Guidance being updated for integrating data security into budgeting process
- By William Jackson
- Jul 15, 2009
Information security should be integrated throughout the technology life cycle, including the budgeting process. To help with that task, the National Institute of Standards and Technology is revising Special Publication 800-65, "Recommendations for Integrating Information Security into the Capital Planning and Investment Control Process."
A draft of SP 800-65 Revision 1 has been released for comment.
“Planning for information security is strategically important to ensure that the investment is adequately funded to satisfy information security requirements and that cost-effective security controls are in place to meet information security requirements and to protect the investment’s information assets,” the NIST guidelines state.
Information security and capital planning have typically been handled by separate teams within agencies, but the Federal Information Security Management Act and other regulations require that the processes be integrated. Capital planning is a process for integrating strategic planning, budgeting, procurement and management of information technology systems, and it should include information security. That planning becomes more important as budgets shrink.
“With increased competition for limited federal budgets, agencies must effectively integrate their information security and capital planning processes,” the guidance states.
The document discusses how considerations such as continuous monitoring, Plans of Action and Milestones, external evaluations, new mandates, evolving threats, and system life cycle requirements can affect capital planning considerations. It also identifies frameworks agencies can use to prioritize security investments and help ensure that security considerations are incorporated into the capital planning process to deliver maximum security and mission value to agencies. That involves making risk- and mission-based assessments of needs.
“Funding and resources are not always available to cover all security needs, therefore considerations must be prioritized to address the most pressing security needs first and to ensure the most effective use of resources,” the guidelines state. “To effectively prioritize security considerations, agencies must identify criteria for prioritization.”
Comments on the draft of SP 800-65 Revision 1 should be sent by Aug. 14 to firstname.lastname@example.org with "Comments SP 800-65Rev1" in the subject line.
William Jackson is freelance writer and the author of the CyberEye blog.