NIST Security Controls Version 4
This week the Computer Security Resource Center of the National Insitute of Standards and Technology for the United States of America released the fourth version of Security and Privacy Controls for Federal Information Systems and Organizations. Or more commonly known by the designation SP800-53. Through my career I've been a fan of the NIST Special Publications 800 series. Although the intended audience are the IT organizations of the USA federal government the publications are provided without copyright for use by any organization. I consider it a great free resource to buillding the basics of a security program no matter what industry you are in.
SP800-53 covers a pretty comprehensive catalog of security controls. All the expected categories are there from Access Control to System and Information Integrity. The catalog itself convers 233 pages and includes a handy reference table to link the controls to ISO/IEC 27001 Controls and ISO/IEC 15408 Requirements. What I find more interesting are the themes the authors used as the core of the changes for revision 4.
The controls and the attending implementation guidance are focused on the recent strategies within the USA Fed space around "Build it Right" and "Continuous Monitoring". I'm big fans of both, what security professional can argue against implenting appropriate controls before a system comes online? CM moves us away from the "checklist mentatlity" of security to a more intelligence focus to understand what is the current risk and security stance of an organziation in near real time.
Additionally there's a focus on not only controls to reduce security risk but controls to provide security assurance. The ability to measure effectivness and confidence in security controls is a core to continuous monitoring.
SP800-53 Rev. 4 is available for download at http://dx.doi.org/10.6028/NIST.SP.800-53r4. I'm sure security professionals of all levels will find something useful in there.