Information Security News mailing list archives

NIST Updating Catalog of Controls


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 1 Mar 2012 03:35:37 -0600 (CST)

http://www.bankinfosecurity.com/articles.php?art_id=4541

By Eric Chabrow
Bank Info Security
February 29, 2012

More than a year in the making, the National Institute of Standards and Technology issued Feb. 28 an initial public draft updating one of its premier special publications, SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations, which incorporates expanded privacy controls and addresses new threats that were unheard of when NIST issued revision 3 in 2009.

"The past year, we've taken a thorough scrub at that catalog and we have been able to add a significant number of new controls and enhancements that deal with some of the challenges we have had, and the new technologies that we're routinely using, like mobile and cloud," says Ron Ross, NIST fellow and leader of the institute's Federal Information Security Management Act implementation project.

NIST added the word privacy to the title of the draft guidance, its fourth revision, unveiled at RSA Conference 2012 in San Francisco, because it expands the set of privacy controls in the framework that federal agencies use to protect their information and information systems. "Privacy and security are complementary, so we decided to combine them in SP 800-53," Ross says.

The draft revision also provides controls to handle insider threats, supply chain risk, cloud computing technologies and other cybersecurity challenges as well as application security, firmware integrity, distributed systems and advanced persistent threat. "The changes we propose in revision 4 are directly linked to the current state of the threat space - the capabilities, intentions and targeting activities of adversaries - and analysis of attack data over time," Ross says.

[...]



