[Global_industry_committee] NIST doco we should review & comment on

Colin Watson colin.watson at owasp.org
Sat Feb 14 06:59:48 EST 2009


Hi David and Rex

> At this point I don't have the bandwidth to be a lead on this.  Perhaps
> Rex can step up, or per Tom's suggestion we send a request to the
> Leaders list for help.  This is a big one, and shouldn't be ignored.

Yes, that would be a good idea.  What would be the best way to manage
this?  We could easily be inundated with comments and suggestions from
the Leadership list.  If it's by email, it will be difficult to deal
with.

Would it be worth dividing the document up into sections and asking
people on the Leadership list if they would like to volunteer to draft
a suggested response for sections they are particularly interested in,
publish this on the wiki as a draft and then be a point of contact for
feedback?

The contents list is:

CHAPTER ONE INTRODUCTION

1.1 PURPOSE AND APPLICABILITY
1.2 TARGET AUDIENCE
1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS
1.4 ORGANIZATIONAL RESPONSIBILITIES
1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION

CHAPTER TWO THE FUNDAMENTALS

2.1 SECURITY CONTROL ORGANIZATION AND STRUCTURE
2.2 SECURITY CONTROL BASELINES
2.3 COMMON CONTROLS
2.4 SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS
2.5 SECURITY CONTROL ASSURANCE
2.6 REVISIONS AND EXTENSIONS

CHAPTER THREE THE PROCESS

3.1 MANAGING RISK
3.2 CATEGORIZING THE INFORMATION SYSTEM
3.3 SELECTING SECURITY CONTROLS
3.4 MONITORING SECURITY CONTROLS

APPENDIX A REFERENCES
APPENDIX B GLOSSARY
APPENDIX C ACRONYMS
APPENDIX D SECURITY CONTROL BASELINES – SUMMARY
APPENDIX E MINIMUM ASSURANCE REQUIREMENTS
APPENDIX F SECURITY CONTROL CATALOG
APPENDIX G INFORMATION SECURITY PROGRAMS
APPENDIX H INTERNATIONAL INFORMATION SECURITY STANDARDS
APPENDIX I INDUSTRIAL CONTROL SYSTEMS

If we go this way, does anyone on this list want to select a section
for themselves?

Regards

Colin