NIST preps policy plan

The National Institute of Standards and Technology is finalizing a guide designed to help agencies craft a security policy to ward off widespread vulnerabilities associated with Internet use.

While Internet connectivity offers enormous benefits to users, it is dangerous for sites with low levels of security, according to a draft copy of the guide. The document was written for high- and midlevel managers as well as technical employees. It tackles policies for specific Internet usage, such as e-mail and virtual private networking.

Sample policies for each area are tailored to fit data that an agency may determine to have a low, medium or high risk of becoming a target of unauthorized users.

Little Previous Guidance

Robert Bagwill, a member of NIST's Security Division and the author of the guide, said not much material has been published that steers agencies through the decision-making process that is central to designing a security policy.

"There's no workbook that a manager can read the first chapter of and hand it to a technical guy and say, 'Do this, this and this,'" Bagwill said. "Some of this is proactive; it's putting up fire extinguishers before you have a fire."

Bagwill also noted that many agencies face dwindling budgets and staffing levels and may be struggling to demonstrate to high-level officials the return on investment from a security policy.

The NIST guide leads agencies through risk profiling, which is an analysis of the potential threats to an agency's systems.

Such an analysis should determine how rigorous a security policy the agency should develop, which in turn should drive the cost of the security controls needed to meet policy requirements.

The analysis also provides an introduction to various aspects of computer security topics for nontechnical agency employees.

Most Outfits Not Prepared

Richard Power, an analyst with San Francisco-based Computer Security Institute, said most organizations do not have a computer security policy in place to protect their systems. A joint CSI/FBI study in 1996 found that 57 percent of local, state and federal agencies surveyed had not developed policies to secure computer systems.

The final draft of the Internet security policy guide is scheduled to be released in December. Bagwill said comments on the draft have been mostly favorable.
