Information Security News
mailing list archives
NIST issues security drafts
From: InfoSec News <isn () c4i org>
Date: Tue, 23 Sep 2003 10:01:24 -0500 (CDT)
Forwarded from: William Knowles <wk () c4i org>
http://www.fcw.com/fcw/articles/2003/0922/web-nist-09-22-03.asp
By Diane Frank
Sept. 22, 2003
The National Institute of Standards and Technology last week released
drafts of two security publications to help agencies define the levels
of security necessary for different types of information systems and
establish or fine-tune processes for handling security incidents.
The final draft of Federal Information Processing Standard (FIPS) 199,
"Standards for Security Categorization of Federal Information and
Information Systems," [1] is the first step in a series of standards,
guidelines and requirements mandated under the Federal Information
Security Management Act (FISMA) of 2002. The standard, released Sept.
17, outlines ways to link different types of federal information and
systems, and the risks each faces. NIST will later tie this to
guidance for the appropriate level of security, depending on the
assigned level of risk.
The standard focuses on three security areas for information and
systems: confidentiality, integrity and availability. It then defines
three levels of potential impact on organizations or individuals if
any of those security areas is compromised.
Assigning a level of risk is not a clear-cut process, because it must
be considered in the context of each agency, states the draft, which
includes several examples of how to apply the three security areas and
three impact levels. The document, for instance, discusses the
difference between a system that needs high availability but holds
information that needs only low confidentiality measures, and a system
that can be offline for a period of time, but needs both high
confidentiality and integrity for its information.
The institute on Sept. 15 released a draft of the Computer Security
Incident Handling Guide (Special Publication 800-61) [2], intended to
help agencies meet a FISMA requirement to establish some level of
incident handling capability and report to the Office of Management
and Budget and the Federal Computer Incident Response Center
(FedCIRC).
Incident response centers are receiving a lot of attention now because
of the number and severity of recent attacks, such as the Blaster worm
and SoBig.F virus that surfaced last month. Many agencies already have
such capabilities, but the latest guide is designed to help both
existing and new organizations.
It outlines best practices within a response center, common policies
to work with outside partners, and examples of how a response center
fits within an agency's larger technology and policy structure.
The guidance is designed for chief information officers and their
security staffs, and covers information sharing, morale issues, the
benefits and pitfalls of an employee-staffed response center versus
one that is partially outsourced, and other issues.
Comments on the draft guidance may be sent to NIST by Oct. 15 at
IncidentHandlingPub800-61 () nist gov
[1] http://csrc.nist.gov/publications/drafts/draft-fips-pub-199.pdf
[2] http://csrc.nist.gov/publications/drafts/draft_sp800-61.pdf
*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
----------------------------------------------------------------
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
================================================================
Help C4I.org with a donation: http://www.c4i.org/contribute.html
*==============================================================*
-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.