ITL Bulletin for June 2004

[InfoSec News <isn () c4i org>]

Forwarded from: Elizabeth Lennon <elizabeth.lennon () nist gov>

ITL BULLETIN FOR JUNE 2004

INFORMATION TECHNOLOGY SECURITY SERVICES: HOW TO SELECT, 
IMPLEMENT, AND MANAGE
Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Organizations often need expert assistance in maintaining and
improving the security of their information technology (IT) systems.
Whether they get this assistance from internal sources or from
commercial vendors of security services, organizations must review and
evaluate the sources before committing to service agreements. A
carefully managed process can help assure that sound decisions are
made and that system security is strengthened.

Guide to Information Technology Security Services

NIST's Information Technology Laboratory recently published NIST
Special Publication (SP) 800-35, Guide to Information Technology
Security Services, Recommendations of the National Institute of
Standards and Technology, which provides guidance to help
organizations negotiate the many complexities and challenges in
selecting information technology security services. Written by Tim
Grance, Joan Hash, Marc Stevens, Kristofor O'Neal, and Nadya Bartol,
NIST SP 800-35 helps those who are responsible for selecting,
implementing, and managing their organization's IT security services.
NIST recommends that organizations adopt systematic evaluation and
decision processes to guide their selection of IT security services
and to satisfy their security requirements. This ITL Bulletin
summarizes the new IT services selection guide.

The foundation for the selection of IT security services is a
comprehensive information security management program, including risk
management procedures that are applied throughout the System
Development Life Cycle (SDLC). This same process also underlies the
selection of IT security products, the focus of our April 2004 ITL
Bulletin covering NIST SP 800-36, Guide to Selecting Information
Technology Security Products.

NIST SP 800-35 discusses the roles and responsibilities of the people
within an organization who select, implement and manage the security
services life cycle. It provides an overview of the security services
life cycle and describes the issues to be addressed concerning
security services.  Examples of specific services are described. The
appendices include lists of references and acronyms, an outline of a
security services provider agreement, sample acquisition language, and
answers to frequently asked questions.

The services selection guide is available in electronic format from
the NIST Computer Security Resource Center at
http://csrc.nist.gov/publications. When used with other NIST
publications, including those listed in the More Information section
at the end of this bulletin, the guide will help organizations develop
a comprehensive approach to organizing their overall IT security
efforts, managing risks, and using IT security services.

People Responsible For Security Services

The people responsible for selecting, implementing, and managing
services within an organization will vary depending upon the type and
scope of the service needed, the service arrangement, and the size of
the organization.  Larger organizations that use external security
service providers extensively will have different requirements and
more people involved than smaller organizations with more limited
requirements.

The people who may be involved in the process include the following:

* Chief Information Officer, who is responsible for the organization's
IT planning, budgeting, investment, performance, and acquisition;

* Contracting Officer, who has authority to enter into, administer,
and terminate contracts;

* Contracting Officer's Technical Representative, who is appointed by
the Contracting Officer to manage the technical aspects of a
particular contract;

* IT Investment Board (or equivalent), which is responsible for
planning and for managing the capital planning and investment control
process for federal agencies, as specified in the Information
Technology Management Reform Act of 1996 (Clinger-Cohen Act);

* IT Security Program Manager, who is responsible for developing
enterprise standards for IT security, coordinating and performing
system risk analyses, analyzing alternatives for minimizing risks, and
supporting the acquisition of appropriate security solutions;

* IT System Security Officer, who is responsible for ensuring the
security of an information system throughout its life cycle;

* Program Manager, who owns the data, initiates the procurement, is
involved in strategic planning and is aware of functional services
requirements;

* Privacy Officer, who assures that the service and service
arrangement meet privacy policies regarding the protection,
dissemination, and disclosure of information; and/or

* Other participants, who may include the system certifier and
accreditor, system users, and people representing information
technology, configuration management, design, engineering, and
facilities groups.

