Information Security News mailing list archives

NIST drafts security buying guides


From: InfoSec News <isn () c4i org>
Date: Mon, 14 Oct 2002 02:11:18 -0500 (CDT)

Forwarded from: Elyn Wollensky <elyn () consect com>

http://www.fcw.com/fcw/articles/2002/1007/web-nist-10-11-02.asp

By Diane Frank 
Oct. 11, 2002

The National Institute of Standards and Technology's Computer Security 
Division has released three new draft guides for agencies on buying 
security technologies and services.

The three draft guides, released Oct. 9, approach security acquisition 
from different directions. All of them are necessary to ensure 
security when implementing an information technology network or 
solution. The guides are available on NIST's Computer Security 
Resource Center site (http://csrc.nist.gov). Comments are due back by 
Nov. 11.

The first, "Special Publication 800-36: Guide to Selecting IT Security 
Products," looks at hardware and software specifically for security 
needs, such as identification and authentication, intrusion detection, 
virus and malicious code protection, and forensics. 

The draft doesn't just focus on the specifications of the products; it 
also recommends how managers should take into account the user 
community, the agency's mission, the ease of use, and the ability to 
get upgrades in the future as part of the acquisition decision. 

The guide also outlines the responsibilities of officials throughout 
an organization in choosing a security product for a network. That 
includes not just the security manager and chief information officer, 
but also the program manager, the contracting officer and the agency's 
IT investment review board. 

Comments can be sent to: sp800-36 () nist gov

The second draft, "Special Publication 800-35: Guide to IT Security 
Services," focuses on evaluating and procuring the many security 
services now available. These range from helping to develop a security 
policy to outsourcing the management of an agency's firewall or 
intrusion detection system.

This guide outlines all of the security services now available, and 
also the different management tools and methods for overseeing 
contracted services. And it takes agencies through the management 
process from the initial selection and evaluation to exit or 
transition from a service provider.

Comments can be sent to: sp800-35 () nist gov

The third draft, "Special Publication 800-4A: Security Considerations 
in Federal Information Technology Procurements," is a more broad-based 
guide, looking at all IT procurements and how to ensure that security 
is considered as a factor in every product, service, system and 
network.

The guide takes agencies through the security considerations at every 
point in the acquisition process, from mission planning and 
acquisition planning to managing and closing the contract. 

Comments can be sent to: sp800-4 () nist gov




-
ISN is currently hosted by Attrition.org


