NIST Security Guidance Revision: Prepare Now - InformationWeek

NIST Security Guidance Revision: Prepare Now
Vincent Berk,
User Rank: Apprentice
6/18/2014 | 5:39:51 PM
Remark Clarification

I'd like to clarify my earlier remark that I expect Revision 5 to be released in early 2015. Even though no date has been announced, I believe this is the clear trend given the 2-year cycle we've seen in the past for the release of Revisions of Special Publication 800-53.

— Dr. Vincent Berk, CEO of FlowTraq

David F. Carr,
User Rank: Author
6/18/2014 | 9:20:32 AM
No date for next NIST guidance
The original version of this column asserted that Revision 5 was "expected" to be published in April 2015. We received the following request for a correction from NIST public affairs:

"In an InformationWeek commentary by Vincent Berk on June 16, 2014, it was reported incorrectly that NIST plans to update its security and privacy controls catalog, Special Publication 800-53, from Revision 4 to Revision 5. NIST has not announced any plans to update that publication or proposed any date for such an update."

I'm not sure of the source of confusion but meanwhile have revised the text to make clear that Mr. Berk's assertion is an opinion.

- David F. Carr, editor, InformationWeek Government

Christian Bryant,
User Rank: Strategist
6/17/2014 | 1:42:32 AM
Aging Standards in a DevOps World
While I believe standards are necessary, guidelines appreciated, and recommendations great for comparison, in the InfoSec world, where DevOps rules, NIST is the rarely visiting relative who has to be caught up on what's happening in the family every time it shows up. Too many organizations spend ridiculous amounts of money on documentation, requirements, audit criteria and other artifacts without actually touching the actual environment at risk, or watching an exploit being worked in real-time. Today's enterprise security leadership and teams have to be ready to change strategy, tools and scope on the daily, if not hourly.

If your company just wants to look like they are doing something about risk, sure, write a few thousand pages based upon Common Criteria and NIST framework recommendations, audit requirements, security targets of evaluation. But if you actually want your enterprise environment to be secure and stand up against the most innovative cyber criminals, get out there into the underground, talk to people and learn, hack and capture a few flags, and stay glued to sites like Dark Reading and Packet Storm. If you have the resources, set up an internal penetration lab to actively hack your own applications and network model in a mirrored environment. And, hire the best; not on paper, but tried and true in the underground.

Until government agencies catch on to the Free and Open Source Software (FOSS) way of doing things, and start acknowledging the 24/7 world of DevOps is ever-changing and that InfoSec is a massive endeavor, not easily squished into a couple hundred pages of rigid government standards, it will always be behind the times and cyber criminals leagues ahead of them.

D.M. Romano,
User Rank: Moderator
6/16/2014 | 1:37:16 PM
Overlooked
"For a multi-faceted data acquisition approach, we must start by analyzing the key threat categories that we face."

I've worked in several environments and am surprised at how often this is overlooked and not effectually evaluated.