NIST tool analyzes security
- By Diane Frank
- Mar 13, 2001
"Self-Assessment Guide for Information Technology Systems"
The National Institute of Standards and Technology released draft guidance
last week for agencies that are attempting to perform self-assessments of
their information security programs.
The draft Self-Assessment Guide for Information Technology Systems is
a questionnaire that builds upon the Federal IT Security Assessment Framework,
which was developed by NIST and issued by the Chief Information Officers
Council in November 2000.
To comply with the new Government Information Security Reform Act, the
Office of Management and Budget directed agencies to use the framework as
one of many tools for managing security policies. The framework
helps agencies measure their security programs' status against five levels.
The draft guidance provides specifics on how to go about performing
those measurements and is intended to give agencies specific steps to improve.
The questionnaire itself, which covers 17 control areas within a complete
security program, is designed to provide results that will enable agencies
to determine where a system's security program needs improvement. Agency
officials would scan marked columns in the questionnaire to analyze the
specific controls that need to be documented, implemented, tested and integrated
into the life cycle of a system.
Questions are in areas of management controls, operational controls
and technical controls, and delve deeper with more than 200 specific questions.
Once agency officials complete the questionnaire, it provides guidance on
how to analyze and use the results.
Comments on the draft are due back to Marianne Swanson at NIST by April
9 at [email protected].