NIST preps policy plan


The National Institute of Standards and Technology is finalizing a guide designed to help agencies craft a security policy to ward off widespread vulnerabilities associated with Internet use.

While Internet connectivity offers enormous benefits to users, it is dangerous for sites with low levels of security, according to a draft copy of the guide. The document was written for high- and midlevel managers as well as technical employees. It tackles policies for specific Internet uses such as e-mail and virtual private networking.

Sample policies for each area are tailored to fit data that an agency may determine to have a low, medium or high risk of becoming a target of unauthorized users.

Little Previous Guidance

Robert Bagwill, a member of NIST's Security Division and the author of the guide, said not much material has been published that steers agencies through the decision-making process that is central to designing a security policy.

"There's no workbook that a manager can read the first chapter of and hand it to a technical guy and say, `Do this, this and this,'" Bagwill said. "Some of this is proactive; it's putting up fire extinguishers before you have a fire."

Bagwill also noted that many agencies face dwindling budgets and staffing levels and may be struggling to demonstrate to high-level officials the return on investment from a security policy.

The NIST guide leads agencies through risk profiling, which is an analysis of the potential threats to an agency's systems.

Such an analysis should determine how rigorous a security policy the agency should develop, which in turn should drive the cost of the security controls needed to meet policy requirements.

The analysis also provides an introduction to various aspects of computer security topics for nontechnical agency employees.

Most Outfits Not Prepared

Richard Power, an analyst with the San Francisco-based Computer Security Institute, said most organizations do not have a computer security policy in place to protect their systems. A joint CSI/FBI study in 1996 found that 57 percent of local, state and federal agencies surveyed had not developed policies to secure computer systems.

The final draft of the Internet security policy guide is scheduled to be released in December. Bagwill said comments on the draft have been mostly favorable.