[127443] in North American Network Operators' Group


RE: Sources of network security templates or designs

daemon@ATHENA.MIT.EDU (Sean Donelan)
Tue Jun 29 08:45:55 2010

Date: Tue, 29 Jun 2010 08:45:39 -0400 (EDT)
From: Sean Donelan <sean@donelan.com>
To: "Tomas L. Byrnes" <tomb@byrneit.net>
In-Reply-To: <72F9A69DCF990443B2CEC064E605CE060857CA@Pascal.zaphodb.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Sat, 26 Jun 2010, Tomas L. Byrnes wrote:
> While the DISA STIGs are probably the archetype, you have to start with
> whatever the sponsoring or certifying authority uses, if you need to
> pass some audit later.

True, but even sponsoring and certifying authorities need to get 
information from somewhere.  So where should they get it from?

For example, amex/mastercard/visa/others created PCI security standards; 
and if all you want to do is achieve compliance with those security 
standards that's where you would stop.  But where should the people 
creating the PCI security standards look beyond their own world to find
better ideas to improve the next version?  Replace "PCI" with whatever 
your favorite group is... CAG, SOX, FDCC, etc.


> Those almost always reference NIST docs:
> http://www.nist.gov/itl/publications.cfm?defaultSearch=false&authorlist=&keywords=&topics=309&seriesName=&journalName=&datepicker1=&datepicker2=#

NIST documents are updated on a regular basis.  If part of your job was 
helping to update NIST documents, are there other resources to consider
when updating those documents?

Are there things in NIST documents you think could be improved?

> For generic sources, I agree with Cymru as a good resource, but my
> favorite is SANS.
>
> http://www.sans.org/reading_room/
