NIST Security Guidance Revision: Prepare Now - InformationWeek


Comments
Vincent Berk,
User Rank: Apprentice
6/18/2014 | 5:39:51 PM
Remark Clarification

I'd like to clarify my earlier remark that I expect Revision 5 to be released in early 2015. Even though no date has been announced, I believe this is the clear trend given the 2-year cycle we've seen in the past for the release of Revisions of Special Publication 800-53.

— Dr. Vincent Berk, CEO of FlowTraq

David F. Carr,
User Rank: Author
6/18/2014 | 9:20:32 AM
No date for next NIST guidance
The original version of this column asserted that Revision 5 was "expected" to be published in April 2015. We received the following request for a correction from NIST public affairs:

"In an InformationWeek commentary by Vincent Berk on June 16, 2014, it was reported incorrectly that NIST plans to update its security and privacy controls catalog, Special Publication 800-53, from Revision 4 to Revision 5. NIST has not announced any plans to update that publication or proposed any date for such an update."

I'm not sure of the source of confusion but meanwhile have revised the text to make clear that Mr. Berk's assertion is an opinion.

- David F. Carr, editor, InformationWeek Government
RetiredUser,
User Rank: Strategist
6/17/2014 | 1:42:32 AM
Aging Standards in a DevOps World
While I believe standards are necessary, guidelines appreciated, and recommendations great for comparison, in the InfoSec world, where DevOps rules, NIST is the rarely visiting relative who has to be caught up on what's happening in the family every time it shows up. Too many organizations spend ridiculous amounts of money on documentation, requirements, audit criteria and other artifacts without actually touching the actual environment at risk, or watching an exploit being worked in real-time. Today's enterprise security leadership and teams have to be ready to change strategy, tools and scope on the daily, if not hourly.

If your company just wants to look like they are doing something about risk, sure, write a few thousand pages based upon Common Criteria and NIST framework recommendations, audit requirements, security targets of evaluation. But if you actually want your enterprise environment to be secure and stand up against the most innovative cyber criminals, get out there into the underground, talk to people and learn, hack and capture a few flags, and stay glued to sites like Dark Reading and Packet Storm. If you have the resources, set up an internal penetration lab to actively hack your own applications and network model in a mirrored environment. And, hire the best; not on paper, but tried and true in the underground.

Until government agencies catch on to the Free and Open Source Software (FOSS) way of doing things, and start acknowledging the 24/7 world of DevOps is ever-changing and that InfoSec is a massive endeavor, not easily squished into a couple hundred pages of rigid government standards, it will always be behind the times and cyber criminals leagues ahead of them.
D.M. Romano,
User Rank: Moderator
6/16/2014 | 1:37:16 PM
Overlooked
"For a multi-faceted data acquisition approach, we must start by analyzing the key threat categories that we face."

I've worked in several environments and am surprised at how often this is overlooked and not effectually evaluated.