Rules and guidance for security, integrity, and confidentiality of information and operations, including privacy guidelines that indicate broad-reaching data management practices.
A substantive presentation describing definition, sourcing, application, interpretation, testing, cost effectiveness, calibration, and use of security measurement in a risk context. The presentation also provides insights on related concepts, such as st ...
ISO 27001 builds on BS 7799 with much more guidance on information security measurement and metrics. This paper complements the ISO/IEC standard for information security management systems by exploring: 1) security measurement objectives, 2) what security ...
Guidance on building information security plans, compliant with ISO 13335 risk management standard and compatible with ISO 27001.
The MetricsCenter is a for-pay service dedicated to providing accessible and mathematically sound security metrics design, derivation, and delivery services to Information Security practitioners. Rigorous quantitative analysis is required to free secur ...
The draft Federal Information Processing Standard (FIPS) 180-4 is a proposed revision of FIPS 180-3. Draft FIPS 180-4 adds a general procedure for creating an initialization hash value and two additional secure hash algorithms: SHA-512/224 and SHA-512/256, ...
This document includes most of the current terms and definitions used in NIST information security publications and those in CNSS Instruction No. 4009 (Glossary of Information Assurance terms). The document is meant to be a reference for Federal gover ...
This document supports the development, selection, and implementation of measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting inf ...
A broad overview of information security program elements to assist US federal agency managers in understanding how to establish and implement an information security program.
US federal standard describing technologies and features of SSL VPNs, how SSL fits within the context of layered network security, and a phased approach to SSL VPN planning and implementation.
US federal guideline describing three types of solutions: full disk encryption, volume and virtual disk encryption, and file/folder encryption. Recommendations for implementing and using each type.
US federal standard for installing, configuring, and maintaining secure servers.
NIST Special Publication 800-125 discusses security concerns associated with full virtualization technologies for server and desktop systems, and gives recommendations for addressing these concerns.
SCAP consists of a suite of specifications for standardizing the format and nomenclature by which security software communicates information about software flaws and security configurations. SP 800-126 defines and explains SCAP version 1.1, including the ...
NIST SP 800-144 provides an overview of the security and privacy challenges for public cloud computing and gives recommendations that organizations should consider when outsourcing data, applications, and infrastructure to a public cloud environment. ...
This publication provides recommendations for using two vulnerability naming schemes: Common Vulnerabilities and Exposures (CVE) and Common Configuration Enumeration (CCE). SP 800-51 Revision 1 gives an introduction to both naming schemes and makes recomm ...
US federal guidelines for selecting and specifying security controls for information systems.
As part of the ongoing initiative to develop a unified information security framework for the federal government and its contractors, NIST has included security controls in its catalog for both national security and non-national-security systems. The upda ...
US federal guidelines for the development, selection, and implementation of measures to be used at the information system and program levels to assess the effectiveness of security controls.
Guidelines for incident handling, particularly for analyzing incident-related data and determining the appropriate response to each incident.
Standard for integrating essential information technology (IT) security steps into an established IT system development life cycle (SDLC).
Practical guidance on IT principles and practices to support compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
This document describes security configuration checklists and their benefits, and it explains how to use the NIST National Checklist Program (NCP) to find and retrieve checklists. The publication also describes the policies, procedures, and general requir ...
Standard for making practical sanitization decisions for information storage media, based on the confidentiality level of the information they hold.
US federal guidance on managing a continuous supply of log data; managing log generation and storage; protecting the confidentiality, integrity, and availability of logs; and performing effective analysis of log data.
Describes the characteristics of IDPS technologies and provides recommendations for designing, implementing, configuring, securing, monitoring, and maintaining them.
Guidance on challenges related to integration of information security practices into Web service-based SOA design and development. Practical guidance on standards applicable to Web services and common security threats to SOAs based on Web services.
Asset identification plays an important role in an organization's ability to quickly correlate different sets of information about assets. NISTIR 7693 provides the necessary constructs to uniquely identify assets based on known identifiers and/or known in ...
The Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of the Security Assertion Markup Language (SAML) for Healthcare and the XSPA Profile of the eXtensible Access Control Markup Language (XACML) enable hospitals and other service provide ...
Guidelines intended to promote the use of cryptography; foster confidence in information systems; and help ensure data security and privacy protection in national and global information and communications infrastructures, networks, and systems.
Recommendations and principles for greater information security awareness, including development of a "culture of security" reflected in the creation and use of information systems and networks.