NIST SP800-100：联邦信息安全管理手册

需积分: 10 14 浏览量更新于2024-07-16 收藏 7.84MB PDF 举报

"NIST SP800-100 是一份由美国国家标准与技术研究所（NIST）发布的信息安全手册，旨在为管理者提供一个全面的信息安全程序概览，以帮助他们在组织内建立和实施信息安全程序。该手册依据了包括1996年克林格-科汉法、2002年联邦信息安全管理法（FISMA）以及管理与预算办公室（OMB）第A-130号通告在内的相关法律和法规。尽管手册中的指导不针对特定机构，但各机构应根据自身安全态势和业务需求对其进行调整。该文档的主要受众包括机构负责人、首席信息官（CIO）、高级机构信息安全官员（SAISO，通常也称为首席信息安全官[CISO]）和安全经理。手册不仅总结了NIST的现有标准和指南，还提供了相关信息主题的附加信息，并在适当章节中引用了相关文档。" 本资源详细介绍了NIST SP800-100的目的和适用范围，它旨在为信息安全管理团队提供多方面的信息安全知识，以供他们在各自的组织中实施和监督。此外，该手册还为在整个联邦政府范围内实现信息安全程序的一致性提供了指导。虽然主要关注联邦部门，但其原则同样适用于其他政府、组织或机构的安全要求。 NIST SP800-100与其他NIST的指导文件相辅相成，对这些文件进行了总结和补充，同时在相关子章节中提供了额外信息。这些文件可能包括但不限于风险管理、安全控制选择、实施方法和效果验证等方面，这些都是构建信息安全策略的重要组成部分。手册的目标读者群体主要包括机构负责人、CIO、SAISO/CISO以及安全经理。无论是在联邦还是私营部门，这些读者都可以利用其中的信息来构建他们的信息安全程序战略，尽管两个领域的优先级和法律要求可能存在差异，但信息安全的基本原则是一致的。通过NIST SP800-100，管理者可以了解到如何确保安全控制的选择和实施，以及如何证明这些控制满足了声明的安全要求。此外，它还提供了关于信息安全管理的广泛信息，涵盖了法律合规性、风险评估、安全政策制定、持续监控、教育与培训等多个方面，这些都是构建一个有效且合规的信息安全框架的关键元素。 NIST SP800-100是信息安全领域的重要参考资料，它提供了一套全面的方法来帮助管理者理解和实施信息安全措施，以保护组织的敏感数据和信息系统。这份手册对于任何寻求理解信息安全实践基础的管理者来说都极具价值。

CHAPTER 2 Information Security Governance

• Clear and comprehensive mission, vision, goals, and objectives and how they

relate to agency mission;

• High-level plan for achieving information security goals and objectives,

including short- and mid-term objectives and performance targets, specific for

each goal and objective, to be used throughout the life of this plan to manage

progress toward successfully fulfilling the identified objectives; and

• Performance measures to continuously monitor accomplishment of identified

goals and objectives and their progress toward stated targets.

Agencies should document their information security strategy in an information

security strategic plan or another document, if appropriate. Regardless of how the

information security strategy is documented, its contents should be aligned with the

overall agency strategic planning activities. The document should be revisited when a

major change in the agency information security environment occurs, including:

• Change in applicable legislation, regulations, or directives;

• Change in agency mission priorities; and

• Emerging information security issues, such as changes in threat and

vulnerability environment or the introduction of new technologies.

2.2.2 Information Security Governance Structures

Information security governance structures can be characterized in a number of

ways. There are two basic models of information security governance structures:

centralized and decentralized. While agency heads are ultimately responsible for

managing and governing their respective agency, the authority and responsibility

over information security differs in the two types of structures. Key characteristics of

the two structures are:

• Centralized. Departmental CIO or, in some instances, the SAISO has line-item

budget control over all information security activities throughout the

department. All information security practitioners within the department report

to the departmental SAISO, who is responsible for ensuring implementation

and monitoring of information security controls throughout the entire

department.

• Decentralized. Departmental SAISOs have policy development and oversight

responsibilities. Departmental SAISOs have budget responsibilities over the

departmental information security program, but not over the operating units’

information security programs. Operating unit SAISOs report to the unit head,

not to the departmental SAISO. Operating unit SAISOs are responsible for

implementing and monitoring information security practices within their

respective operating units.

