Most of my career has been spent supporting military customers, but my current work has me supporting a non-DoD customer. Although I've been exposed to NIST Special Publications before (and even blogged about them), I find myself getting intimately acquainted with some of these publications. In particular, I've been going through SP 800-53 with a fine-toothed comb, with additional attention to SP 800-37 and SP 800-53A. (I'll probably wind up going through SP 800-30 as well.)
To some degree, the NIST Risk Management Framework outlined in these documents mirrors the DoD's DIACAP framework: the idea is that system administrators can ensure the confidentiality, integrity, and availability of their data by implementing a set of standard security controls selected according to the criticality of the network and the sensitivity of the data it processes. The system can then be reassessed as necessary. It's a pretty standard concept, but I'm enjoying learning the ins and outs of it, including going through the security controls one by one.
Some organizations would do well to implement a system similar to the DoD's DIACAP system; for most organizations, however, the NIST Risk Management Framework is a more realistic option, particularly if a responsible cost/benefit analysis precludes said organization from investing in the infrastructure and manpower required to meticulously document and monitor every last item in excruciating detail.