The purpose of this paper is to develop an information security policy that defines the requirements to make our organization's computer network compliant with National Institute of Standards and Technology (NIST) Security Standards. NIST regulations and instructions were reviewed in order to develop the requirements that are stated in this policy. The source documents used can be found in the references section.
2.0 COMPLIANCE LAWS
The Federal Acquisition Regulation (FAR), issued by the Department of Defense, guides the content of military contracts. Federal government organizations other than the military and intelligence agencies must follow the Federal Information Security Management Act of 2002 (FISMA). Federal Information Processing Standards (FIPS) 200, "Minimum Security Requirements for Federal Information and Information Systems," defines the minimum security requirements that information systems must meet. While the military does not have to follow FISMA, it does enact the security policies contained in the act. The military also implements the security controls found in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems," and NIST SP 800-53, "Recommended Security Controls for Federal Information Systems and Organizations." NIST SP 800-53, Appendix F, contains the Security Control Catalog. There is currently no specific law directing the information security policy content for defense contractors. However, Congress is proposing to make the policies in FISMA and the security controls in NIST SP 800-53 applicable to contractors that are awarded military contracts. DoD Instruction 8500.2, "Information Assurance Implementation," states the computer network security controls required to be implemented in military computer networks (Enclosure 4, Attachments 1 through 5). The other references noted in this paper give broad