NIST Standards
- NIST SP 800 Series:
- 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems (GAPP) – Provides high-level principles and practices for IT security. NIST has since withdrawn it, but it still appears in older study material.
- 800-18: Guide for Developing Security Plans for Federal Information Systems – Offers guidance on developing security plans.
- 800-27: Engineering Principles for Information Technology Security (A Baseline for Achieving Security) – Defines security engineering principles and maps them onto the five phases of the IT system life cycle (also withdrawn by NIST, but the phase model is still widely taught):
- Initiation
- Development/Acquisition
- Implementation
- Operation/Maintenance
- Disposal
- 800-88: Guidelines for Media Sanitization – Provides guidelines for preventing data remanence through proper media sanitization and disposal. It defines three sanitization levels, Clear (e.g., overwrite), Purge (e.g., degauss, cryptographic erase, ATA/NVMe secure erase) and Destroy (e.g., shred, incinerate), and stresses that the right technique depends on the media type: a simple overwrite is adequate for magnetic disks but is not a reliable purge for flash/SSD because of wear leveling and spare blocks.
- 800-122: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) – Defines PII and offers guidance on protecting it.
- 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations – Describes how to build and implement a continuous monitoring program for information security.
- 800-145: The NIST Definition of Cloud Computing – Provides a definition and characteristics of cloud computing.
FIPS (Federal Information Processing Standards):
- FIPS 199: Standards for Security Categorization of Federal Information and Information Systems – Defines how to categorize information and information systems by the potential impact (Low, Moderate, or High) of a loss of confidentiality, integrity, or availability. Each information type is rated per objective; a system's rating for each objective is the highest rating of any information type it processes.
- FIPS 200: Minimum Security Requirements for Federal Information and Information Systems – Specifies minimum security requirements for federal information systems. It uses the FIPS 199 categorization as a "high-water mark" (the highest impact level across the three objectives) to select the Low, Moderate, or High control baseline from SP 800-53.
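A worked FIPS 199 / FIPS 200 categorization, as an added illustration for these notes (this is not NIST's code, and the information types and impact levels in it are constructed examples, not taken from SP 800-60). It shows the two rules the entries above describe: the per-objective maximum across information types, and the overall high-water mark used to pick a baseline. It also handles the one special case in FIPS 199: "not applicable" is permitted only for the confidentiality of an information type (public information), and a system is never rated below Low on any objective.

```python
"""FIPS 199 security categorization with the FIPS 200 high-water mark.

Added illustration for these study notes, not code from NIST. The
information types used in the demo below are constructed examples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Ordering used for "highest impact wins". N/A is lowest so it never
# raises a result; LOW/MODERATE/HIGH are the three FIPS 199 levels.
IMPACT_ORDER = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its FIPS 199 impact per security objective."""
    name: str
    confidentiality: str  # "N/A" allowed here only (e.g., public information)
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in IMPACT_ORDER:
                raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
            # FIPS 199: "not applicable" applies only to confidentiality, because
            # a loss of integrity or availability always has some impact.
            if level == "N/A" and objective != "confidentiality":
                raise ValueError(f"{self.name}: N/A is only permitted for confidentiality")


def categorize_info_type(info_type: InfoType) -> str:
    """Render the FIPS 199 categorization expression for one information type."""
    return (
        f"SC {info_type.name} = {{(confidentiality, {info_type.confidentiality}), "
        f"(integrity, {info_type.integrity}), (availability, {info_type.availability})}}"
    )


def categorize_system(info_types: Iterable[InfoType]) -> Dict[str, str]:
    """Categorize a system from the information types it stores/processes.

    Per objective, the system inherits the highest impact of any information
    type (FIPS 199). The system floor is LOW, so an N/A confidentiality on an
    information type becomes LOW at system level. The 'overall' entry is the
    FIPS 200 high-water mark that selects the SP 800-53 baseline.
    """
    types = list(info_types)
    if not types:
        raise ValueError("a system must process at least one information type")

    system: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max((getattr(t, objective) for t in types), key=IMPACT_ORDER.__getitem__)
        system[objective] = "LOW" if highest == "N/A" else highest

    system["overall"] = max((system[o] for o in OBJECTIVES), key=IMPACT_ORDER.__getitem__)
    return system


if __name__ == "__main__":
    # Constructed example: a payroll record set and a public web content set
    # hosted on the same system.
    payroll = InfoType("payroll", "MODERATE", "MODERATE", "LOW")
    public_web = InfoType("public_web_content", "N/A", "MODERATE", "HIGH")
    print(categorize_info_type(payroll))
    print(categorize_info_type(public_web))
    print(categorize_system([payroll, public_web]))
```

The point the output makes is the one that surprises people on first reading: a system holding only Moderate-confidentiality data is still a High system (and gets the High baseline) if any information type on it needs High availability, because the baseline follows the highest objective, not the average.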
DOD Standards:
- DOD 8510.01: Risk Management Framework for DoD Information Technology (IT) – The original 2007 issue of DoDI 8510.01 established the DoD Information Assurance Certification and Accreditation Process (DIACAP); the 2014 reissue retired DIACAP and adopted the NIST Risk Management Framework (RMF, SP 800-37) and SP 800-53 controls for DoD systems.
ISO Standards:
- ISO 15288 (ISO/IEC/IEEE 15288): Systems and Software Engineering – System Life Cycle Processes – Defines the life cycle stages and the processes applied across them for systems engineering. Its processes are grouped into four process groups:
- Agreement
- Organizational Project-Enabling
- Technical Management
- Technical
Summary
- NIST SP 800 Series: Comprehensive guidelines for IT security, covering everything from developing security plans to media sanitization and continuous monitoring.
- FIPS: Standards for categorizing information systems and establishing minimum security requirements.
- DOD 8510.01: Establishes the Risk Management Framework (successor to DIACAP) for DoD information technology.
- ISO 15288: Provides international standards for systems engineering processes and life cycle stages.
These standards help organizations establish and maintain robust security practices and ensure compliance with regulatory requirements.
Key concepts
- CalOPPA (California Online Privacy Protection Act):
- Requires operators of commercial websites and online services that collect personally identifiable information from California residents to conspicuously post a privacy policy. Not to be confused with COPPA, the US federal Children's Online Privacy Protection Act, which governs collection of personal information from children under 13.
- Curie Temperature:
- The temperature above which a ferromagnetic material loses its permanent magnetic ordering (it becomes paramagnetic). Heating magnetic media past its Curie point destroys the stored data, which is why it is relevant to media destruction.
- Data at Rest (DAR):
- Refers to inactive data stored on persistent media (disks, tapes, backups, removable drives), as opposed to data in memory or in transit. The main threats are physical loss or theft of the media or device, and improper disposal. Protection measures include full disk encryption (e.g., Microsoft BitLocker) and file-level encryption (e.g., Microsoft EFS), both using AES. Note that full disk encryption only protects the data while the volume is locked (system off or at pre-boot); once unlocked, access is governed by the OS's normal access controls.
- DLP (Data Loss Prevention):
- A set of controls that detect and block sensitive data leaving an authorized boundary (via email, web upload, removable media, etc.). DLP identifies sensitive content through pattern matching, fingerprints, and classification labels, and then applies the action configured for that label (block, encrypt, quarantine, alert). It enforces labels but does not assign or change them in real time; classification is done beforehand by users or classification tooling.
- ECM (Enterprise Content Management):
- A system for centrally managing and controlling an organization’s content and documents.
- Non-Disclosure Agreement (NDA):
- A legal contract that binds employees, contractors, or partners not to share proprietary or confidential information, typically for a defined period that may extend beyond the end of the relationship.
- PCI-DSS (Payment Card Industry Data Security Standard):
- A set of security controls, maintained by the PCI Security Standards Council, that organizations storing, processing, or transmitting cardholder data must follow to protect that data and ensure secure transactions. It is a contractual industry standard rather than a law.
- Watermark:
- Data embedded in a file, either visibly or invisibly, to identify its owner or the recipient of a specific copy. It supports ownership claims and lets leaked copies be traced back to their source, helping protect intellectual property.
These concepts cover various aspects of data security, privacy, and management.