Information Security Publication Comparison
Chart comparing major sections of the USPS Handbook AS-805 – Information Security to NIST Special Publications; 800-12, 800-14, 800-18, 800-26, and 800-30.
| Handbook AS-805 – Information Security (USPS, 2015) | NIST Special Publications |
| Introduction: Corporate Information Security | Generally Accepted System Security Principles (NIST SP 800-14) |
| Security Roles and Responsibilities | System Security Plan Responsibilities (NIST SP 800-18), (NIST SP 800-14) |
| Information Designation and Control | Generally Accepted System Security Principles (NIST SP 800-14) |
| Security Risk Management | Guide for Conducting Risk Assessments. (NIST SP 800-30) (NIST SP 800-14) |
| Acceptable Use | Generally Accepted System Security Principles (NIST SP 800-14) |
| Personnel Security | Generally Accepted System Security Principles (NIST SP 800-14) |
| Physical and Environmental Security | 3.10 Physical and Environmental Security (NIST SP 800-14), Physical and Environmental Security (NIST SP 800-12), |
| Development and Operations Security | 1.5 Major Applications, General Support Systems, and Minor Applications (NIST SP 800-18), 3.9 Security Considerations in Computer Support and Operations (NIST SP 800-14) |
| Information Security Services | 3.14 Minimum Security Controls (NIST SP 800-18) |
| Hardware and Software Security | Several chapters (NIST SP 800-14) |
| Network Security | 2.3 General Support Systems (NIST SP 800-18) Management Control (NIST SP 800-12) |
| Business Continuity Management | 3.6 Preparing for Contingencies and Disasters (NIST SP 800-14), |
| Security Incident Management | 12.0 Computer Security Incident Handling (NIST SP 800-12), 3.7 Computer Security Incident Handling (NIST SP 800-14) |
| Security Compliance and Monitoring | 3.16 Ongoing System Security Plan Maintenance (NIST SP 800-18) |
Chart comparing the ISO/IEC 27002 with NIST Publications
| ISO27002 (Praxiom web, 2013) | NIST 800-12 | NIST 800-14 | NIST 800-18 | NIST 800-26 | NIST 800-30 |
| Security Policy Management | Covered. NIST is more of an overview | Covers many aspects such as security program management. | Covered. Both cover same aspects. | Not directly covered. Program management briefly covered. | Not covered |
| Corporate Security Management | Covered. NIST is more of an overview | Covered in depth. | Covers duties and responsibilities. | Not covered | Not covered |
| Personal Security Management | Covers personnel/user issues | Both cover same aspects | Not covered | Covered only as a checklist item | Not covered |
| Organizational Asset Management | Covered | Not covered | Not Covered | Covered | Not Covered |
| Information Access Management | Covered Chapter 17 | Covered Chapter 3 | Not covered | Not covered | Not covered |
| Cryptography Policy Management | Covered Chapter 19 | Covered briefly Chapter 3.14 | Not covered | Not covered | Not covered |
| Physical Security Management | Covered Chapter 15 | Covered Chapter 3.10 | Not covered | Not covered | Not Covered |
| Operational Security Management | Covered | Covered. ISO 27002 offers more detail | Covered | Covered | Covered |
| Network Security Management | Covered only as a control | Covered only as a system | Not covered | Not covered | Not covered |
| System Security Management | Not covered | Not covered | Covered Chapter 2.3 | Covered Chapter 3.1.2 | Not covered |
| Supplier Relationship Management | Covered as overview Chapter 10 | Not covered | Not covered | Not covered | Not covered |
| Security Incident Management | Covered in detail 11 & 12
| Covered Chapter 3.7 | Not covered | Not covered | Covers threat events and response |
| Security Continuity Management | Not covered | Covers security reassessment | Covered Chapter 3.16 | Covered Chapter 4.3.1 | Covers assessment cycle |
| Security Compliance Management | Covered Chapter 6 | Covers as part of policy | Covered Chapter 3.12 | Covers compliance reviews | Covered |
References
Gallagher, P. D. (2012). Guide for Conducting Risk Assessments. NIST SP 800-30. Retrieved February 4, 2016 from, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
Guttman, B., & Roback, E. A. (1995). An Introduction to Computer Security: The NIST Handbook. NIST SP 800-12. Retrieved February 4, 2016 from, http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf
Praxiom web. (2013). ISO IEC 27002 2013 Information Security in Plain English. Retrieved February 05, 2016, from http://www.praxiom.com/iso-27002.htm
Swanson, M. (2001). Security Self-Assessment Guide for Information Technology Systems. NIST SP 800-26. Retrieved February 4, 2016 from, http://csrc.nist.gov/groups/SMA/fisma/documents/Status-of-NIST-SP-800-26_v2.pdf
Swanson, M., & Guttman, B. (1996). Generally Accepted Principles and Practices for Securing Information Technology Systems. NIST SP 800-14. Retrieved February 4, 2016 from, http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
Swanson, M., Hash, J., & Bowen, P. (2006). Guide for Developing Security Plans for Federal Information Systems. NIST SP 800-18. Retrieved February 4, 2016 from, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
USPS. (2015, May). Handbook AS-805 – Information Security. Retrieved February 04, 2016, from https://about.usps.com/handbooks/as805/welcome.htm
