Information Security Publication Comparison
Chart comparing major sections of the USPS Handbook AS-805 – Information Security to NIST Special Publications 800-12, 800-14, 800-18, 800-26, and 800-30.
| Handbook AS-805 – Information Security (USPS, 2015) | NIST Special Publications |
|---|---|
| Introduction: Corporate Information Security | Generally Accepted System Security Principles (NIST SP 800-14) |
| Security Roles and Responsibilities | System Security Plan Responsibilities (NIST SP 800-18), (NIST SP 800-14) |
| Information Designation and Control | Generally Accepted System Security Principles (NIST SP 800-14) |
| Security Risk Management | Guide for Conducting Risk Assessments (NIST SP 800-30), (NIST SP 800-14) |
| Acceptable Use | Generally Accepted System Security Principles (NIST SP 800-14) |
| Personnel Security | Generally Accepted System Security Principles (NIST SP 800-14) |
| Physical and Environmental Security | 3.10 Physical and Environmental Security (NIST SP 800-14), Physical and Environmental Security (NIST SP 800-12) |
| Development and Operations Security | 1.5 Major Applications, General Support Systems, and Minor Applications (NIST SP 800-18), 3.9 Security Considerations in Computer Support and Operations (NIST SP 800-14) |
| Information Security Services | 3.14 Minimum Security Controls (NIST SP 800-18) |
| Hardware and Software Security | Several chapters (NIST SP 800-14) |
| Network Security | 2.3 General Support Systems (NIST SP 800-18), Management Control (NIST SP 800-12) |
| Business Continuity Management | 3.6 Preparing for Contingencies and Disasters (NIST SP 800-14) |
| Security Incident Management | 12.0 Computer Security Incident Handling (NIST SP 800-12), 3.7 Computer Security Incident Handling (NIST SP 800-14) |
| Security Compliance and Monitoring | 3.16 Ongoing System Security Plan Maintenance (NIST SP 800-18) |
Chart comparing ISO/IEC 27002 with NIST Special Publications 800-12, 800-14, 800-18, 800-26, and 800-30.

| ISO 27002 (Praxiom web, 2013) | NIST 800-12 | NIST 800-14 | NIST 800-18 | NIST 800-26 | NIST 800-30 |
|---|---|---|---|---|---|
| Security Policy Management | Covered. NIST is more of an overview | Covers many aspects such as security program management | Covered. Both cover the same aspects | Not directly covered. Program management briefly covered | Not covered |
| Corporate Security Management | Covered. NIST is more of an overview | Covered in depth | Covers duties and responsibilities | Not covered | Not covered |
| Personnel Security Management | Covers personnel/user issues | Both cover the same aspects | Not covered | Covered only as a checklist item | Not covered |
| Organizational Asset Management | Covered | Not covered | Not covered | Covered | Not covered |
| Information Access Management | Covered (Chapter 17) | Covered (Chapter 3) | Not covered | Not covered | Not covered |
| Cryptography Policy Management | Covered (Chapter 19) | Covered briefly (Chapter 3.14) | Not covered | Not covered | Not covered |
| Physical Security Management | Covered (Chapter 15) | Covered (Chapter 3.10) | Not covered | Not covered | Not covered |
| Operational Security Management | Covered | Covered. ISO 27002 offers more detail | Covered | Covered | Covered |
| Network Security Management | Covered only as a control | Covered only as a system | Not covered | Not covered | Not covered |
| System Security Management | Not covered | Not covered | Covered (Chapter 2.3) | Covered (Chapter 3.1.2) | Not covered |
| Supplier Relationship Management | Covered as an overview (Chapter 10) | Not covered | Not covered | Not covered | Not covered |
| Security Incident Management | Covered in detail (Chapters 11 and 12) | Covered (Chapter 3.7) | Not covered | Not covered | Covers threat events and response |
| Security Continuity Management | Not covered | Covers security reassessment | Covered (Chapter 3.16) | Covered (Chapter 4.3.1) | Covers the assessment cycle |
| Security Compliance Management | Covered (Chapter 6) | Covered as part of policy | Covered (Chapter 3.12) | Covers compliance reviews | Covered |
References

- NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf
- Praxiom, ISO/IEC 27002 overview: http://www.praxiom.com/iso-27002.htm
- NIST SP 800-12 (1995 edition, archived): https://csrc.nist.gov/publications/detail/sp/800-12/archive/1995-10-02
- NIST SP 800-18 Rev. 1: http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf
- USPS Handbook AS-805, Information Security: https://about.usps.com/handbooks/as805/welcome.htm