NIST revises guidelines for IT security metrics

[InfoSec News <alerts () infosecnews org>]

http://www.gcn.com/online/vol1_no1/46698-1.html

By William Jackson
GCN.com
07/22/08

The National Institute of Standards and Technology has released a 
revised version of guidelines for developing metrics to ensure that 
agencies meet information technology security requirements.

Special Publication 800-55, Revision 1 [1], titled "Performance 
Measurement Guide for Information Security," is intended to assist 
agencies in developing, selecting and implementing security measures 
used at the IT system and program levels. It uses security controls 
identified in NIST SP 800-53, "Recommended Security Controls for Federal 
Information Systems," as a basis for developing metrics that support the 
evaluation of IT security programs. The original version of SP 800-55 
was published in 2003.

Requirements for securing and evaluating IT systems are included in a 
number of laws, including the Clinger-Cohen Act, the Government 
Performance and Results Act, the Government Paperwork Elimination Act 
and the Federal Information Security Management Act. However, the laws 
do not specify how agencies are to conduct the evaluations, so the NIST 
document provides the necessary guidance. 

[1] http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf

[...]


_______________________________________________      
Attend Black Hat USA, August 2-7 in Las Vegas, 
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings 
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.  
Visit product displays by 30 top sponsors in 
a relaxed setting. http://www.blackhat.com