Appendix D: Security Management Program Framework
National Institute of Standards and Technology (NIST) standards are available free of charge at www.nist.gov; the NIST security standards are available at csrc.nist.gov. The information herein does not intend to duplicate the excellent work of these standards, but rather to use them as a basis for developing organization-specific tools for use during the planning and execution of a security management program (SMP). The same organization-specific tools may find their foundation in the International Organization for Standardization (ISO) security standards (e.g., ISO 27002 [formerly ISO 17799]) or in other industry security standards. How to Achieve ISO 27001 Certification—An Example of Compliance Management by Sigurjon Thor Arnason and Keith D. Willett introduces the concept of an SMP framework. This appendix uses the same concept, but uses NIST SP 800-53 as the basis for the SMP framework.
Table D.2 displays an SMP framework that uses NIST SP 800-53, Recommended Security Controls for Federal Information Systems, as its basis. The abbreviations in the "Control Reference" column are those used in the NIST standards. The categories and elements are taken verbatim from NIST SP 800-53 so that the organization can demonstrate, control by control, that its security program is consistent and compliant with the NIST standards. If the organization is better served by compliance with ISO 27002 or by achieving ISO 27001 certification, then use the ISO standards as the basis for the SMP instead of NIST.
There are many uses and benefits for an SMP framework; these benefits include:

- A standard outline in which to define organizational security.
- A security outline with its basis in an industry standard.