NIST updates guidelines for measuring information security

New document advises agencies in ensuring secure processes for individual programs.

Guidelines on evaluating information security have been revised to help agencies do a better job of assessing the security of individual IT programs, but at least one observer is questioning how useful the update will prove.

Last month the National Institute of Standards and Technology released the latest revision in its Special Publication 800 series, which offers research and guidelines to help agencies implement the 2002 Federal Information Security Management Act. SP 800-55 Revision 1 provides processes for linking information system security to agencies' performance and missions. Those processes are based on the security controls identified in NIST SP 800-53, released in December 2007.

Specifically, the update describes the roles and responsibilities of employees who have a direct interest in information security and who should therefore "work to instill a culture of information security awareness across the organization." These positions include the agency head, chief information officer, senior agency information security officer, program manager or information system owner, and information system security officer. The document also provides background on information security performance measurement, defines the types of measures that can be used, and recommends that agencies develop a comprehensive risk management program with quantifiable inputs that define benefits and returns and can be used to justify funding requests.

The types of security measures that have the potential to improve program development fall into three categories, according to the document: implementation, effectiveness/efficiency and impact. The focus of information security measures shifts as the program matures.

"By using measures to target security investments, these measures can aid organizations in obtaining the best value from available resources," the document stated.

The sections toward the end of the document provide the meat, with recommendations on how to develop and implement information security measures. Agencies should establish general measures that can be implemented as a best practice, according to the document, as well as measures specific to a given program or period of time.

A companion to that document, SP 800-53A, released July 1, explains how to evaluate a network's security controls, risk management processes, and the security-related strengths and weaknesses of information systems that support missions and applications.

But the guidelines don't provide enough examples of metrics agencies can use to measure the strength of their security, said Alan Paller, director of research at the SANS Institute, a cybersecurity research and education group. Some of the examples NIST did provide are poor, he said.

"They put in metrics like 'percentage of remote access points used to gain unauthorized access,' and, worst of all, 'percentage of information security employees who have received security training,'" he said. "It's embarrassing that our tax money is spent on … vapid reports like this."

SP 800-55 Revision 1 replaces the original SP 800-55, which was created five years ago to offer agencies an approach for measuring the effectiveness of security controls, as well as SP 800-80, which also assisted with the evaluation of information security practices.