Receive industry and products news from the market categories that matter to you most.
Stay up to date on industry news and trends, product announcements and the latest innovations.
NIST Publishes Guide information systems security monitoring.
Press Release Summary:
Oct 25, 2011 - Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations, NIST Special Publication (SP) 800-137, will help organizations understand their security posture against threats and vulnerabilities as well as determine how effectively security controls are working. Publication aims to provide guidance for information security monitoring in all types of information systems, encompassing computer networks as well as other interconnected devices and software.
Original Press Release
NIST Publishes Guide for Monitoring Security in Information Systems
Press release date: Oct 13, 2011
Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations (NIST Special Publication [SP] 800-137) aims to provide guidance for information security monitoring in all types of information systems - a term that encompasses not only computer networks but also a host of other interconnected devices and software. According to Kelley Dempsey, a researcher in NIST's Computer Security Division and one of the authors, the publication is geared toward helping an organization ensure that its security measures are performing as desired over time.
"This is a guide for an organization that has already implemented the first five steps of the NIST Risk Management Framework (RMF) and is ready to move on to the last step, which is developing a systematic way of making sure the previous steps are implemented effectively," says Dempsey. "Our publication can help an organization monitor the security posture of the organization and its systems on an ongoing basis."
Dempsey says SP 800-137 is tightly coupled to two other NIST publications, SP 800-37 and SP 800-39, which describe all the steps in the risk management process. Those previous publications describe risk management and the RMF so that developers are able to determine a system's boundaries, security category and required controls. Once these steps are complete, SP 800-137 can guide an organization's efforts to monitor its system's effectiveness in a customized fashion - something the authors describe as a move from "compliance-driven" to "data-driven" risk management.
"In the end, you don't want to just get some generic to-do checklist and follow its orders - you want to get data from the systems within your organization and respond to it in a way appropriate for your own specific needs," Dempsey says. "We hope this guide will enable users to do that."
Dempsey adds that a major feature of SP 800-137 is a list of criteria to help users determine how frequently to monitor each of the controls in an information system. The list, she says, will help users perceive how often each control is to be checked - a frequency that may be different for each control.
*SP 800-137 is available from NIST's Computer Security Resource Center at csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf, and SP 800-37 and SP 800-39 are available at csrc.nist.gov/ as well.
Don't miss the latest news!