Product and system implementation guidance consists of documents that recommend security settings for products and systems. The documents are not meant to replace well-structured security policy or sound judgment. Furthermore, most of the documents do not address site-specific configuration issues. Care must be taken to address local operational and policy concerns.
Security Configuration Guides are documents that contain recommended security settings for products. The guides are not meant to replace well-structured security policy or sound judgment. Furthermore, the guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. The security changes described in the guides apply only to the specifically identified operating systems or architecture components and should not be applied to any other operating systems or architecture components.
Guides exist for: Applications, Database Servers, Operating Systems, Routers, Switches, VoIP and IP Technology, Vulnerabilities, Web Servers and Browsers, Wireless, and other areas. Check the web site for updates and new offerings.
The NIST Special Publication 800 and 500 series provide implementation guidance.
Titles include: Guidelines on Firewalls and Firewall Policy; Recommendation for Block Cipher Modes of Operation - Methods and Techniques; Underlying Technical Models for Information Technology Security, December 2001; Introduction to Public Key Technology and the Federal PKI Infrastructure; Intrusion Detection Systems (IDS); Risk Management Guide for Information Technology Systems; A Comparison of the Security Requirements for Cryptographic Modules in FIPS 140-1 and FIPS 140-2; Guidelines on Active Content and Mobile Code; Engineering Principles for Information Technology Security (A Baseline for Achieving Security); Security Self-Assessment Guide for Information Technology Systems; Federal Agency Use of Public Key Technology for Digital Signatures and Authentication; Guideline to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products; Guideline for Implementing Cryptography in the Federal Government; Mobile Agent Security; Guide for Developing Security Plans for Information Technology Systems; Minimum Interoperability Specification for PKI Components (MISPC); Generally Accepted Principles and Practices for Securing Information Technology Systems; An Introduction to Computer Security: The NIST Handbook; and a host of others.
Special Publication 800-45, Guidelines on Electronic Mail Security; Special Publication 800-40, Procedures for Handling Security Patches; Special Publication 800-44, Guidelines on Securing Public Web Servers; Draft Special Publication 800-42, Guideline on Network Security Testing; Special Publication 800-43, System Administration Guidance for Windows 2000 Professional; Use of the CVE Vulnerability Naming Scheme Within its Acquired Products and Information Technology Security Procedures; NIST Special Publication 800-34, "Contingency Planning Guide for Information Technology Systems"; Special Publication 800-46, Security for Telecommuting and Broadband Communications; Special Publication 800-47, Security Guide for Interconnecting Information Technology.
The Department of Defense has the Information Assurance Support Environment (IASE) server at DISA. This site contains the latest copies of Security Technical Implementation Guidance (STIG), as well as checklists, scripts, and other related security information. The site is available to organizations having a .mil or .gov extension.
Federal IT security personnel are developing system-level metrics that can be used to assist with GISRA and other IT reporting requirements. Those metrics are derived from IT security performance goals and objectives reflected in high-level policies, requirements, laws, regulations and guidance. Examples include: the Clinger-Cohen Act, Presidential Decision Directive 63, the Government Information Security Reform Act (GISRA), OMB Circular A-130, Appendix III, the Critical Elements within NIST Special Publication 800-26, the Federal Information Security Compliance Audit Manual (FISCAM), and the new Draft Special Publication (800-37) on Federal Certification and Accreditation.
Metrics yield quantitative rather than qualitative information, which increases the objectivity and validity of the data. Metrics should be readily available or easily collected through interviews or by accessing data repositories. IT metrics should be repeatable in a standard way, at predetermined intervals, to identify trends or to determine whether changes have resulted in positive corrective actions. Metrics must support stakeholders and yield information that supports IA cost-benefit trade-off analysis.