IT Security Life Cycle

The SDLC provides the framework that enables the IT security decision
makers to organize their IT security efforts-from initiation to
closeout. The systematic management of the IT security services
process fits into this framework. The organization's IT security is
critically dependent upon the careful consideration of the many issues
connected to security services, and to the prudent management of
organizational risks. IT security decision makers must think about the
costs involved and the underlying security requirements, as well as
the potential impact of their decisions on the organizational mission,
operations, strategic functions, personnel, and service provider
arrangements.

The selection, implementation, and management of security services are
included in the following six phases of the IT security life cycle:

* Phase 1: Initiation-the organization determines if it should
investigate whether implementing an IT security service might improve
the effectiveness of the organization's IT security program.

* Phase 2: Assessment-the organization determines the security posture
of the current environment using metrics and identifies the
requirements and viable solutions.

* Phase 3: Solution-decision makers evaluate potential solutions,
develop the business case, and specify the attributes of an acceptable
service arrangement solution from the set of available options.

* Phase 4: Implementation-the organization selects and engages the
service provider, develops a service arrangement, and implements the
solution.

* Phase 5: Operations-the organization ensures operational success by
consistently monitoring service provider and organizational security
performance against identified requirements, periodically evaluating
changes in risks and threats to the organization and ensuring the
organizational security solution is adjusted as necessary to maintain
an acceptable security posture.

* Phase 6: Closeout-the organization ensures a smooth transition as
the service ends or is discontinued.

Security Services:  Issues and Types

The factors to be considered when selecting, implementing, and
managing IT security services include the type of service arrangement;
service provider qualifications, operational requirements and
capabilities, experience, and viability; trustworthiness of service
provider employees;  and the service provider's capability to deliver
adequate protection for the organization systems, applications, and
information. These considerations will apply to some degree to every
service depending on the size, type, complexity, cost, and criticality
of the services being considered and the specific needs of the
organization implementing or contracting for the services.

An effective security program has many layers of protection. Using
risk management procedures, organizations should evaluate the value of
their systems and their information, and then select the security
controls that are appropriate for the determined levels of risk.
Security programs at both the organizational and system levels should
include an appropriate mix of management, operational, and technical
controls. Technical controls alone are not sufficient for robust
security.

Security services can be obtained to assist organizations in
addressing these management, operational, and technical issues:

* Management Services:  Techniques and concerns normally addressed by
management in the organization's information security program,
including managing risks. These services help organizations develop
and maintain their security programs, effectively implement and
evaluate their programs, develop security architectures, and evaluate
IT security products.

* Operational Services:  Services focused on controls implemented and
executed by people, often requiring technical or specialized expertise
and relying on management activities and technical controls. These
services include assistance with contingency planning, the
establishment of incident handling processes, the testing of security
controls, and conducting security training.

* Technical Services:  Services focused on the security controls that
a system executes, and dependent on the proper function of the system
for effectiveness.  These services include firewall installation and
maintenance, intrusion detection systems, and the design and
development of a Public Key Infrastructure (PKI) system.

While not every available security service is discussed in the guide,
the issues and considerations related to the services life cycle are
presented. These issues and considerations should be useful in meeting
current needs and in addressing future needs as technology changes.

NIST Recommendations

NIST recommends that organizations planning to acquire IT security
services should:

* Develop careful, objective business cases. The need for an IT
security service should be supported by the business needs of the
organization. A business case containing an analysis of the proposed
solution, cost estimate, benefits analysis, project risk analysis, and
an evaluation of other considered alternatives should provide
sufficient documentation to describe and support these needs.

* Develop strong, specific service agreements that define the
expectations of performance for each required security control,
describe measurable outcomes, and identify remedies and response
requirements for any identified instances of noncompliance.

* Use metrics throughout the IT security life cycle.  Metrics will
provide the objective data to evaluate the baseline level of service
in the assessment phase and assess service provider performance in the
operations phase. Wherever possible, metrics should be selected to
indicate progress toward the achievement or maintenance of a security
condition that meets an underlying organizational need.

* Develop processes and procedures that can effectively track the
myriad service agreements and the metrics that will be applied
throughout the life cycle of the many different and disparate IT
security services within an organization.

* Ensure that an appropriate transition (bedding in) period is in
place between an existing service provider or capability and the new
service provider.

