Implementation of the process approach to managing risks of information security in the NIST documents

Abstract

The methodological foundations of activity of the National Institute of Standards and Technology of the United States (NIST) are explored. The focus is on the process approach to developing recommendations, manuals, guidelines, framework documents. The principles established by such documents direct the activities of organizations to manage information security risks. In this article analyzes methodical documents on information security, cyber security and computer security aimed to help select a set of security control measures. In particular, this analysis relates to such stages of work of the protection of information. First, the classification of information and information systems. Secondly, the application of the basic rules relating to organizational measures for information protection. Thirdly, it is the implementation of selective control measures of protection, which are appropriate and adequate to a certain information system. The explored methodical documents NIST provides practical advices to specialists in information protection for decrease the risks of information security. The use of the methodical documents NIST in the United States is mandatory for government agencies and organizations. The security system developed on their basis is aimed at reducing the security risks of information and information systems for any organizations, and not only the state form of ownership. The proposed basic protection measures can be adapted for practical application with minor modifications. Creating an effective, individual, integrated system of information security is an important task, which is based on the process of managing information security risks. The security system will save both the profitability of the organization and its reputation by reducing the risks of information security.