[Global_industry_committee] NIST doco we should review & comment on

David Campbell dcampbell at owasp.org
Mon Feb 16 22:24:38 EST 2009


Colin,

I agree that asking for comments from *.leaders would be messy++.

Does Google Docs give us a broader "track changes" ability that we could
limit to the people who have the time and energy to put thoughtful
comments into this?

FYI NIST 800-53 is *the* document that currently drives the *entire*
compliance programs for most US federal agencies, so we must *not* miss
this deadline.

I'll jump back on this thread as soon as I have time but I likely will
have zero time for the industry committee until after 6 March due to
'real work' and the Colorado OWASP conf.

DC


Colin Watson wrote:
> Hi David and Rex
>
>
>> At this point I don't have the bandwidth to be a lead on this.  Perhaps
>> Rex can step up, or per Tom's suggestion we send a request to the
>> Leaders list for help.  This is a big one, and shouldn't be ignored.
>
>
> Yes, that would be a good idea.  What would be the best way to manage
> this?  We could easily be inundated with comments and suggestions from
> the Leadership list.  If it's by email, it will be difficult to deal
> with.
>
> Would it be worth dividing the document up into sections and asking
> people on the Leadership list if they would like to volunteer to draft
> a suggested response for sections they are particularly interested in,
> publish this on the wiki as a draft and then be a point of contact for
> feedback?
>
> The contents list is:
>
> CHAPTER ONE INTRODUCTION
>
> 1.1 PURPOSE AND APPLICABILITY
> 1.2 TARGET AUDIENCE
> 1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS
> 1.4 ORGANIZATIONAL RESPONSIBILITIES
> 1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION
>
> CHAPTER TWO THE FUNDAMENTALS
>
> 2.1 SECURITY CONTROL ORGANIZATION AND STRUCTURE
> 2.2 SECURITY CONTROL BASELINES
> 2.3 COMMON CONTROLS
> 2.4 SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS
> 2.5 SECURITY CONTROL ASSURANCE
> 2.6 REVISIONS AND EXTENSIONS
>
> CHAPTER THREE THE PROCESS
>
> 3.1 MANAGING RISK
> 3.2 CATEGORIZING THE INFORMATION SYSTEM
> 3.3 SELECTING SECURITY CONTROLS
> 3.4 MONITORING SECURITY CONTROLS
>
> APPENDIX A REFERENCES
> APPENDIX B GLOSSARY
> APPENDIX C ACRONYMS
> APPENDIX D SECURITY CONTROL BASELINES – SUMMARY
> APPENDIX E MINIMUM ASSURANCE REQUIREMENTS
> APPENDIX F SECURITY CONTROL CATALOG
> APPENDIX G INFORMATION SECURITY PROGRAMS
> APPENDIX H INTERNATIONAL INFORMATION SECURITY STANDARDS
> APPENDIX I INDUSTRIAL CONTROL SYSTEMS
>
> If we go this way, does anyone on this list want to select a section
> for themselves?
>
> Regards
>
> Colin
> _______________________________________________
> Global_industry_committee mailing list
> Global_industry_committee at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/global_industry_committee