Widely recognized as the engine that drives the U.S. economy, information technology enables the vast majority of organizations to carry out their missions and business operations more efficiently and effectively. Along with their power and usefulness, however, information systems face serious man-made and natural threats that can adversely affect their associated organization's mission, operations, image and reputation. In order to provide guidelines for addressing these potential threats, the National Institute of Standards and Technology (NIST) has issued a draft of Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective, for public comment.
Risk management is a balancing act, requiring explicit management decisions that trade off the utility and convenience of modern information systems against the potential for serious harm if they are misused. Intended for individuals ranging from agency heads to system administrators, NIST's new guide outlines a top-level process for building and implementing a technically sound and effective information security program within an organization. It ties together various NIST computer security documents and, when finalized, it will become the flagship document in a series of NIST documents related to FISMA—the Federal Information Security Management Act.
The draft document is available at http://csrc.nist.gov/publications/PubsDrafts.html. As with all NIST Special Publications, the public review process is an essential part of the document's development. The public comment period for the document is Oct. 29–Dec. 14, 2007. Comments may be submitted via electronic mail at sec-cert [at] nist.gov or via regular mail at 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930.