Completely centralized or decentralized information security governance

implementations are quite rare. In reality, the variety of implemented information

security governance structures spans the continuum from a centralized structure at

one end to a decentralized structure at the other. Agencies usually adopt hybrid

structures that include some characteristics of both centralized and decentralized

types of structures, and they adopt the particular mix of these characteristics to fit

their agency mission, size, homogeneity of their components, and existing

governance structure.

CHAPTER 2 Information Security Governance

Agencies in the process of establishing or changing their information security

governance structure should consider the following key factors to determine the

optimal extent of the centralization or decentralization:

• Agency size;

• Agency mission and its level of diversification or homogeneity;

• Existing agency IT infrastructure;

• Existing federal and internal governance requirements;

• Size of agency budget;

• Agency information security capabilities;

• Number of, and distance between, physical locations; and

• Decision-making practices and desired rate of change in information security

practices.

To the degree that these factors are limited or varied, an organization’s hybrid

information security governance structure will fall somewhere between the extremes

of a completely centralized or decentralized structure, as depicted in Figure 2-3. An

organization’s placement on this continuum may also shift over time in response to

changing internal factors or external requirements.

Since information security governance structure is highly dependent on the

overall organizational structure, organizations are often limited in their choices about

how to organize their information security governance activities. Agencies should be

cognizant of the characteristics and challenges that a centralized or decentralized

structure presents and work within their respective organizations to ensure the best

use of information security resources within the boundaries of their own structure.

2.2.3 Key Governance Roles and Responsibilities

There are several governance stakeholders common to most organizations that

span the organization. These stakeholders include senior leadership, a CIO,

information security personnel, and a chief financial officer (CFO), among others. The

specific requirements of each role may differ with the degree of information security

governance centralization or in response to the specific missions and needs of an

organization.

ure 2-3. Information Securit

Governance Structures

See Chapter 5, Capital Planning; Chapter 8, Security Planning; Chapter 11, Certification, Accreditation,

and Security Assessments; and Chapter 14, Configuration Management; of this guide for additional

guidance on system-specific security roles and responsibilities.

CHAPTER 2 Information Security Governance

2.2.3.1 Agency Head

The Clinger-Cohen Act assigns the responsibility for ensuring “that the

information security policies, procedures, and practices of the executive agency are

adequate.”

FISMA provides the following details on agency head responsibilities for

information security:

• Providing information security protections commensurate with the risk and

magnitude of the harm resulting from unauthorized access, use, disclosure,

disruption, modification, or destruction of information collected or maintained

by or on behalf of an agency, and on information systems used or operated by

an agency or by a contractor of an agency or other organization on behalf of an

agency;

• Ensuring that an information security program is developed, documented, and

implemented to provide security for all systems, networks, and data that

support the operations of the organization;

• Ensuring that information security processes are integrated with strategic and

operational planning processes to secure the organization’s mission;

• Ensuring that senior agency officials within the organization are given the

necessary authority to secure the operations and assets under their control;

• Designating a CIO and delegating authority to that individual to ensure

compliance with applicable information security requirements;

• Ensuring that the agency has trained personnel to support compliance with

information security policies, processes, standards, and guidelines; and

• Ensuring that the CIO, in coordination with the other senior agency officials,

reports annually to the agency head on the effectiveness of the agency

information security program, including the progress of remedial actions.

2.2.3.2 Chief Information Officer

FISMA assigns the agency CIO the following responsibilities:

• Designating a senior agency information security officer (SAISO);

• Developing and maintaining an agency-wide information security program;

• Developing and maintaining information security policies, procedures, and

control techniques to address all applicable requirements;

• Ensuring compliance with applicable information security requirements; and

• Reporting annually, in coordination with the other senior agency officials, to the

agency head on the effectiveness of the agency information security program,

including progress of remedial actions.

2.2.3.3 Senior Agency Information Security Officer

FISMA assigns SAISO the following responsibilities:

• Performing information security duties as the primary duty;

Clinger-Cohen Act, 1996.

The SAISO in some agencies is sometimes referred to as the computer information security officer

(CISO) or the chief security officer (CSO).

