Hello, and welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.

Today we are continuing the series on the National Institute of Standards and Technology, otherwise referred to as NIST. Up to this point, with the whole NIST series of TomCasts, there has been a presumption of information security knowledge. What about those of you out there that are new to the field, or are poking around for a possible new career field? Well, believe it or not, there is a NIST publication for that. It is the Special Publication 800-12 revision 2, the Introduction to Information Security.

Now, this publication is a tad bit older than the ones we have been discussing; it was last revised back in 2017. While many things have obviously changed in technology and the information security realm since then, the concepts still hold true. This is a shorter publication, coming in at 91 pages overall. The main content runs through page 70, with the customary NIST appendices following the main body. It also discusses the risk-based approach to security, which is a definite plus here.

Straight out of section 1.3, the publication is organized in the following manner:

  • Chapter 1 describes the purpose, target audience, important terms, the legal foundation for information security, and a list of NIST publications related to information security and information risk management.
  • Chapter 2 lists eight major elements regarding information security.
  • Chapter 3 outlines several roles, supporting roles, and the respective responsibilities attributed to those roles for providing information security to the organization.
  • Chapter 4 introduces threats and vulnerabilities, distinguishes the difference between the two, and provides examples of different threat sources and events.
  • Chapter 5 discusses information security policy and the differences between Program Policy, Issue-Specific Policy, and System-Specific Policy.
  • Chapter 6 considers how to manage risk and briefly describes the six steps of the NIST Risk Management Framework (RMF).
  • Chapter 7 focuses on information assurance and what measures can be taken to protect information and systems.
  • Chapter 8 introduces system support and operations, which collectively function to run a system.
  • Chapter 9 provides a brief overview of cryptography as well as several NIST 800-series Publications that contain additional, more detailed information on specific cryptographic technologies.
  • Chapter 10 introduces the 20 information security and privacy control families.

So, as you can see, it is laid out in a way that progresses across the information security field, providing useful information that builds on what was learned in the previous chapters. For those who are brand new to information security, this can be an excellent guide to the various aspects of the field. For more seasoned individuals on the career path, it can be a refresher in many different areas, and it can provide some insight into parts of the career that perhaps one isn’t involved with.

Think of the cybersecurity field; cybersecurity is a massive umbrella term that covers a vast arena within information technology. If you specialize in vulnerability management, you may not have been exposed to cryptography or to specific security controls. If you are a cyber warrior on the wire, perhaps the various roles and responsibilities of the information security field are rather new to you. If you are focused on policy, then the previous two areas would be somewhat unknown. This document can introduce those other areas of the field to you.

Chapter 10 is especially useful for those supporting local, state, or federal government clients that are driven by compliance. Why? Because that chapter helps the reader understand security control families, what they are, what they protect, and why. Knowing that information can better arm an analyst with the knowledge necessary to see if an organizational strategy does, in fact, meet the requirements of specific security controls or if some security controls simply don’t apply.

So, once again, open up your preferred browser, utilize your preferred search engine, and look for NIST 800-12 revision 2. Give it a dedicated read and learn more about the information security field. You’ll be glad you did!

We here at GuardSight thank you for taking the time to listen to this TomCast. For more information on various cybersecurity tips, head on over to our website and check out more TomCasts. Those are located over on www.guardsight.com/tomcast. Or, if you would like more information on what GuardSight can do for you, head on over to www.guardsight.com and contact us. There are several free cybersecurity tools out there that can help you improve your overall security posture. We’d love to hear from you! Thanks!