Monday 4 February 2013

Developing an Information Security Program - NIST SP 800-12 and NIST SP 800-14

NIST SP 800-12 An Introduction to Computer Security: The NIST Handbook


An excerpt from the handbook:

This handbook provides assistance in securing computer-based resources (including hardware, software, and information) by explaining important concepts, cost considerations, and interrelationships of security controls. It illustrates the benefits of security controls, the major techniques or approaches for each control, and important related considerations.

The handbook provides a broad overview of computer security to help readers understand their computer security needs and develop a sound approach to the selection of appropriate security controls. It does not describe detailed steps necessary to implement a computer security program, provide detailed implementation procedures for security controls, or give guidance for auditing the security of specific systems. General references are provided at the end of this chapter, and references of "how-to" books and articles are provided at the end of each chapter in Parts II, III and IV.

The excerpt explains the purpose of the handbook. For those who are responsible for the security of the computing systems in their organization, this handbook can serve as a first point of guidance for recognizing the importance of computer security, the available security controls, their costs, and the other factors relevant to the organization.

NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems


Excerpt from the document:

As more organizations share information electronically, a common understanding of what is needed and expected in securing information technology (IT) resources is required. This document provides a baseline that organizations can use to establish and review their IT security programs. The document gives a foundation that organizations can reference when conducting multi-organizational business as well as internal business. Management, internal auditors, users, system developers, and security practitioners can use the guideline to gain an understanding of the basic security requirements most IT systems should contain. The foundation begins with generally accepted system security principles and continues with common practices that are used in securing IT systems.

This document explains the security principles and practices and the relationship between them. Under Generally Accepted System Security Principles, eight (8) principles are outlined and explained:
  • Computer Security Supports the Mission of the Organization
  • Computer Security is an Integral Element of Sound Management
  • Computer Security Should Be Cost-Effective
  • Systems Owners Have Security Responsibilities Outside Their Own Organizations
  • Computer Security Responsibilities And Accountability Should Be Made Explicit
  • Computer Security Requires a Comprehensive and Integrated Approach
  • Computer Security Should Be Periodically Reassessed
  • Computer Security is Constrained by Societal Factors

In the IT security practices section, the document describes the types of policy (program, issue-specific and system-specific), program management, risk management, security life cycle planning, staffing, incident handling, awareness and training, security considerations in computer support and operations, contingency preparation, identification and authentication (I&A), logical access control, physical and environmental security, audit trails, and cryptography.

Referring to both NIST SP 800-12 and NIST SP 800-14 is an excellent first step in developing a sound information security program: the former explains what the controls are and why they matter, the latter gives the principles and practices against which an existing program can be reviewed.
