NIST Security Guidance Revision: Prepare Now - InformationWeek

NIST Security Guidance Revision: Prepare Now
Vincent Berk,
User Rank: Apprentice
6/18/2014 | 5:39:51 PM
Remark Clarification

I'd like to clarify my earlier remark that I expect Revision 5 to be released in early 2015. Even though no date has been announced, I believe this is the clear trend given the 2-year cycle we've seen in the past for the release of Revisions of Special Publication 800-53.

— Dr. Vincent Berk, CEO of FlowTraq

David F. Carr,
User Rank: Author
6/18/2014 | 9:20:32 AM
No date for next NIST guidance
The original version of this column asserted that Revision 5 was "expected" to be published in April 2015. We received the following request for a correction from NIST public affairs:

"In an InformationWeek commentary by Vincent Berk on June 16, 2014, it was reported incorrectly that NIST plans to update its security and privacy controls catalog, Special Publication 800-53, from Revision 4 to Revision 5. NIST has not announced any plans to update that publication or proposed any date for such an update."

I'm not sure of the source of confusion but meanwhile have revised the text to make clear that Mr. Berk's assertion is an opinion.

- David F. Carr, editor, InformationWeek Government
RetiredUser,
User Rank: Strategist
6/17/2014 | 1:42:32 AM
Aging Standards in a DevOps World
While I believe standards are necessary, guidelines appreciated, and recommendations great for comparison, in the InfoSec world, where DevOps rules, NIST is the rarely visiting relative who has to be caught up on what's happening in the family every time it shows up. Too many organizations spend ridiculous amounts of money on documentation, requirements, audit criteria and other artifacts without actually touching the actual environment at risk, or watching an exploit being worked in real-time. Today's enterprise security leadership and teams have to be ready to change strategy, tools and scope on the daily, if not hourly.

If your company just wants to look like they are doing something about risk, sure, write a few thousand pages based upon Common Criteria and NIST framework recommendations, audit requirements, security targets of evaluation. But if you actually want your enterprise environment to be secure and stand up against the most innovative cyber criminals, get out there into the underground, talk to people and learn, hack and capture a few flags, and stay glued to sites like Dark Reading and Packet Storm. If you have the resources, set up an internal penetration lab to actively hack your own applications and network model in a mirrored environment. And, hire the best; not on paper, but tried and true in the underground.

Until government agencies catch on to the Free and Open Source Software (FOSS) way of doing things, and start acknowledging the 24/7 world of DevOps is ever-changing and that InfoSec is a massive endeavor, not easily squished into a couple hundred pages of rigid government standards, it will always be behind the times and cyber criminals leagues ahead of them.
D.M. Romano,
User Rank: Moderator
6/16/2014 | 1:37:16 PM
Overlooked
"For a multi-faceted data acquisition approach, we must start by analyzing the key threat categories that we face."

I've worked in several environments and am surprised at how often this is overlooked and not effectually evaluated.