Comments
NIST Security Guidance Revision: Prepare Now
Vincent Berk
User Rank: Apprentice
6/18/2014 | 5:39:51 PM
Remark Clarification

I'd like to clarify my earlier remark that I expect Revision 5 to be released in early 2015. Even though no date has been announced, I believe this is the clear trend given the 2-year cycle we've seen in the past for the release of Revisions of Special Publication 800-53.

— Dr. Vincent Berk, CEO of FlowTraq

David F. Carr
User Rank: Author
6/18/2014 | 9:20:32 AM
No date for next NIST guidance
The original version of this column asserted that Revision 5 was "expected" to be published in April 2015. We received the following request for a correction from NIST public affairs:

"In an InformationWeek commentary by Vincent Berk on June 16, 2014, it was reported incorrectly that NIST plans to update its security and privacy controls catalog, Special Publication 800-53, from Revision 4 to Revision 5. NIST has not announced any plans to update that publication or proposed any date for such an update."

I'm not sure of the source of confusion but meanwhile have revised the text to make clear that Mr. Berk's assertion is an opinion.

- David F. Carr, editor, InformationWeek Government
Christian Bryant
User Rank: Apprentice
6/17/2014 | 1:42:32 AM
Aging Standards in a DevOps World
While I believe standards are necessary, guidelines appreciated, and recommendations great for comparison, in the InfoSec world, where DevOps rules, NIST is the rarely visiting relative who has to be caught up on what's happening in the family every time it shows up. Too many organizations spend ridiculous amounts of money on documentation, requirements, audit criteria and other artifacts without actually touching the actual environment at risk, or watching an exploit being worked in real-time. Today's enterprise security leadership and teams have to be ready to change strategy, tools and scope on the daily, if not hourly.

If your company just wants to look like they are doing something about risk, sure, write a few thousand pages based upon Common Criteria and NIST framework recommendations, audit requirements, security targets of evaluation. But if you actually want your enterprise environment to be secure and stand up against the most innovative cyber criminals, get out there into the underground, talk to people and learn, hack and capture a few flags, and stay glued to sites like Dark Reading and Packet Storm. If you have the resources, set up an internal penetration lab to actively hack your own applications and network model in a mirrored environment. And, hire the best: not on paper, but tried and true in the underground.

Until government agencies catch on to the Free and Open Source Software (FOSS) way of doing things, and start acknowledging that the 24/7 world of DevOps is ever-changing and that InfoSec is a massive endeavor, not easily squished into a couple hundred pages of rigid government standards, they will always be behind the times, and cyber criminals leagues ahead of them.
D.M. Romano
User Rank: Moderator
6/16/2014 | 1:37:16 PM
Overlooked
"For a multi-faceted data acquisition approach, we must start by analyzing the key threat categories that we face."
I've worked in several environments and am surprised at how often this is overlooked and not effectually evaluated. 