CHAPTER 2 Information Security Governance

• Heading an office with the mission and resources to assist in ensuring agency

compliance with information security requirements;

• Periodically assessing risk and magnitude of the harm resulting from

unauthorized access, use, disclosure, disruption, modification, or destruction of

information and information systems that support the operations and assets of

the agency;

• Developing and maintaining risk-based, cost-effective information security

policies, procedures, and control techniques to address all applicable

requirements throughout the life cycle of each agency information system to

ensure compliance with applicable requirements;

• Facilitating development of subordinate plans for providing adequate

information security for networks, facilities, and systems or groups of

information systems;

• Ensuring that agency personnel, including contractors, receive appropriate

information security awareness training;

• Training and overseeing personnel with significant responsibilities for

information security with respect to such responsibilities;

• Periodically testing and evaluating the effectiveness of information security

policies, procedures, and practices;

• Establishing and maintaining a process for planning, implementing, evaluating,

and documenting remedial action to address any deficiencies in the information

security policies, procedures, and practices of the agency;

• Developing and implementing procedures for detecting, reporting, and

responding to security incidents;

• Ensuring preparation and maintenance of plans and procedures to provide

continuity of operations for information systems that support the operations

and assets of the agency; and

• Supporting the agency CIO in annual reporting to the agency head on the

effectiveness of the agency information security program, including progress of

remedial actions.

2.2.3.4 Chief Enterprise Architect

The chief enterprise architect or comparable position in an organization is

responsible for:

• Leading agency enterprise architecture development and implementation

efforts;

• Collaborating with lines of business within the agency to ensure proper

integration of lines of business into enterprise architecture;

• Participating in agency strategic planning and performance planning activities to

ensure proper integration of enterprise architecture;

• Facilitating integration of information security into all layers of enterprise

architecture to ensure agency implementation of secure solutions; and

• Working closely with the program managers, the senior agency information

security officer (SAISO), and the business owners to ensure that all technical

CHAPTER 2 Information Security Governance

architecture requirements are adequately addressed by applying FEA and the

Security and Privacy Profile (SPP).

2.2.3.5 Related Roles

Many other individuals within an organization have a stake in information

security, from top senior management down to individual users. A few of the

primary senior management roles and their coinciding responsibilities are listed

below. The scope of each role will depend on whether or not these roles should be

redundant in the decentralized governance structure. These individuals should work

collaboratively to ensure that information security exists within their organizational

responsibility.

Inspector General (IG). The IG is a statutory office within an organization that,

in addition to other responsibilities, works to assess an organization’s information

security practices and identifies vulnerabilities and the possible need to modify

security measures. The IG completes this task by:

• Detecting fraud or instances of waste, abuse, or misuse of an organization’s

funds;

• Identifying operational deficiencies within the organization;

• Ensuring that the underlying problems that permit such failings are rectified;

and

• Offering recommendations for preventing problems in the future.

Chief Financial Officer. The CFO is the senior financial advisor to the

investment review board (IRB) and the agency head. Information security

investments fall within the purview of the CFO and are included in the CFO’s reports.

In this capacity, the CFO is responsible for:

• Reviewing cost goals of each major information security investment;

• Reporting financial management information to OMB as part of the President’s

budget;

• Complying with legislative and OMB-defined responsibilities as they relate to IT

capital investments;

• Reviewing systems that impact financial management activities; and

• Forwarding investment assessments to the IRB.

Chief Privacy Officer or other designated official with privacy

responsibilities. The chief privacy officer is responsible for privacy compliance

across an organization, including privacy compliance measures that apply to

information security assets and activities. The chief privacy officer works to maintain

a balance between security and privacy requirements, and works to ensure that one

is not compromised for the sake of the other. To this end, the chief privacy officer

serves as the senior official responsible for:

• Developing, promoting, and supporting the organization’s privacy programs;

• Encouraging awareness of potential privacy issues and policies; and

• Reviewing and implementing privacy regulations and legislation.

Physical Security Officer or other designated official with physical

security responsibilities. The physical security officer is responsible for the overall

implementation and management of physical security controls across an

organization, to include integration with applicable information security controls. As

information security programs are developed, senior agency officials should work to

剩余177页未读，继续阅读

艾米的爸爸

粉丝: 787
资源: 314

NIST SP800-100：联邦信息安全管理手册

你该知道的NIST SP 800系列指南.pdf

NIST SP800-46.pdf

NIST SP800-52.pdf

NIST SP800-78-4.pdf

NIST SP800-27-RevA.pdf

NIST SP800-63-2.pdf

NIST SP800-79-2.pdf

NIST SP800-71-draft.pdf

NIST SP800-79-1.pdf

NIST SP800-76-2.pdf

最新资源