US agency publishes security guide

At the end of February, the Computer Security Division (CSD) of NIST (National Institute of Standards and Technology) published a report (PDF file, 1815 KByte) describing the measures US federal agencies should take to protect their IT. Although it was written for a limited audience, the report is of interest to a wider readership because many of its recommendations can also be adopted by private companies.

For example, NIST defines the following steps as the priorities when implementing an IT security program:

  • Categorize the information system and the information resident within that system based on a FIPS 199 impact analysis.
  • Select an initial set of security controls (i.e., baseline) for the information system as a starting point based on the FIPS 199 security categorization.
  • Adjust (or tailor) the initial set of security controls based on an assessment of risk and local conditions including organization-specific security requirements, specific threat information, cost-benefit analyses, the availability of compensating controls, or special circumstances.
  • Document the agreed-upon set of security controls in the system security plan including the organization’s justification for any refinements or adjustments to the initial set of controls.
  • Implement the security controls in the information system. For legacy systems, some or all of the security controls selected may already be in place.
  • Assess the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
  • Determine the risk to organizational operations and assets resulting from the planned or continued operation of the information system.
  • Authorize information system processing (or for legacy systems, authorize continued system processing) if the level of risk to the organization’s operations or assets is acceptable.
  • Monitor and assess selected security controls in the information system on a continuous basis including documenting changes to the system, conducting security impact analyses of the associated changes, and reporting the security status of the system to appropriate organizational officials on a regular basis.
