Compiling the Needed Documentation

With knowledge of the organization’s critical systems, you can now turn your attention to directing the team to draw up lists of required documents for review. Several standards clearly define and delineate the security policies an organization is expected to have. These include ISO 17799, NIST 800-26, and the NSA IAM. Our favorite of the three is the NSA IAM. The NSA revised its list in 2003 to closely match the NIST documentation. Whereas NIST separates policies into 17 classes of information, the NSA IAM expands this to 18. These are divided into the same three categories used by NIST: management, technical, and operational. All 18 categories are shown in Table 5.1.

Table 5.1. Documentation Classes and Categories
