NIST SP800-46: Security for Telecommuting and Broadband Communications

Updated 2024-07-16. PDF, 3.69 MB.
NIST SP800-46, Security for Telecommuting and Broadband Communications, is a Special Publication issued by the National Institute of Standards and Technology (NIST). Its main purpose is to give telecommuting users, system administrators and management introductory information on broadband communication security and policy, home office system security, and the considerations that apply to central office system administrators. The document is meant to help readers understand how to select, deploy and manage broadband communications for telecommuting users; it does not try to impose a rigid communications framework on remote or home office environments, but instead proposes recommended measures for this area.

It covers the following core topics:

1. **Telecommuting security**: The document stresses how important data privacy, authentication and access control are for remote workers, especially when they communicate over the Internet. It recommends strong password policies, encryption and security software to prevent unauthorized access and information leakage.

2. **Broadband communication policy**: It offers guidance on writing a broadband communication policy suited to telecommuting, covering acceptable network use, device management and security training, so that the organization's information security standards are applied consistently.

3. **Home office system security**: It focuses on the security problems of a home office environment, such as protective measures (firewalls and anti-virus protection), device isolation, and secure configuration of network-connected devices.

4. **The system administrator's role**: It clarifies how central office system administrators should monitor and maintain network security in a telecommuting environment, including regular updates, troubleshooting and incident response strategies.

5. **Technical references and testing**: NIST SP800-46 also cites related technical tests and methods that administrators and technical staff can use to evaluate and improve the network security of telecommuting.

6. **National technical infrastructure support**: The document's background notes that NIST's Information Technology Laboratory (ITL) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure.

NIST SP800-46 is a highly practical document that combines theory with practice to give usable guidance on information security in telecommuting environments, helping organizations and individuals respond to the security challenges brought by the growing trend toward remote work. Reading this report not only raises awareness of network security in remote working environments, but also helps ensure that data transmission is compliant and effective.
TLS communications to protect sensitive data transmitted through the Internet. Many books such as [Rescorla01], [Comer00], and [Hall00] describe the Internet's client-server model and communication protocol design principles. None guide Federal users and system administrators to adequately protect sensitive but unclassified Federal Government data against the most serious threats on the World Wide Web – eavesdropping, data tampering and message forgery. Other books such as [Adams99] and [Housley01], as well as technical journal articles (e.g., [Polk03]) and NIST publications (e.g., [SP800-32]), describe how Public Key Infrastructure (PKI) can be used to protect information on the Internet. It is assumed that the reader of these Guidelines is somewhat familiar with the ISO seven-layer communications model (also known as the seven-layer stack) [7498], as well as with Internet and public key infrastructure concepts, including, for example, X.509 certificates. If not, the reader may refer to the references cited in the first paragraph of this introduction for further explanation of background concepts that cannot be fully covered in these Guidelines. These Guidelines briefly introduce computer communications architectural concepts. The Guidelines place the responsibility for communication security at the Transport layer of the OSI seven-layer communications stack, not within the application itself. Protection of sensitive but unclassified Government information can adequately be accomplished at this layer when appropriate protocol options are selected and used by clients and servers relying on transport layer security. Unfortunately, security is not a single property possessed by a single protocol. Rather, security includes a complex set of related properties that together provide the required information assurance characteristics and information protection services.
Security requirements are usually derived from a risk assessment of the threats or attacks an adversary is likely to mount against a system. The adversary is likely to take advantage of implementation vulnerabilities found in many system components, including computer operating systems, application software systems, and the computer networks that interconnect them. These guidelines focus only on security within the network, and specifically on the small portion of the network communications stack that is referred to as the transport layer. Usually, the best defense against telecommunications attacks is to deploy security services implemented with mechanisms specified in standards that are thoroughly vetted in the public domain and rigorously tested by third-party laboratories, by vendors, and by users of commercial off-the-shelf products. The three services that most often address network users' security requirements are confidentiality, message integrity and authentication. A confidentiality service provides assurance that data is kept secret, preventing eavesdropping. A message integrity service provides confirmation that any modification of data is detected, thus preventing undetected deletion, addition, or modification of data. An authentication service provides assurance of the sender's or receiver's identity, thereby preventing forgery.
This Information Security Handbook provides a broad overview of information security program elements to assist managers in understanding how to establish and implement an information security program. Typically, the organization looks to the program for overall responsibility to ensure the selection and implementation of appropriate security controls and to demonstrate the effectiveness of satisfying its stated security requirements. The topics within this document were selected based on the laws and regulations relevant to information security, including the Clinger-Cohen Act of 1996, the Federal Information Security Management Act (FISMA) of 2002, and Office of Management and Budget (OMB) Circular A-130. The material in this handbook can be referenced for general information on a particular topic or can be used in the decision-making process for developing an information security program. National Institute of Standards and Technology Interagency Report (NISTIR) 7298 provides a summary glossary for the basic security terms used throughout this document. While reading this handbook, please consider that the guidance is not specific to a particular agency. Agencies should tailor this guidance according to their security posture and business requirements.

1.1 Purpose and Applicability

The purpose of this publication is to inform members of the information security management team (agency heads; chief information officers [CIOs]; senior agency information security officers [SAISOs], also commonly referred to as Chief Information Security Officers [CISOs]; and security managers) about the various aspects of information security that they will be expected to implement and oversee in their respective organizations. In addition, the handbook provides guidance for facilitating a more consistent approach to information security programs across the federal government.
Even though the terminology in this document is geared toward the federal sector, the handbook can also be used to provide guidance on a variety of other governmental, organizational, or institutional security requirements.

1.2 Relationship to Existing Guidance

This handbook summarizes and augments a number of existing NIST standards and guidance documents and provides additional information on related topics. Such documents are referenced within the appropriate subchapters.

1.3 Audience

The intended audience includes agency heads, CIOs, SAISOs (also commonly referred to as CISOs), and security managers. The handbook provides information that the audience can use in building their information security program strategy. While there are differences between federal and private sector environments, especially in terms of priorities and legal requirements, the underlying principles of information security are the same. The handbook is therefore useful to any manager who requires a broad overview of information security practices.