* Maintain the technical expertise necessary to understand and manage
the security service being provided and to protect the data critical
to an organization's mission.

* Pay careful attention to six issue areas:  strategy/mission,
budget/funding, technology/architecture, organization, personnel, and
policy/process.

More Information

Federal organizations should consult OMB Circular A-76, Performance of
Commercial Activities, for information on establishing the foundation
for decisions concerning whether activities should be performed under
contract with a commercial activity or performed in-house using
government facilities and personnel.

For a complete list of references to publications and web pages with
information that can help you in selecting, implementing, and managing
IT security services, consult Appendix A of NIST SP 800-35.

NIST Special Publications, including the following, are available in
electronic format from the Computer Security Resource Center at
http://csrc.nist.gov/publications.

NIST SP 800-12, An Introduction to Computer Security: The NIST
Handbook, provides guidance on the fundamentals of information system
security and an introduction to the selection of security controls and
services.

NIST SP 800-16, Information Technology Security Training Requirements:
A Role- and Performance-Based Model, explains a framework for IT
security training requirements and emphasizes results-based learning.

NIST SP 800-18, Guide for Developing Security Plans for Information
Technology Systems, discusses developing and updating security plans.

NIST SP 800-23, Guideline to Federal Organizations on Security
Assurance and Acquisition/Use of Tested/Evaluated Products, discusses
the concept of assurance in the acquisition and use of security
products.

NIST SP 800-25, Federal Agency Use of Public Key Technology for
Digital Signatures and Authentication, assists federal agencies in
using PKI for digital signatures and authentication over open
networks.

NIST SP 800-30, Risk Management Guide for Information Technology
Systems, discusses the risk-based approach to security and provides
guidance on conducting risk assessments.

NIST SP 800-31, Intrusion Detection Systems (IDS), and NIST SP 800-41,
Guidelines on Firewalls and Firewall Policy, provide information on
using and deploying IDSs and firewalls.

NIST SP 800-32, Introduction to Public Key Technology and the Federal
PKI Infrastructure, advises federal organizations on how to determine
if a PKI is appropriate for them and how to use PKI services
effectively.

NIST SP 800-33, Underlying Technical Models for Information Technology
Security, provides information on IT security engineering principles
and concepts for IT systems.

NIST SP 800-34, Contingency Planning Guide for Information Technology
Systems, guides organizations in preparing and maintaining IT
contingency plans.

NIST SP 800-36, Guide to Selecting Information Technology Security
Products, helps organizations select cost-effective and useful
products for their IT systems.

NIST SP 800-37, Guide for the Security Certification and Accreditation
of Federal Information Systems, describes the fundamental concepts of
the certification and accreditation processes, and details the various
tasks in the processes.

NIST SP 800-42, Guideline on Network Security Testing, describes
available security testing techniques, their strengths and weaknesses,
and the recommended frequencies for testing as well as strategies for
deploying network security testing.

NIST SP 800-48, Wireless Network Security: 802.11, Bluetooth, and
Handheld Devices, discusses wireless security issues for local area
networks, personal area networks, and handheld devices.

NIST SP 800-50, Building an Information Technology Security Awareness
and Training Program, provides guidelines to help federal
organizations meet their security training responsibilities and build
a comprehensive awareness and training program.

NIST SP 800-53, Recommended Security Controls for Federal Information
Systems, provides information about selecting security controls to
meet the security requirements for the system (available in draft at
http://csrc.nist.gov/publications/drafts.html).

NIST SP 800-55, Security Metrics Guide for Information Technology
Systems, helps organizations understand the importance of using
metrics and developing a metrics program.

NIST SP 800-64, Security Considerations in the Information System
Development Life Cycle, discusses the analysis of system security
requirements and methods for incorporating security into IT
procurements.

Disclaimer
Any mention of commercial products or reference to 
commercial organizations is for information only; it does 
not imply recommendation or endorsement by NIST nor does it 
imply that the products mentioned are necessarily the best 
available for the purpose.


Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 840-1357



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
(Broke? Spend 15 minutes a day on the project!)