"Today’s information systems are incredibly complex assemblages of hardware, software, firmware, and people, all working together to provide organizations with the capability to process, store, and transmit information on a timely basis to support various organizational missions and business functions. The degree to which organizations have come to depend upon these information systems to conduct routine and critical missions and business functions means that the protection of the underlying systems is paramount to the success of the organization. The selection of appropriate security controls for an information system is an important task that can have major implications on the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity (including non-repudiation and authenticity), and availability of the system and its information. Once employed within an information system, security controls are assessed to provide the information necessary to determine their overall effectiveness; that is, the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system is essential in determining the risk to the organization’s operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system."
... so starts the latest and greatest draft of NIST SP 800-53A "Guide for Assessing the Security Controls in Federal Information Systems - Building Effective Security Assessment Plans". What a neat way to sum up the whole of information security in just one paragraph!
The standard essentially comprises a large audit checklist for checking a broad range of information security controls against good practice advice in NIST SP 800-53, FIPS 200 and other standards (including ISO27k), topped-and-tailed with background/context, explanation, glossary and references. Being a typical NIST SP, it is well-written and comprehensive.
NIST is seeking feedback on the draft. I'm currently skimming my copy and scribbling a few notes while eating my lunch 'al desco'. We have until the end of July to respond but I'm sure project leader Ron Ross would appreciate comments sooner rather than later.