Draft security guidelines released
- By William Jackson
- Aug 24, 2004
The National Institute of Standards and Technology is building a repository for IT security baseline checklists, and has published guidelines for users of and contributors to the collection.
It also has published a guide for conducting forensic investigations on personal digital assistants.
NIST has been tasked with the formidable job of developing security configuration checklists for 'each computer hardware and software system that is, or is likely to become, widely used within the federal government.'
The checklists are intended to simplify what NIST calls the 'complicated, arduous and time-consuming task' of configuring IT products to meet a specific level of security.
More than 40 checklists now are available online at http://checklists.nist.gov
. Most were developed by the Defense Information Systems Agency over the past three years.
The agency released a draft of Special Publication 800-70
, Security Configuration Checklists Program for IT Products to help build its collection of checklists. It provides standards for government, academia and industry for developing and submitting checklists, as well as advice to administrators on how they should be used.
The guidelines defines four environments requiring different levels of security for which checklists should be targeted:
- Small offices and home offices, often containing unmanaged and standalone computers
- Enterprise, usually containing managed networks
- High security, where security takes precedence over functionality because of the risk of attack
- Custom, with specialized systems, such as legacy systems.
Comments on the guidelines can be submitted by Sept. 30 to email@example.com.
Another draft, SP 800-72
, Guidelines on PDA Forensics, offers help to investigators who need to obtain evidence from PDAs. It focuses on the PocketPC operating system from Microsoft Corp., Palm OS and Linux operating systems.
The publication gives guidance to organizations on developing appropriate policies and procedures, and to forensic specialists on dealing with the technology.
Comments on the guidelines can be submitted by Sept. 3 to PDAforensics@nist.gov.
William Jackson is a Maryland-based freelance writer.