Product / System Configuration Guidance
Product and system implementation guidance documents recommend
security settings for products and systems. The documents
are not meant to replace a well-structured security policy or sound
judgment. Furthermore, most of the documents do not address site-specific
configuration issues. Care must be taken to address local operational
and policy concerns.
- Government Security Recommendation Guides
Security Recommendation Guides are documents that contain
recommended security settings for products. The guides are
not meant to replace a well-structured security policy or sound
judgment. Furthermore, the guides do not address site-specific
configuration issues. Care must be taken when implementing
the guides to address local operational and policy concerns.
The security changes described in the guides only apply to
specifically identified operating systems or architecture components
and should not be applied to any other operating systems or
architecture components.
Guides exist for Windows 2000, Windows NT, Cisco Routers, E-mail,
Executable Content and Secure Linux. Check the web site for updates
and new offerings.
- Implementation Guidance
The NIST Special Publication 800 and 500 series contain
implementation guidance.
Examples include:
Guidelines on Firewalls and Firewall Policy, Recommendation
for Block Cipher Modes of Operation - Methods and Techniques,
Underlying Technical Models for Information Technology Security,
December 2001, Introduction to Public Key Technology and the
Federal PKI Infrastructure, Intrusion Detection Systems (IDS),
Risk Management Guide for Information Technology Systems, A
Comparison of the Security Requirements for Cryptographic Modules
in FIPS 140-1 and FIPS 140-2, Guidelines on Active Content
and Mobile Code, Engineering Principles for Information Technology
Security (A Baseline for Achieving Security), Security Self-Assessment
Guide for Information Technology Systems, Federal Agency Use
of Public Key Technology for Digital Signatures and Authentication,
Guideline to Federal Organizations on Security Assurance and
Acquisition/Use of Tested/Evaluated Products, Guideline for
Implementing Cryptography in the Federal Government, Mobile
Agent Security, Guide for Developing Security Plans for Information
Technology Systems, Minimum Interoperability Specification
for PKI Components (MISPC), Generally Accepted Principles and
Practices for Securing Information Technology Systems, An Introduction
to Computer Security: The NIST Handbook, and a host of others.
- Implementation Guidance in Development
Special Publication 800-45 Guidelines on Electronic Mail
Security, Special Publication 800-40, Procedures for Handling
Security Patches, Special Publication 800-44, Guidelines on
Securing Public Web Servers, Draft Special Publication 800-42,
Guideline on Network Security Testing, Special Publication
800-43, System Administration Guidance for Windows 2000 Professional,
Use of the CVE Vulnerability Naming Scheme Within its Acquired
Products and Information Technology Security Procedures, NIST
Special Publication 800-34, "Contingency Planning Guide for
Information Technology Systems", Special Publication 800-46,
Security for Telecommuting and Broadband Communications, Special
Publication 800-47, Security Guide for Interconnecting Information
Technology.
- Security Technical Implementation Guidelines
The Department of Defense has the Information Assurance Support
Environment (IASE) server at DISA. This site contains the latest
copies of the Security Technical Implementation Guides (STIGs),
as well as checklists, scripts, and other related security
information. The site is available to organizations with
a .mil or .gov domain.
- IT Security Metrics
Federal IT security personnel are developing system-level
metrics that can be used to assist with GISRA and other IT
reporting requirements. Those metrics are derived from IT
security performance goals and objectives reflected in high-level
policies, requirements, laws, regulations and guidance.
Examples include: the Clinger-Cohen Act, Presidential Decision
Directive 63, the Government Information Security Reform Act (GISRA),
OMB Circular A-130, Appendix III, the Critical Elements within
NIST Special Publication 800-26, the Federal Information System
Controls Audit Manual (FISCAM), and the new Draft Special
Publication 800-37 on Federal Certification and Accreditation.
Metrics yield quantitative rather than qualitative information,
which increases the objectivity and validity of the data. Metrics
should be readily available or easily collected through interviews
or by accessing data repositories. IT metrics should be repeatable
in a standard way, at predetermined intervals, so that trends can be
identified and it can be determined whether changes have resulted in
positive corrective action. Metrics must support stakeholders and
yield information that supports IA cost-benefit trade-off analysis.