I've been working lately with security models, specifically how you strategically approach security in organizations. Models such as FISMA/NIST and ISO 27000 (just two of many) are designed to help organizations approach this complex problem. After working with these two I wanted to share some observations and comparisons of these and perhaps get your perspective. Just some quick background. FISMA is actually not a model but a law passed in 2002 requiring US government organizations to implement certain information security standards. NIST defines those standards through documents, such as the SP800 series (of which there are over a hundred). ISO 27000 is originally based on the British Standards Institute BS7799 (parts 1-3). ISO now manages this model and standardized the 2700X numbering system.
Readability: First, how easy is it to read and understand the overall documentation and model? ISO 27000 wins this hands down. First, its ordered in a relatively easy to understand fashion. You start with 27001 which is the overall plan (called an ISMS). You then move onto ISO 27002 which gets a bit more detailed (controls, but at a high level). You then have several other 2700X documents to help you (such as with risk assessments). These have not been officially approved yet by ISO. FISMA unfortunately is much more haphazard. NIST has just published SP800-39 to help give an overview, but then you also need to read FIPS-199 and FIPS-200. There are also various other SP800 documents you can read to help get things started. The other problem is how they are written. I'm sure the fine folks at NIST meant well, but their documentation is written in painful government/academic speak, something I've never worked well with. ISO 27000 in comparison is written from a business perspective, much simpler and cleaner. ISO 27000 wins here hands down.
Availability: Okay, this is where NIST shines. Everything is organized by one organization, at one location, and its all for free! ISO 27000 on the other hand, while developed and approved by ISO, is not for free. Each ISO document costs several hundred dollars and can be purchased at various locations (I find the ANSI site to be the cheapest, its in American dollars :). NIST wins this one.
Strategic: This is where I really like ISO 27000. ISO 27001 focuses on how you will manage your strategic security plan (Plan, Do, Act, Check), ISO 27002 is your strategic plan. The NIST documentation simply jumps right in and has you start with IMPACT assessments on your information and information systems. They call it their Risk Management Framework, but its not. There is no analysis of risk, only impact. There doesn't seem to be any real high level plan, strategic goals, organizational reviews, etc. Its confusing and too tactical focused. Its also highly structured, its almost as if the authors do not trust the security professionals involved. ISO 27000 gives much more trust and flexibility. ISO 27000 wins this one.
Tactical: This is where I think NIST shines. While I'm not impressed by its strategic approach, it has a wealth of tactical knowledge. There are numerous SP800 documents (almost a hundred) that focus on just the technical details and recommended controls, such as mobile forensics, intrusion detection systems, or wireless. These standards can greatly help organizations. Also, NIST is just now kicking off their checklist series of documentation. The US government is moving to standardized, secure builds. While the concept of standardize builds is not new, what makes this VERY exciting is the US government is forcing all vendors to support these builds. You want the US government to buy your software, you have to support secured systems. This has already been done for WinXP and Vista and takes effect early next year. NIST wins here.
So, overall which is better? Neither. My preference is use ISO 27000 model for a strategic approach. However, once you get into the details the SP800 series can help. However I suggest staying away from SP800-39, FIPS-200, FIPS-199 I really think that their strategic approach is taking people down the wrong path. I'm interested in your input. Let me know if you agree or disagree with this assessment, and if so why. What is your preferred model or strategic approach to information security?
Readability: First, how easy is it to read and understand the overall documentation and model? ISO 27000 wins this hands down. First, its ordered in a relatively easy to understand fashion. You start with 27001 which is the overall plan (called an ISMS). You then move onto ISO 27002 which gets a bit more detailed (controls, but at a high level). You then have several other 2700X documents to help you (such as with risk assessments). These have not been officially approved yet by ISO. FISMA unfortunately is much more haphazard. NIST has just published SP800-39 to help give an overview, but then you also need to read FIPS-199 and FIPS-200. There are also various other SP800 documents you can read to help get things started. The other problem is how they are written. I'm sure the fine folks at NIST meant well, but their documentation is written in painful government/academic speak, something I've never worked well with. ISO 27000 in comparison is written from a business perspective, much simpler and cleaner. ISO 27000 wins here hands down.
Availability: Okay, this is where NIST shines. Everything is organized by one organization, at one location, and its all for free! ISO 27000 on the other hand, while developed and approved by ISO, is not for free. Each ISO document costs several hundred dollars and can be purchased at various locations (I find the ANSI site to be the cheapest, its in American dollars :). NIST wins this one.
Strategic: This is where I really like ISO 27000. ISO 27001 focuses on how you will manage your strategic security plan (Plan, Do, Act, Check), ISO 27002 is your strategic plan. The NIST documentation simply jumps right in and has you start with IMPACT assessments on your information and information systems. They call it their Risk Management Framework, but its not. There is no analysis of risk, only impact. There doesn't seem to be any real high level plan, strategic goals, organizational reviews, etc. Its confusing and too tactical focused. Its also highly structured, its almost as if the authors do not trust the security professionals involved. ISO 27000 gives much more trust and flexibility. ISO 27000 wins this one.
Tactical: This is where I think NIST shines. While I'm not impressed by its strategic approach, it has a wealth of tactical knowledge. There are numerous SP800 documents (almost a hundred) that focus on just the technical details and recommended controls, such as mobile forensics, intrusion detection systems, or wireless. These standards can greatly help organizations. Also, NIST is just now kicking off their checklist series of documentation. The US government is moving to standardized, secure builds. While the concept of standardize builds is not new, what makes this VERY exciting is the US government is forcing all vendors to support these builds. You want the US government to buy your software, you have to support secured systems. This has already been done for WinXP and Vista and takes effect early next year. NIST wins here.
So, overall which is better? Neither. My preference is use ISO 27000 model for a strategic approach. However, once you get into the details the SP800 series can help. However I suggest staying away from SP800-39, FIPS-200, FIPS-199 I really think that their strategic approach is taking people down the wrong path. I'm interested in your input. Let me know if you agree or disagree with this assessment, and if so why. What is your preferred model or strategic approach to information security?