NIST preps policy plan

The National Institute of Standards and Technology is finalizing a guide designed to help agencies craft a security policy to ward off widespread vulnerabilities associated with Internet use.

While Internet connectivity offers enormous benefits to users, it is dangerous for sites with low levels of security, according to a draft copy of the guide. The document was written for high- and midlevel managers as well as technical employees. It tackles policies for specific Internet usage such as e-mail and virtual private networking.

Sample policies for each area are tailored to fit data that an agency may determine to have a low, medium or high risk of becoming a target of unauthorized users.

Little Previous Guidance

Robert Bagwill, a member of NIST's Security Division and the author of the guide, said not much material has been published that steers agencies through the decision-making process that is central to designing a security policy.

"There's no workbook that a manager can read the first chapter of and hand it to a technical guy and say, `Do this, this and this,'" Bagwill said. "Some of this is proactive; it's putting up fire extinguishers before you have a fire."

Bagwill also noted that many agencies face dwindling budgets and staffing levels, and may be struggling to demonstrate to high-level officials the return on investment from a security policy.

The NIST guide leads agencies through risk profiling, which is an analysis of the potential threats to an agency's systems.

Such an analysis should determine how rigorous a security policy the agency should develop, which in turn should drive the cost of the security controls needed to meet policy requirements.

The analysis also provides an introduction to various aspects of computer security topics for nontechnical agency employees.

Most Outfits Not Prepared

Richard Power, an analyst with the San Francisco-based Computer Security Institute, said most organizations do not have a computer security policy in place to protect their systems. A joint CSI/FBI study in 1996 found that 57 percent of local, state and federal agencies surveyed had not developed policies to secure computer systems.

The final draft of the Internet security policy guide is scheduled to be released in December. Bagwill said comments on the draft have been mostly favorable.
