This draft has been retired (February 01, 2007).
Further development of this specific document was discontinued.
Guide for Information Technology Security Assessments and System Reporting Form
Date Published: August 2005
Planning Note (1/9/2018):
Draft SP 800-26 Rev. 1 was retired on 2/1/2007 and never went "final". See the SP 800-26 record for information on superseding publications.
Author(s)
Marianne Swanson (NIST), Joan Hash (NIST), Mark Wilson (NIST), Richard Kissel (NIST)
Announcement
The NIST Computer Security Division is pleased to announce for your review and comment draft NIST Special Publication 800-26 Revision 1, Guide for Information Security Program Assessments and System Reporting Form. This draft document brings the assessment process up to date with key standards and guidelines developed by NIST.
Abstract
Agencies must plan for security, ensure that the appropriate officials are assigned security responsibility and trained accordingly, review security controls, and authorize system processing prior to operations and periodically thereafter. These management responsibilities presume that responsible agency officials understand the risks and other factors that could negatively impact their mission goals. Moreover, these officials must understand the current status of their information security program and system-level security controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level.
An assessment is one method agency officials can employ to help determine the current status of their information systems and agency-wide information security program. Ideally, assessments of selected security controls should be conducted on an ongoing basis to systematically identify programmatic weaknesses and, where necessary, establish targets for continuing improvement. This document provides a standardized form for reporting the results of system-level assessments and a method for evaluating the effectiveness of an agency information security program. Additionally, the document provides guidance on using the results of the information security program and system assessments to ascertain the status of the agency-wide information security program.
Keywords
information security program assessment; security controls; system assessments
Control Families
None selected
Documentation
Publication:
Draft SP 800-26 Rev. 1
Supplemental Material:
None available
Related NIST Publications:
SP 800-26
Document History:
08/15/05: SP 800-26 Rev. 1 (Draft)