Have you ever been asked to implement standards for your organization, only to find that they are buried in a gazillion-page document of tables and appendices from which you must pull the actionable items? Top that off with your organization's risk scores and the cross-referenced controls for the defined risk level... you get the picture. I think we all have, and we can agree that it isn't much fun. This morning, a colleague pointed me to a new release from our friends at NIST: NIST SP 800-53 Rev. 3 in database format. From the readme:
The NIST SP 800-53 reference database application is a FileMaker runtime database solution. It represents the security controls that are organized into families for ease of use in the control selection and specification process. The security control structure consists of three key components: a control section, a supplemental guidance section, and a control enhancements section. The priority and minimum assurance requirements (i.e., low, moderate, and high) for security controls are applicable to each control. The user can browse the security controls based on various criteria, search for a specific control, and export the control to various file types, e.g., tab-separated text file, comma-separated text file, XML, etc.
The download is about 42 MB and is available here. Unzip it and you are ready to roll; note, however, that this beta runs only on Windows. If you're not familiar with the NIST SP 800 family of publications, you should be: they provide a great body of knowledge and vetted security controls, and they are available at no cost.
The application itself requires no installation and will therefore run without administrative rights on the machine you use it on (hint: you can share it with folks like legal counsel or developers so they get the same ease of access). As with any portable executable that skips installation, get it from NIST directly rather than from a mirror. To protect the integrity of the data, the instance runs read-only, which keeps the packaged control text from being edited inside the application; the authoritative wording is still the published SP 800-53 itself. Once it is up and running, you are presented with a fairly busy interface that takes a bit of browsing to understand; after a few minutes, though, you can quickly find the controls you need according to your risk impact scores, with all the supporting information at your fingertips. This truly is a helpful tool to have in your toolkit.
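Once you have exported controls to one of the tab-separated or comma-separated formats the readme mentions, the "find the controls for my impact level" step can be scripted rather than clicked through. The following is an added example and is not code from the original post or from the NIST tool. The column names (Family, ID, Name, Priority, Low, Moderate, High), the "Not Selected" marker and the enhancement notation "AC-2 (1) (2)" are assumptions about what an export looks like; the sample rows are constructed here from the Rev. 3 baseline summary and should be checked against the publication before use.

```python
import csv
import io
import re

# Constructed sample standing in for a tab-separated export from the reference database.
# Column layout and the "Not Selected" marker are ASSUMPTIONS about the export format;
# the allocations follow the SP 800-53 Rev. 3 summary table but verify them yourself.
SAMPLE_TSV = """\
Family\tID\tName\tPriority\tLow\tModerate\tHigh
AC\tAC-1\tAccess Control Policy and Procedures\tP1\tAC-1\tAC-1\tAC-1
AC\tAC-2\tAccount Management\tP1\tAC-2\tAC-2 (1) (2) (3) (4)\tAC-2 (1) (2) (3) (4)
AC\tAC-10\tConcurrent Session Control\tP2\tNot Selected\tNot Selected\tAC-10
AU\tAU-2\tAuditable Events\tP1\tAU-2\tAU-2 (3) (4)\tAU-2 (3) (4)
"""

BASELINES = ("Low", "Moderate", "High")
ENHANCEMENT_RE = re.compile(r"\((\d+)\)")


def parse_allocation(cell: str):
    """Turn a baseline cell such as 'AC-2 (1) (2)' into the set of enhancement numbers.

    Returns None when the control is not allocated to that baseline, so callers can
    distinguish 'control selected with no enhancements' (empty set) from 'not selected'.
    """
    cell = cell.strip()
    if not cell or cell.lower() == "not selected":
        return None
    return {int(n) for n in ENHANCEMENT_RE.findall(cell)}


def load_controls(tsv_text: str):
    """Parse an exported tab-separated control table into plain dicts."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    controls = []
    for row in reader:
        controls.append({
            "family": row["Family"],
            "id": row["ID"],
            "name": row["Name"],
            "priority": row["Priority"],
            "baselines": {level: parse_allocation(row[level]) for level in BASELINES},
        })
    return controls


def controls_for_impact(controls, impact: str):
    """Controls (and their enhancements) allocated to one baseline, e.g. 'moderate'."""
    level = impact.capitalize()
    if level not in BASELINES:
        raise ValueError(f"unknown impact level: {impact!r}; expected one of {BASELINES}")
    selected = {}
    for c in controls:
        enhancements = c["baselines"][level]
        if enhancements is not None:
            selected[c["id"]] = sorted(enhancements)
    return selected


def added_at(controls, lower: str, higher: str):
    """What stepping up from one baseline to another adds: new controls and new enhancements."""
    lo = controls_for_impact(controls, lower)
    hi = controls_for_impact(controls, higher)
    delta = {}
    for cid, enhancements in hi.items():
        extra = sorted(set(enhancements) - set(lo.get(cid, [])))
        if cid not in lo or extra:
            delta[cid] = extra
    return delta


if __name__ == "__main__":
    rows = load_controls(SAMPLE_TSV)
    for level in BASELINES:
        print(level, controls_for_impact(rows, level))
    print("Low -> Moderate adds:", added_at(rows, "low", "moderate"))
    print("Moderate -> High adds:", added_at(rows, "moderate", "high"))
```

Point the loader at a real export instead of `SAMPLE_TSV` (the file is tab-delimited, so keep `delimiter="\t"`), and adjust the column names if the tool labels them differently. The `added_at` view is the one I find most useful in practice: it answers "what does moving this system from moderate to high actually cost us?" without paging through the whole table.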