NIST stands for ‘National Institute of Standards and Technology’ and the NIST special (SP) publications act as a reference for organizations, academic institutions and government agencies that seek to form an information security plan and secure their perimeter. They are available free of charge. We will discuss some of the NIST special publications in this post:
Before we discuss NIST SP 800-30, we refresh the basic concepts related to risk. The security terms “threat”, “vulnerability” and “risk” play a key role in risk assessments.
Recall from an earlier post that “vulnerability” is a hole in the security posture that is waiting to be exploited (examples of vulnerability can be open port, unpatched software)
“Threat” is the tool that causes the damage to the organization (examples of threats can be floods, power failure, fire etc)
And “risk” is the “threat agent” making use of the “vulnerability” and exploiting it and causing physical and monetary damages. Putting these concepts together, “Risk assessment is the process of identifying, estimating, and prioritizing information security risks” (Guide for Conducting Risk Assessments, 2012)
The NIST SP 800-30 publication guides users on how to conduct risk assessments. This publication first deals with the fundamentals of risk assessment followed by the different processes in risk assessment (preparing for risk assessment, conducting risk assessment and communicating risk assessment information) The NIST SP 800-30 publication is an extension to the NIST SP 800-39 publication which is a publication for managing ‘Information Security Risk’.
E-mail or electronic mail is one of most prevalent forms of communication in today’s digitized world. Considering this, electronic mail will be targeted for a host of attacks on the mail server, mail client or the entire infrastructure. Some of the different types of attacks may be DoS attacks, social engineering, or gaining access to unencrypted information in the email.
The NIST SP 800-45 on electronic mail security guides users on configuring mail servers, mail clients on public and private networks and prevent it from being subjected to attacks. Encrypting email messages (using OpenPGP,S/MIME) ways to harden the mail server, ways to harden the mail client are some of issues discussed in this publication. The other key guidelines included in this publication are the different types of protocols (such as the SMTP, POP) along with planning and management of a mail server. (Guidelines on Electronic Mail Security, 2007)
We discussed a few of the NIST publications in this post today. The NIST publications seek to give guidance on many other security topics for organizations. These are an effective means for different organizations who seek to improve their security posture.
Guide for Conducting Risk Assessments. (2012, September). Retrieved from NIST.gov: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=912091
Guidelines on Electronic Mail Security. (2007, Feb). Retrieved from NIST.gov: http://csrc.nist.gov/publications/nistpubs/800-45-version2/SP800-45v2.pdf