What are the nist-recommended documents that support the process of baselining?

  Hardware, software, and relevant documentation for an information system at a given point in time.
Source(s):
CNSSI 4009-2015 under baseline

  See control baseline.
Source(s):
NIST SP 800-37 Rev. 2 under baseline
NIST SP 800-53 Rev. 5 under baseline
NIST SP 800-53A Rev. 5 under baseline

  The set of controls that are applicable to information or an information system to meet legal, regulatory, or policy requirements, as well as address protection needs for the purpose of managing risk.
Source(s):
NIST SP 800-37 Rev. 2

  Formally approved version of a configuration item, regardless of media, formally designated and fixed at a specific time during the configuration item's life cycle. Note: The engineering process generates many artifacts that are maintained as a baseline over the course of the engineering effort and after its completion. The configuration control processes of the engineering effort manage baselined artifacts. Examples include stakeholder requirements baseline, system requirements baseline, architecture/design baseline, and configuration baseline.
Source(s):
NIST SP 800-160 Vol. 1 under baseline

  Predefined sets of controls specifically assembled to address the protection needs of groups, organizations, or communities of interest. See privacy control baseline or security control baseline.
Source(s):
NIST SP 800-53 Rev. 5 from NIST SP 800-53B
NIST SP 800-53A Rev. 5 from NIST SP 800-53B

  The set of security and privacy controls defined for a low-impact, moderate-impact, or high-impact system or selected based on the privacy selection criteria that provide a starting point for the tailoring process.
Source(s):
NIST SP 800-53B from FIPS 200 - Adapted

  Hardware, software, databases, and relevant documentation for an information system at a given point in time.
Source(s):
NIST SP 800-161r1 under baseline from CNSSI 4009-2015

Baselining can be described as the process that is used to measure against an established internal value or standard. Baselining and researching benchmarks that are found in the recommended practices can provide less design and implementation detail for a security program than the use of a complete methodology. When baselining and benchmarking are used congruently, it is possible to piece together a desired outcome. From there, you can work backwards to get to the effective design of a methodology. NIST recommends several publications that were written specifically in support of baseline activities.

They are:

SP 800-27, REV A: Engineering Principles for Information Technology Security (A Baseline for Achieving Security)

SP 800-53, REV 4: Security and Privacy Controls for Federal Information Systems and Organizations (Draft)

SP 800-53A, REV 1: Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans

Alternatively, the Gartner Group has developed a self-assessment for recommended security practices. The assessment includes 12 questions that are organized into three categories: people, processes, and technology. These categories map to the managerial, operational, and technical areas of the NIST methodology. The twelve questions are below.

Which of the following is the first phase in the NIST process for performance measures implementation?

The first phase in the NIST performance measures methodology is to collect data and analyze results: collect, aggregate, and consolidate the metric data, and compare measurements with targets.

What four factors are critical to the success of an information security performance program?

Kelley and Moyle suggest four key criteria against which to evaluate cybersecurity goals: effectiveness, maturity, efficiency and alignment.

What is the gold standard of information security practices?

The gold standard of information security, ISO 27001, provides the Information Security Management System (ISMS) that enables management to operate a secure organization.

What is the process of measuring against established standards?

Baselining is the process of measuring against established standards. Baseline measurements of security activities and events are used to evaluate the organization's future security performance.