SECTION Newsletter: Book Review
Volume No. 2, Issue No. 6, May 2004

The Fundamentals of IT Security

New publications from the National Institute of Standards and Technology (NIST) cover information-security topics ranging from evaluating computer-security products to penetration testing. The first, Guide to Information Technology Security Services, is a high-level document that examines management, operational, and technical IT security services. The guide provides “assistance with selecting, implementing, and managing IT security services by guiding the organisation through the various phases of the IT security services life cycle.” Next is the Guide to Selecting Information Technology Security Products, which explains infosec products from access control devices to vulnerability scanners. Aimed at the non-technical security professional, the guide looks at the different types of products available and examines the “environment questions” that need to be answered before purchasing a product or service. The third, the Guideline on Network Security Testing, describes the tools and techniques needed to perform a network security test and offers recommendations for identifying “network security testing requirements and how to prioritize testing activities with limited resources.” Next is Building an Information Technology Security Awareness and Training Program, which examines awareness and training program design, development of materials, program implementation, and monitoring. Last is Security Considerations in the Information Systems Development Life Cycle, which treats security as a primary consideration when information systems are planned for and purchased. It also offers a look at government-mandated information security topics such as the Common Criteria, which provides assurance, based on evaluation, that a product or service can be trusted.

Security Management – March 2004.