NIST issues revised IT security controls
- By Jason Miller
- Dec 22, 2006
Agencies now have updated guidelines for selecting and specifying security controls for all IT systems, including hardware and software such as personal digital assistants and administrative services.
The National Institute of Standards and Technology yesterday released Special Publication 800-53, Revision 1
that details 'broadly developed' approaches to improve federal IT security.
NIST issued SP 800-53 in February 2005 and has to update it every two years. This update lays out
17 minimum security controls agencies must meet, said Ron Ross, NIST's senior computer scientist, earlier this year.
The authors of the document, which included Ross, also said the new version is to be used in conjunction with Federal Information Processing Standard 200, which outlines minimum security requirements for federal information systems.
'The objective of [800-53] is to provide a set of security controls that is sufficiently rich to satisfy the breadth and depth of security requirements levied on information systems,' the document said. '[A]nd that is consistent with and complementary to other established security standards.'
The authors also said 800-53 is intended to be a 'starting point' to determine how much risk an agency can endure on its IT systems.
In addition to SP 800-53, NIST issued a white paper
entitled Managing Enterprise Risk in Today's World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost- Effective Information Security Programs, written by Ross as a complement to the revised publication.
The 18-page paper provides, among other things, an eight-step framework to managing risk to IT systems.
'Managing enterprise risk is a fundamental departure from the risk avoidance approaches used by many organizations in the past,' Ross wrote. 'Risk management recognizes the need to operate in a highly complex and interconnected world using state-of-the-art information technology ' technology that enterprises depend upon to accomplish critical business functions and successfully accomplish corporate-wide missions.'