIST has a lot of smart people and spends a lot of time trying to figure out what will work for the U.S. Government, so there is bound to be useful information there for enterprises as well. Not everything will be applicable, but a lot will be.

The skilled security professional understands the difference.

About the author:

Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Rothman is also's expert-in-residence on information security management. Get more information about The Pragmatic CSO at, read his blog at, or reach him via e-mail at [email protected]

This was last published in June 2008
