Implementation of the process approach to managing risks of information security in the NIST documents
DOI: https://doi.org/10.20535/2411-1031.2017.5.2.136970
Keywords: methodical documents, cyber security, information security risks, process approach, risk management, standards, special publications, NIST
Abstract
The methodological foundations of the work of the National Institute of Standards and Technology (NIST) of the United States are examined, with a focus on the process approach NIST takes when developing its recommendations, manuals, guidelines and framework documents. The principles these documents establish direct the activities of organizations in managing information security risks. The article analyzes NIST's methodical documents on information security, cyber security and computer security that are intended to help an organization select a set of security controls. The analysis covers three stages of information protection work: first, the categorization of information and information systems; second, the application of the basic rules governing organizational information protection measures; third, the selection and tailoring of controls that are appropriate and adequate for a particular information system. The NIST documents examined give information protection specialists practical guidance for reducing information security risks. In the United States their use is mandatory for federal agencies, but a security system built on them is aimed at reducing the risks to information and information systems in any organization, not only those in state ownership, and the basic protection measures they propose can be adapted for practical use with minor modifications. Building an effective, individual, integrated information security system is an important task, and it rests on the process of managing information security risks. Such a system preserves both the profitability of the organization and its reputation by reducing information security risks.
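The abstract names the three stages (categorize the system, apply the baseline rules, select and tailor controls) without showing how they are computed. The following is an added worked example, not code from the article: it applies the FIPS 199 high-water-mark rule to a constructed set of information types, maps the resulting impact level to a control baseline as FIPS 200 does, and then tailors that baseline while refusing any control removal that lacks a documented justification. The information types, their impact values and the abbreviated baseline table are constructed assumptions for illustration; the real SP 800-53 baseline tables are much larger and are the authoritative source.

```python
"""Worked example of the three stages named in the abstract: categorize an
information system (FIPS 199 high-water mark), pick the control baseline that
FIPS 200 ties to that category, then tailor it with documented justification.
Added illustration, not code from the article. The information types, impact
values and the abbreviated baseline table are constructed for the example."""
from enum import IntEnum
from typing import Dict, Iterable, Set, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() picks the highest."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES: Tuple[str, ...] = ("confidentiality", "integrity", "availability")

# Constructed sample: information types one hypothetical system processes,
# each with a provisional FIPS 199 impact level per security objective.
SAMPLE_INFO_TYPES: Dict[str, Dict[str, Impact]] = {
    "public web content":  {"confidentiality": Impact.LOW,      "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "citizen PII records": {"confidentiality": Impact.HIGH,     "integrity": Impact.MODERATE, "availability": Impact.LOW},
    "audit logs":          {"confidentiality": Impact.MODERATE, "integrity": Impact.HIGH,     "availability": Impact.MODERATE},
}

# Constructed, abbreviated baseline table (assumption for illustration only):
# which of a handful of SP 800-53 controls each baseline includes. The real
# baseline tables published by NIST are far larger and are authoritative.
SAMPLE_BASELINES: Dict[str, Set[str]] = {
    "LOW":      {"AC-2", "AU-2", "CP-9", "IA-2", "PE-3"},
    "MODERATE": {"AC-2", "AU-2", "CP-9", "IA-2", "PE-3", "SC-8"},
    "HIGH":     {"AC-2", "AU-2", "CP-9", "IA-2", "PE-3", "SC-8", "AC-2(1)"},
}


def categorize_system(info_types: Dict[str, Dict[str, Impact]]) -> Dict[str, Impact]:
    """Stage one, FIPS 199 aggregation: for each security objective the system's
    impact is the highest impact of any information type it handles."""
    if not info_types:
        raise ValueError("a system with no information types cannot be categorized")
    return {obj: max(levels[obj] for levels in info_types.values()) for obj in OBJECTIVES}


def overall_impact(category: Dict[str, Impact]) -> Impact:
    """FIPS 200 rule: the system's overall impact is the high-water mark
    across the three objectives, and it selects the baseline."""
    return max(category.values())


def select_baseline(category: Dict[str, Impact],
                    baselines: Dict[str, Set[str]] = SAMPLE_BASELINES) -> Tuple[str, Set[str]]:
    """Stage two: return the baseline name and a copy of its control set."""
    level = overall_impact(category).name
    return level, set(baselines[level])


def tailor_baseline(baseline: Set[str], removals: Dict[str, str],
                    additions: Iterable[str] = ()) -> Tuple[Set[str], Dict[str, str]]:
    """Stage three: tailoring. A baseline control may be scoped out (or marked
    as inherited) only with a written justification that goes into the system
    security plan; an empty justification is refused. Controls added on the
    basis of the risk assessment are always accepted."""
    tailored = set(baseline)
    rationale: Dict[str, str] = {}
    for control, justification in removals.items():
        if control not in tailored:
            raise KeyError(f"{control} is not in the selected baseline")
        if not justification or not justification.strip():
            raise ValueError(f"removing {control} requires a documented justification")
        tailored.discard(control)
        rationale[control] = justification.strip()
    tailored.update(additions)
    return tailored, rationale


def format_category(category: Dict[str, Impact]) -> str:
    """Render the result in FIPS 199 notation, SC = {(objective, impact), ...}."""
    inner = ", ".join(f"({obj}, {category[obj].name})" for obj in OBJECTIVES)
    return "SC = {" + inner + "}"


if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(sc))
    level, baseline = select_baseline(sc)
    print(level, sorted(baseline))
    tailored, why = tailor_baseline(
        baseline,
        {"PE-3": "inherited as a common control from the hosting facility; see system security plan"},
    )
    print(sorted(tailored), why)
```

With the constructed inputs the system categorizes as HIGH for confidentiality and integrity (driven by the PII records and the audit logs respectively) and MODERATE for availability, so the high-water mark places it in the HIGH baseline even though no single information type is HIGH in all three objectives. That is the practical point of the categorization stage: one sensitive information type pulls the whole system, and therefore its control baseline, up with it.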
License
Copyright (c) 2020 Collection "Information technology and security"
This work is licensed under a Creative Commons Attribution 4.0 International License.