The National Institute of Standards and Technology is currently presenting two draft documents for organization-wide IT security risk management, aiming to provide the foundation for a tiered regime that supplies the guidelines mandated by the Federal Information Security Management Act (FISMA). Aimed at upper-level management but covering all levels of deployment, the documents seek to convey an understanding of the latest information security components by which chief information officers (CIOs), security specialists and system owners can secure mission-critical IT functions.
The document, called the "Integrated Enterprise-Wide Risk Management: Organization, Mission, and Information System View" (Special Publication 800-39), is available for public comments and can be downloaded here. This capstone document applies a comprehensive new strategy for how enterprises should best manage their security risks and vulnerabilities.

A three-tiered security risk management approach keeps managers abreast of information they need to make real-time risk-based decisions.
Instead of managing security risk "using a tactical, system-by-system approach, this new framework suggests a three-tiered risk management approach that moves from organization to missions to information systems," said Ron Ross, NIST fellow and FISMA implementation project leader. "The goal is for senior leaders and executives to manage risks strategically and drive investment and operational decisions based on the organization's core missions and business functions."
Ross claims the strategic orientation is necessary to confront persistent threats that seek to degrade or debilitate mission-critical applications and operations within the federal government and its contractors. The current publication has already been through three revisions by members of the Joint Task Force Transformation Initiative, a partnership between the Department of Defense, the Intelligence Community, NIST and the Committee on National Security Systems. Once approved and published in its final version later in 2011, SP 800-39 will replace the existing Risk Management Guide for Information Technology Systems (SP 800-30).

Automated direct data gathering provides continuous monitoring, targeting all domains of security-risk assessment.
Also available for public comment is a second guide to implementing continuous monitoring strategies for managing computer security risk, covering details of each of the three levels: organization level, mission/business level and system level. The overall strategy maintains real-time security situational awareness so that practices match an organization's tolerance for risk and management has the accurate, up-to-date information it needs to make timely decisions. The "Information Security Continuous Monitoring for Federal Information Systems and Organizations" (Special Publication 800-137) is available for public comment here.
The three tiers encourage a holistic approach to risk management: continuous monitoring of the measures and metrics needed to assess threats accurately, adjustment of monitoring frequencies as those threats change, and review and analysis of responses to real-time information security risks.
