
NIST SP 800: Information Security Library

I want to introduce Habr readers who deal directly or indirectly with information protection to a practically useful methodological resource that has not yet been mentioned on Habr: the NIST Special Publications 800 series.

NIST, the National Institute of Standards and Technology, is the US national standards body, roughly analogous to the Russian GosStandart. It includes the United States' specialised computer security centre, the CSRC (Computer Security Resource Center), which brings together specialists from federal agencies, universities and the largest US IT companies. Since the early 1990s the Center has published standards (FIPS) and more detailed explanations and recommendations (Special Publications) in the field of information security. The Special Publications produced by the CSRC carry the series number 800. I propose to look at them in more detail.

The CSRC has three working groups, which between them divide all of the center's activities into its major areas:

Each group has dozens of publications to its name. Since cryptography is a rather specialised area, the recommendations there probably deserve a separate article; below I give an overview of the most interesting and popular documents of the first two groups, information security management and technical issues of information security.
Many of the documents are revised regularly; the year of the latest revision is given in parentheses, which is why the entries are not in numerical order. Documents in bold are those most frequently encountered or cited in other information security materials.

Information Security Management

This section contains the "gentleman's set" that is probably part of any stack of information security management standards and recommendations, but recall that the status of the CSRC makes them effectively mandatory for all US government agencies, and that is a great many of them.

SP 800-50 (2003), Building an IT security awareness program: areas of responsibility of the participants, preparation of the material, likely problems at the implementation stage, the control/audit process, examples.

SP 800-84 (2006), Testing IT security plans: policy, areas of responsibility, methodology, sample documents, specific methods (tabletop exercises, simulations, testing in real situations).

SP 800-100 (2006), Information security handbook for managers: the information security process in an organization, the IT system life cycle, security of interconnections between IT systems, employee training and awareness, information security risk management, assessment, certification, control, continuity and incident management.

SP 800-60 (2008), Classifying information and information systems by security requirements (methodology and classifier): the method for assigning impact levels, and a classifier (recommended values) of the impact of breaches of confidentiality, integrity and availability depending on the type (purpose) of the information processed.

SP 800-115 (2008), Technical aspects of information security testing and assessment: assessment methods, self-assessment, internal audit, external audit, penetration testing, organizing the process, performing the assessment, analysing the results, feeding the results back into improving the organization's security.

SP 800-118 (2009), Password management: threats in password-based authentication, protecting the stored password database, social engineering attacks.

SP 800-37 (2010), Information security risk management in federal information systems: detailed methodology for managing information security risks, roles and responsibilities of the participants, description of related documents.

SP 800-34 (2010), Contingency planning for federal information systems: relationship between the various levels of continuity assurance, assessment of the impact of different kinds of incident on a service, choice of strategies, development and testing of plans, basic technologies for ensuring continuity of information systems and services.

SP 800-137 (2011), Information security continuous monitoring in federal information systems: possible levels of monitoring (the organization as a whole, business processes, IT systems), developing a monitoring strategy, defining metrics, analysing incoming data, using the results to improve the organization's security.

SP 800-61 (2012), Information security incident handling: planning the process, creating a response team and its operating rules, incident detection, prioritization, choosing a response strategy, limiting damage, restoring systems, coordination between those involved in incident response.

SP 800-40 (2012), Patch management: issues and problems in the update management process, technologies for keeping software up to date, process metrics.


Technical issues of information security

Next, in a shorter format, the most interesting technical publications of the CSRC. I will not dispute that among the CSRC documents there are some that are frankly obsolete (I have tried to exclude them from the list). Overall, however, NIST's IT division is, in the opinion of many experts, one of the most dynamic standards bodies in the field of IT and information security: they try to issue recommendations almost as soon as a significant trend emerges, whether a new threat appears or old ones shift in importance (so the most "tasty" documents are probably at the bottom of the list).

SP 800-24 (2001): Security of private branch exchange (PBX) systems
SP 800-58 (2005): VoIP security
SP 800-77 (2005): Introduction to IPsec
SP 800-88 (2006): Reliable sanitization (destruction) of data on storage media
SP 800-92 (2006): Security log management
SP 800-45 (2007): Email security
SP 800-54 (2007): BGP security
SP 800-95 (2007): Developing secure web services
SP 800-44 (2007): Securing public web servers
SP 800-111 (2007): Storage encryption technologies for end-user devices
SP 800-114 (2007): Securing user devices used for remote access to the organization's network
SP 800-28 (2008): Threats to users from active content and mobile code
SP 800-113 (2008): Introduction to SSL VPNs
SP 800-48 (2007): Additional security measures for legacy wireless networks (WEP, WPA)
SP 800-46 (2009): Security of remote access to the organization's network
SP 800-41 (2009): Firewalls and firewall policy
SP 800-81 (2010): Secure DNS deployment
SP 800-127 (2010): Securing WiMAX networks
SP 800-119 (2010): Security considerations when deploying IPv6
SP 800-82 (2011): Industrial control systems security
SP 800-63 (2011): Electronic authentication in information systems
SP 800-125 (2011): Security when using virtualization technologies
SP 800-144 (2011): Security issues when using public clouds
SP 800-147 (2011): BIOS integrity protection
SP 800-121 (2012): Bluetooth security
SP 800-83 (2012): Malware protection for employees' desktop and mobile workstations
SP 800-94 (2012): Intrusion detection / prevention systems (IDS / IPS)
SP 800-124 (2012): Securing the organization's mobile devices
SP 800-146 (2012): Cloud computing: technology overview, analysis of advantages and disadvantages


I hope that in this variety everyone will find a couple of documents for leisurely reading after the holidays!

Source: https://habr.com/ru/post/164371/
