[Global_industry_committee] NIST doco we should review & comment on
rex.booth at owasp.org
Fri Feb 27 05:38:01 EST 2009
Okay gents - let's tackle this in earnest.
As David and Colin mentioned, this is THE document that drives IT
compliance in the US Federal sector, so we want to be involved as much
as possible. I'd like to gauge two things:
1) Who on the industry committee can dedicate time to this (comments are
due March 27, though we should aim to be done about a week in advance of
2) Are we collectively interested in inviting others outside this
committee into the review process?
I'm happy to step in as a project manager of sorts on this effort. I
also think we should invite the general OWASP population to contribute.
David Campbell wrote:
> I agree that asking for comments from *.leaders would be messy++.
> Does google docs give us a broader "track changes" ability that we could
> limit to the people who have the time and energy to put thoughtful
> comments into this?
> FYI NIST 800-53 is *the* document that currently drives the *entire*
> compliance programs for most US federal agencies, so we must *not* miss
> this deadline.
> I'll jump back on this thread as soon as I have time but I likely will
> have zero time for the industry committee until after 6 March due to
> 'real work' and the Colorado OWASP conf.
> Colin Watson wrote:
>> Hi David and Rex
>>> At this point I don't have the bandwidth to be a lead on this. Perhaps
>>> Rex can step up, or per Tom's suggestion we send a request to the
>>> Leaders list for help. This is a big one, and shouldn't be ignored.
>> Yes, that would be a good idea. What would be the best way to manage
>> this? We could easily be inundated with comments and suggestions from
>> the Leadership list. If it's by email, it will be difficult to deal
>> Would it be worth dividing the document up into sections and asking
>> people on the Leadership list if they would like to volunteer to draft
>> a suggested response for sections they are particularly interested in,
>> publish this on the wiki as a draft and then be a point of contact for
>> The contents list is:
>> CHAPTER ONE INTRODUCTION
>> 1.1 PURPOSE AND APPLICABILITY
>> 1.2 TARGET AUDIENCE
>> 1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS
>> 1.4 ORGANIZATIONAL RESPONSIBILITIES
>> 1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION
>> CHAPTER TWO THE FUNDAMENTALS
>> 2.1 SECURITY CONTROL ORGANIZATION AND STRUCTURE
>> 2.2 SECURITY CONTROL BASELINES
>> 2.3 COMMON CONTROLS
>> 2.4 SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS
>> 2.5 SECURITY CONTROL ASSURANCE
>> 2.6 REVISIONS AND EXTENSIONS
>> CHAPTER THREE THE PROCESS
>> 3.1 MANAGING RISK
>> 3.2 CATEGORIZING THE INFORMATION SYSTEM
>> 3.3 SELECTING SECURITY CONTROLS
>> 3.4 MONITORING SECURITY CONTROLS
>> APPENDIX A REFERENCES
>> APPENDIX B GLOSSARY
>> APPENDIX C ACRONYMS
>> APPENDIX D SECURITY CONTROL BASELINES – SUMMARY
>> APPENDIX E MINIMUM ASSURANCE REQUIREMENTS
>> APPENDIX F SECURITY CONTROL CATALOG
>> APPENDIX G INFORMATION SECURITY PROGRAMS
>> APPENDIX H INTERNATIONAL INFORMATION SECURITY STANDARDS
>> APPENDIX I INDUSTRIAL CONTROL SYSTEMS
>> If we go this way, does anyone on this list want to select a section
>> for themselves?