The U.S. National Institute of Standards and Technology establishes standards for a wide range of things. Some of the standards most important to network security are discussed in this section.

NIST SP 800-14

Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems, describes common security principles that should be addressed within security policies. The purpose of this document is to describe 8 principles and 14 practices that can be used to develop security policies. This standard is based on 8 principles, which are:

1. Computer security supports the mission of the organisation.

2. Computer security is an integral element of sound management.

3. Computer security should be cost-effective.

4. System owners have security responsibilities outside their own organisations.

5. Computer security responsibilities and accountability should be made explicit.

6. Computer security requires a comprehensive and integrated approach.

7. Computer security should be periodically reassessed.

8. Computer is security is constrained by societal factors.

NIST SP 800-35

NIST SP 800-35, Guide to Information Technology Security Services, is an overview of information security. In this standard six phases of the IT security life cycle are defined:

• Phase 1: Initiation. At this point the organisation is looking into implementing some IT security service, device, or process.

• Phase 2: Assessment. This phase involves determining and describing the organisation’s current security posture. It is recommended that this phase use quantifiable metrics.

• Phase 3: Solution. This is where various solutions are evaluated and one or more are selected.

• Phase 4: Implementation. In this phase the IT security service, device, or process is implemented.

• Phase 5: Operations. Phase 5 is the ongoing operation and maintenance of the security service, device, or process that was implemented in phase 4.

• Phase 6: Closeout. At some point, whatever was implemented in phase 4 will be concluded. Often this is when a system is replaced by a newer and better system.

NIST SP 800-30 Rev. 1

NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, is a standard for conducting risk assessments. Risk assessments were discussed in a previous chapter. This standard provides guidance to how to conduct such an assessment. There are nine steps in the process:

STEP 1. System Characterization

STEP 2. Threat Identification

STEP 3. Vulnerability Identification

STEP 4. Control Analysis

STEP 5. Likelihood Determination

STEP 6. Impact Analysis

STEP 7. Risk Determination

STEP 8. Control Recommendations

STEP 9. Results documentation