Information Security Publication Comparison

By | November 25, 2016

Chart comparing the major sections of the USPS Handbook AS-805 – Information Security to NIST Special Publications 800-12, 800-14, 800-18, 800-26, and 800-30.

Handbook AS-805 – Information Security (USPS, 2015) | NIST Special Publications
Introduction: Corporate Information Security | Generally Accepted System Security Principles (NIST SP 800-14)
Security Roles and Responsibilities | System Security Plan Responsibilities (NIST SP 800-18); (NIST SP 800-14)
Information Designation and Control | Generally Accepted System Security Principles (NIST SP 800-14)
Security Risk Management | Guide for Conducting Risk Assessments (NIST SP 800-30); (NIST SP 800-14)
Acceptable Use | Generally Accepted System Security Principles (NIST SP 800-14)
Personnel Security | Generally Accepted System Security Principles (NIST SP 800-14)
Physical and Environmental Security | 3.10 Physical and Environmental Security (NIST SP 800-14); Physical and Environmental Security (NIST SP 800-12)
Development and Operations Security | 1.5 Major Applications, General Support Systems, and Minor Applications (NIST SP 800-18); 3.9 Security Considerations in Computer Support and Operations (NIST SP 800-14)
Information Security Services | 3.14 Minimum Security Controls (NIST SP 800-18)
Hardware and Software Security | Several chapters (NIST SP 800-14)
Network Security | 2.3 General Support Systems (NIST SP 800-18); Management Control (NIST SP 800-12)
Business Continuity Management | 3.6 Preparing for Contingencies and Disasters (NIST SP 800-14)
Security Incident Management | 12.0 Computer Security Incident Handling (NIST SP 800-12); 3.7 Computer Security Incident Handling (NIST SP 800-14)
Security Compliance and Monitoring | 3.16 Ongoing System Security Plan Maintenance (NIST SP 800-18)

Chart comparing the ISO/IEC 27002 with NIST Publications

ISO 27002 (Praxiom web, 2013) | NIST 800-12 | NIST 800-14 | NIST 800-18 | NIST 800-26 | NIST 800-30
Security Policy Management | Covered. NIST is more of an overview | Covers many aspects such as security program management | Covered. Both cover the same aspects | Not directly covered. Program management briefly covered | Not covered
Corporate Security Management | Covered. NIST is more of an overview | Covered in depth | Covers duties and responsibilities | Not covered | Not covered
Personnel Security Management | Covers personnel/user issues | Both cover the same aspects | Not covered | Covered only as a checklist item | Not covered
Organizational Asset Management | Covered | Not covered | Not covered | Covered | Not covered
Information Access Management | Covered, Chapter 17 | Covered, Chapter 3 | Not covered | Not covered | Not covered
Cryptography Policy Management | Covered, Chapter 19 | Covered briefly, Chapter 3.14 | Not covered | Not covered | Not covered
Physical Security Management | Covered, Chapter 15 | Covered, Chapter 3.10 | Not covered | Not covered | Not covered
Operational Security Management | Covered | Covered. ISO 27002 offers more detail | Covered | Covered | Covered
Network Security Management | Covered only as a control | Covered only as a system | Not covered | Not covered | Not covered
System Security Management | Not covered | Not covered | Covered, Chapter 2.3 | Covered, Chapter 3.1.2 | Not covered
Supplier Relationship Management | Covered as an overview, Chapter 10 | Not covered | Not covered | Not covered | Not covered
Security Incident Management | Covered in detail, Chapters 11 & 12 | Covered, Chapter 3.7 | Not covered | Not covered | Covers threat events and response
Security Continuity Management | Not covered | Covers security reassessment | Covered, Chapter 3.16 | Covered, Chapter 4.3.1 | Covers the assessment cycle
Security Compliance Management | Covered, Chapter 6 | Covered as part of policy | Covered, Chapter 3.12 | Covers compliance reviews | Covered

References

Gallagher, P. D. (2012). Guide for Conducting Risk Assessments. NIST SP 800-30. Retrieved February 4, 2016, from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Guttman, B., & Roback, E. A. (1995). An Introduction to Computer Security: The NIST Handbook. NIST SP 800-12. Retrieved February 4, 2016, from http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

Praxiom web. (2013). ISO IEC 27002 2013 Information Security in Plain English. Retrieved February 5, 2016, from http://www.praxiom.com/iso-27002.htm

Swanson, M. (2001). Security Self-Assessment Guide for Information Technology Systems. NIST SP 800-26. Retrieved February 4, 2016, from http://csrc.nist.gov/groups/SMA/fisma/documents/Status-of-NIST-SP-800-26_v2.pdf

Swanson, M., & Guttman, B. (1996). Generally Accepted Principles and Practices for Securing Information Technology Systems. NIST SP 800-14. Retrieved February 4, 2016, from http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf

Swanson, M., Hash, J., & Bowen, P. (2006). Guide for Developing Security Plans for Federal Information Systems. NIST SP 800-18. Retrieved February 4, 2016, from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf

USPS. (2015, May). Handbook AS-805 – Information Security. Retrieved February 4, 2016, from https://about.usps.com/handbooks/as805/welcome.htm
