NIST preps policy plan

The National Institute of Standards and Technology is finalizing a guide designed to help agencies craft a security policy to ward off widespread vulnerabilities associated with Internet use.

While Internet connectivity offers enormous benefits to users it is dangerous for sites with low levels of security according to a draft copy of the guide. The document was written for high- and midlevel managers as well as technical employees. It tackles policies for specific Internet usage such as e-mail and virtual private networking.

Sample policies for each area are tailored to fit data that an agency may determine to have a low medium or high risk of becoming a target of unauthorized users.

Little Previous Guidance

Robert Bagwill a member of NIST's Security Division and the author of the guide said not much material has been published that steers agencies through the decision-making process that is central to designing a security policy.

"There's no workbook that a manager can read the first chapter of and hand it to a technical guy and say `Do this this and this ' " Bagwill said. "Some of this is proactive it's putting up fire extinguishers before you have a fire."

Bagwill also noted that many agencies face dwindling budgets and staffing levels and may be struggling to demonstrate to high-level officials the return on investment from a security policy.

The NIST guide leads agencies through risk profiling which is an analysis of the potential threats to an agency's systems.

Such an analysis should determine how rigorous a security policy the agency should develop which in turn should drive the cost of the security controls needed to meet policy requirements.

The analysis also provides an introduction to various aspects of computer security topics for nontechnical agency employees.

Most Outfits Not Prepared

Richard Power an analyst with San Francisco-based Computer Security Institute said most organizations do not have a computer security policy in place to protect their systems. A joint CSI/FBI study in 1996 found that 57 percent of local state and federal agencies surveyed had not developed policies to secure computer systems.

The final draft of the Internet security policy guide is scheduled to be released in December. Bagwill said comments on the draft have been mostly favorable.

Featured

  • IT Modernization
    Eisenhower Executive Office Building (Image: Wikimedia Commons)

    OMB's user guide to the MGT Act

    The Office of Management and Budget is working on a rules-of-the-road document to cover how agencies can seek and use funds under the MGT Act.

  • global network (Pushish Images/Shutterstock.com)

    As others see us -- a few surprises

    A recent dinner with civil servants from Asia delivered some interesting insights, Steve Kelman writes.

  • FCW Perspectives
    cloud (Singkham/Shutterstock.com)

    A smarter approach to cloud

    Advances in cloud technology are shifting the focus toward choosing the right tool for the job and crafting solutions that truly modernize systems.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.