NIST_ISSCA - National Institute of Standards and Technology...
National Institute of Standards and Technology

1. Information System Security Control Architecture (ISSCA)
Stuart Katzke, Ph.D.
Senior Research Scientist
National Institute of Standards & Technology
100 Bureau Drive; Stop 8930
Gaithersburg, MD 20899
(301) 975-4768
[email protected]
fax: (301) 975-4964

2. Presentation Contents
• Background/motivation
  – System security C&A (historical perspective)
  – OMB A-130, Appendix III
  – Federal Information Security Management Act 2002 (FISMA)
• NIST FISMA implementation project
• ISSCA
• Significance of NIST's activities to the commercial sector
• Supporting detail

3. Background/Motivation
• NIST's system security C&A guidance aging (FIPS 102, 1983)
• OMB A-130, Appendix III: Security of Federal Information Resources (1996)
• Proliferation of C&A guidance
  – FIPS 102 (NIST)
  – DITSCAP (DoD)
  – NIACAP (NSTISSC/NSS)
• Federal Information Security Management Act 2002 (FISMA)

4. OMB A-130, Management of Federal Information Resources
• Requires Federal agencies to:
  – Plan for security
  – Implement controls commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of information (called "adequate security")
  – Ensure that appropriate officials are assigned security responsibility
  – Authorize system processing prior to operations and periodically thereafter
• Consistent with FISMA

5. Federal Information Security Management Act (FISMA)
Title III of E-Government Act of 2002 (Public Law 107-347)

6. FISMA Requirements
• Federal agency information security (IS) program requirements
• NIST requirements
• Others (not to be addressed today)

7. Federal Agency Information Security Programs Must Include (1):
• Periodic assessments of the risk
• Policies and procedures that are:
  – Risk-based
  – Cost-effective
  – Reduce IS risks to an acceptable level
  – Ensure IS is addressed throughout the system life cycle
• Plans for providing adequate IS for networks, facilities, & information systems (i.e., security planning)
• Security awareness training to inform personnel (including contractors and other users of information systems) of the IS risks and their responsibilities

8. Federal Agency Information Security Programs Must Include (2):
• Periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices with a frequency depending on risk, but no less than annually
• Plans and procedures to ensure continuity of operations
• Procedures for detecting, reporting, and responding to security incidents including: ...
This note was uploaded on 11/14/2011 for the course COMP 6370 taught by Professor Staff during the Fall '08 term at Auburn University.
