The US National Institute of Standards and Technology (NIST) has issued an initial public draft standard for improving risk management of Federal information systems and assets. Specifically, the standard requires a two-step process:
* First, Federal agencies must categorize the information held on their computing assets and the systems that process it. The accompanying publication, 'Guide for Mapping Types of Information and Information Systems to Security Categories', covers:
1. Types of Information: for example, financial, medical, proprietary, trade secret, investigative; and
2. Types of Information Systems: mission critical, mission support, and administrative.
* Second, once the assets have been categorized, agencies must assess the potential impact of a compromise or disruption of each category at one of three levels: low, moderate, or high. This analysis provides the essential input for the program and security managers who are charged with creating appropriate risk management programs.
This standard includes a separate section on critical infrastructures owned or operated by the Federal government. The draft recommends that agencies pay "particularly close attention" when a mission is served by an information system that could affect the functioning of a critical infrastructure. Similar diligence is required when compromise of the information alone, independent of any system outage, could adversely affect a critical infrastructure.
The standard, which NIST produced in accordance with the E-Government Act of 2002, applies only to Federal civilian agencies.
Source: Zeichner Risk Assessment Newsletter.

•Date: 6th January 2004 •Region: N.America •Type: Article •Topic: BC general