Disaster-Resource.com

NIST Updates Guidelines for Measuring Information Security

The National Institute of Standards and Technology has revised the guidelines designed to help agencies assess the security of individual IT programs more effectively. But at least one expert questions whether the updates will actually be useful.

In an article on the NextGov website, Jill R. Aitoro reports that NIST has released the latest revision in its Special Publication 800 series, which offers research and guidelines to help agencies implement the Federal Information Security Management Act of 2002.

“Specifically, the update describes the roles and responsibilities of employees who have a direct interest in information security, and should therefore ‘work to instill a culture of information security awareness across the organization,’” Aitoro says. “These positions include the agency head, chief information officer, senior agency information security officer, program manager or information system owner, and information system security officer. It also provides background on information security performance and measures and defines the types of measures that can be used, recommending that agencies develop a comprehensive risk management program with quantifiable inputs that define benefits and returns and can be used to justify funding requests.”

But not everyone thinks the changes will be effective. According to Alan Paller, director of research at the SANS Institute, a cybersecurity research and education group, the guidelines don't provide enough examples of metrics agencies can use to measure the strength of their security.

“They put in metrics like ‘percentage of remote access points used to gain unauthorized access,’ and, worst of all, ‘percentage of information security employees who have received security training,’” he told Aitoro. “It’s embarrassing that our tax money is spent on … vapid reports like this.”

Full article: http://www.nextgov.com/nextgov/ng_20080807_3473.php