[Global_industry_committee] NIST doco we should review & comment on

Georg Heß georg.hess at artofdefence.com
Fri Feb 27 08:46:40 EST 2009


Hi Rex,

thank you for taking on the role as a project manager.

I very much support the idea of inviting the general OWASP population -
in particular all the people with more experience with the US Federal sector
than me...

Best,
Georg


-- 
Dr. Georg Hess (CEO) - georg.hess at artofdefence.com
T:+49 (0)941 604 889 58  M:+49 (0)170 575 3154  F:+49 (0)941 604 889 837

art of defence GmbH, Bruderwöhrdstr 15b, 93055 Regensburg, Germany
------------------------------------------------------------------------
Regensburg District Court (Amtsgericht), HRB 9708
Managing Directors:
Dr. Georg Heß, Alexander Meisel
------------------------------------------------------------------------

Rex Booth wrote:
> Okay gents - let's tackle this in earnest.
> 
> As David and Colin mentioned, this is THE document that drives IT 
> compliance in the US Federal sector, so we want to be involved as much 
> as possible.  I'd like to gauge two things:
> 
> 1) Who on the industry committee can dedicate time to this (comments are 
> due March 27, though we should aim to be done about a week in advance of 
> that)
> 
> 2) Are we collectively interested in inviting others outside this 
> committee into the review process?
> 
> I'm happy to step in as a project manager of sorts on this effort.  I 
> also think we should invite the general OWASP population to contribute.
> 
> Thoughts?
> 
> Thanks,
> Rex
> 
> 
> 
> David Campbell wrote:
>> Colin,
>>
>> I agree that asking for comments from *.leaders would be messy++.
>>
>> Does google docs give us a broader "track changes" ability that we could
>> limit to the people who have the time and energy to put thoughtful
>> comments into this?
>>
>> FYI NIST 800-53 is *the* document that currently drives the *entire*
>> compliance programs for most US federal agencies, so we must *not* miss
>> this deadline.
>>
>> I'll jump back on this thread as soon as I have time but I likely will
>> have zero time for the industry committee until after 6 March due to
>> 'real work' and the Colorado OWASP conf.
>>
>> DC
>>
>>
>> Colin Watson wrote:
>>   
>>> Hi David and Rex
>>>
>>>> At this point I don't have the bandwidth to be a lead on this.  Perhaps
>>>> Rex can step up, or per Tom's suggestion we send a request to the
>>>> Leaders list for help.  This is a big one, and shouldn't be ignored.
>>> Yes, that would be a good idea.  What would be the best way to manage
>>> this?  We could easily be inundated with comments and suggestions from
>>> the Leadership list.  If it's by email, it will be difficult to deal
>>> with.
>>>
>>> Would it be worth dividing the document up into sections and asking
>>> people on the Leadership list if they would like to volunteer to draft
>>> a suggested response for sections they are particularly interested in,
>>> publish this on the wiki as a draft and then be a point of contact for
>>> feedback?
>>>
>>> The contents list is:
>>>
>>> CHAPTER ONE INTRODUCTION
>>>
>>> 1.1 PURPOSE AND APPLICABILITY
>>> 1.2 TARGET AUDIENCE
>>> 1.3 RELATIONSHIP TO OTHER SECURITY CONTROL PUBLICATIONS
>>> 1.4 ORGANIZATIONAL RESPONSIBILITIES
>>> 1.5 ORGANIZATION OF THIS SPECIAL PUBLICATION
>>>
>>> CHAPTER TWO THE FUNDAMENTALS
>>>
>>> 2.1 SECURITY CONTROL ORGANIZATION AND STRUCTURE
>>> 2.2 SECURITY CONTROL BASELINES
>>> 2.3 COMMON CONTROLS
>>> 2.4 SECURITY CONTROLS IN EXTERNAL ENVIRONMENTS
>>> 2.5 SECURITY CONTROL ASSURANCE
>>> 2.6 REVISIONS AND EXTENSIONS
>>>
>>> CHAPTER THREE THE PROCESS
>>>
>>> 3.1 MANAGING RISK
>>> 3.2 CATEGORIZING THE INFORMATION SYSTEM
>>> 3.3 SELECTING SECURITY CONTROLS
>>> 3.4 MONITORING SECURITY CONTROLS
>>>
>>> APPENDIX A REFERENCES
>>> APPENDIX B GLOSSARY
>>> APPENDIX C ACRONYMS
>>> APPENDIX D SECURITY CONTROL BASELINES – SUMMARY
>>> APPENDIX E MINIMUM ASSURANCE REQUIREMENTS
>>> APPENDIX F SECURITY CONTROL CATALOG
>>> APPENDIX G INFORMATION SECURITY PROGRAMS
>>> APPENDIX H INTERNATIONAL INFORMATION SECURITY STANDARDS
>>> APPENDIX I INDUSTRIAL CONTROL SYSTEMS
>>>
>>> If we go this way, does anyone on this list want to select a section
>>> for themselves?
>>>
>>> Regards
>>>
>>> Colin
>>> _______________________________________________
>>> Global_industry_committee mailing list
>>> Global_industry_committee at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/global_industry_committee

