A Brief Summary On Information Security Handbook A Guide For Managers
Information security has become a recognized business activity today. Every professional in an organization understands the importance of protecting its resources and information. Even so, a gap remains, largely because of a lack of knowledge about information security. Hence, we summarize the NIST special publication Information Security Handbook: A Guide For Managers (SP 800-100).
This publication gives an overview of the elements of an information security program, to help security professionals understand how to create and implement such a program. Nearly all of the topics in this document have been discussed in our various blogs; here we present a brief overview with links to the corresponding blogs.
Information Security Governance
Information security is an essential function in an organization and needs to be handled and governed properly to reduce the risk to the organization's operations. It is also essential to ensure the organization's ability to perform its business effectively. Information security governance ensures that enterprises proactively apply the proper information security controls to support their missions while handling evolving security risks.
To explore information security governance further, read the blog NIST SP 800 100 Information Security Governance. It covers the major concepts of information security governance, such as:
Information Security Governance Components
Information Security Governance Challenges and Keys to Success
System Development Life Cycle
The system development life cycle walks through the entire process of constructing, implementing and retiring an information system via a multi-step process:
Security Activities In The SDLC
Initiation Phase comprises activities such as Needs Determination, Security Categorization, and Preliminary Risk Assessment.
Development/Acquisition Phase comprises activities such as Requirements Analysis/Development, Risk Assessment, Cost Considerations and Reporting, Security Planning, Security Control Development, Developmental Security Test and Evaluation, and Other Planning Components.
Implementation Phase comprises activities such as Security Test and Evaluation, Inspection and Acceptance, System Integration/Installation, Security Certification, and Security Accreditation.
Operations/Maintenance Phase comprises activities such as Configuration Management and Control, and Continuous Monitoring.
Disposal Phase comprises activities such as Information Preservation, Media Sanitization, and Hardware and Software Disposal.
Awareness And Training
Awareness and training regarding information security are critical components of a total security solution; organizations cannot overstate the importance of employees in attaining security goals, or of training as a countermeasure against security threats. The security awareness and training program is an important component of the information security program. Establishing and maintaining a relevant and robust information security awareness and training program, alongside the other elements of the information security program, provides the workforce with the details and tools required to protect the organization's vital information resources.
To learn more about this section, go through the blog NIST SP 800 – 100 – Awareness And Training. The blog covers concepts like:
Awareness & Training Policy
Components: Awareness, Training, Education, and Certification
Designing, Developing, and Implementing an Awareness and Training Program
Capital Planning And Investment Control
Rising competition for limited budgets and resources requires an organization to allocate existing funding toward the information security investments that hold the highest priority. This is achieved via a formal enterprise CPIC (Capital Planning and Investment Control) process, which enables and controls the outlay of organizational funds. FISMA (Federal Information Security Management Act) and other federal regulations charge the organization with incorporating security activities into the capital planning and investment control process.
System Interconnections
A system interconnection is a direct connection of two or more information systems for the purpose of sharing data and other information resources. Enterprises interconnect their systems for various reasons, according to their organizational requirements.
Life-Cycle Management Approach
The life-cycle approach for system interconnection includes four phases:
Planning the Interconnection;
Establishing the Interconnection;
Maintaining the Interconnection;
Disconnecting the Interconnection
Planning The Interconnection
Participating enterprises perform preliminary actions and analyze all relevant security, technical and administrative issues. The following diagram depicts the steps involved in the planning phase:
Establishing the Interconnection
Once the interconnection activities are planned and approved, the interconnection can be established. The steps recommended for this phase are illustrated below:
Maintaining The Interconnection
Once the interconnection is established, the participating enterprises must maintain it to guarantee that it functions securely and properly. Sample activities recommended during this phase are:
Maintain the equipment
Analyze audit logs
Manage user profiles
Maintain system security plans
Conduct security reviews
Disconnecting The Interconnection
Disconnection may be planned, or may happen in response to an emergency.
Performance Measures
An organization's performance measures program brings a myriad of financial and organizational benefits. Enterprises can create information security metrics that measure the security program's effectiveness and provide data to be evaluated. By using metrics to target security investment, an organization can get the most out of its existing resources.
To know more about performance measures, go through the blog NIST SP-800-100 – Performance Measures.
Security Planning
Security planning is important to obtain an overview of the system's security needs and a description of the controls in place or planned to satisfy those needs. The purpose of the system security plan is to offer an overview of the system's security requirements and to describe the controls that satisfy them. The system security plan also assigns responsibilities and expected behavior to all individuals who use the system.
The blog NIST SP-800-100 – Security Planning And Contingency Planning provides an overview of security planning. The blog covers:
Security Planning Roles and Responsibilities
System Security Plan Approval
Security Control Selection
Completion and Approval Dates
Ongoing System Security Plan Maintenance
Information Technology Contingency Planning
Information technology contingency planning is an essential process for providing GSS (General Support Systems) and MA (Major Applications) with corresponding backup methods and procedures for data recovery and reconstitution against information technology risks.
The blog NIST SP-800-100 – Security Planning And Contingency Planning also discusses contingency planning.
Risk Management
Effective risk management is an essential component of a successful security program. The main aim of an organization's risk management process is to protect the enterprise and its ability to perform its missions.
For more details on risk management, see the blog NIST SP-800-100 – Risk Management And Security Certification Process. The blog includes detailed information on risk assessment, risk mitigation, and evaluation and assessment.
Certification, Accreditation, And Security Assessments
Certification and accreditation are essential activities that support the risk management process. Security certification is defined as the comprehensive assessment of the management, operational and technical security controls in an information system, conducted in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the system's security requirements.
The blog NIST SP-800-100 – Risk Management And Security Certification Process gives a brief overview of these essential activities.
Security Services And Products Acquisition
Information security products and services remain important elements of the enterprise information security program. The organization chooses security products and services available in the market and uses them across the program to handle the design, development and maintenance of its security infrastructure and to defend its mission-critical information.
Read the blog NIST SP 800-100 – Security Services And Products Acquisitions to learn more about security services and products acquisition. The blog walks through:
Information Security Services Life Cycle
Selecting Information Security Services
Selecting Information Security Products
Security Checklists for IT Products
Organizational Conflict of Interest
Incident Response
Organizations today want to analyze the risks to their systems and take proper measures to reduce their impact to an acceptable level. They also need a well-defined incident response capability to detect incidents rapidly, minimize damage and loss, determine the weaknesses exploited, and restore IT operations quickly.
The blog NIST SP 800-100 – Incident Response And Configuration Management covers the outline of the incident response phases.
Configuration Management
The objective of configuration management is to control the impact of changes to the configuration of an information system. CM helps remove the risk of problems, confusion, and unwanted spending.
Configuration management is discussed further in the blog NIST SP 800-100 – Incident Response And Configuration Management.
We hope the details provided in this blog and its associated blogs inform information security professionals about the various aspects of information security that they are likely to implement and supervise in their respective enterprises.