Guide to NIST security documents
NIST publishes a guide to its security documents
Security Strategies Alert
By M. E. Kabay, Network World, 05/08/2007
One of the most valuable sources for downloading free, unbiased publications about security management is the Web site of
the National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) Computer Security Division
(CSD) Computer Security Resource Center (CSRC).
According to the description on their home page, the CSRC "develops computer security prototypes, tests, standards, and procedures
to protect sensitive information from unauthorized access or modification. Focus areas include cryptographic technology and
applications, advanced authentication, public-key infrastructure, internetworking security, criteria and assurance, and security
management and support. These publications present the results of NIST studies, investigations, and research on information
technology security issues."
A new resource especially useful for newcomers to this excellent collection is the "Guide to NIST Computer Security Documents" edited by Tanya Brewer and Matthew Scholl and dated February 2007 (but the PDF file shows that it was updated in April).
The editors write:
"Currently, there are over 250 NIST information security documents. This number includes Federal Information Processing Standards
(FIPS), the Special Publication (SP) 800 series, Information Technology Laboratory (ITL) Bulletins, and NIST Interagency Reports
(NISTIR). These documents are typically listed by publication type and number or by month and year in the case of the ITL
Bulletins. This can make finding a document difficult if the number or date is not known. In order to make NIST information
security documents more accessible, especially to those just entering the security field or with limited needs for the documents,
we are presenting this Guide. In addition to being listed by type and number, this will present the documents using three
approaches to ease searching:
* by Topic Cluster
* by Family
* by Legal Requirement."
They add, "The Guide will be updated on a bi-annual basis to include new documents, topic clusters, and legal requirements,
as well as to update any shifts in document mapping that is appropriate."
Topic clusters include 23 classifications to help locate documents, starting with Annual Reports, Audit & Accountability and
Authentication, and finishing with Smart Cards, Viruses & Malware and Historical Archives (out of alphabetical order for some
reason). The "Families" classification starts with Access Control, Awareness & Training, Audit & Accountability and finishes
with System & Information Integrity. The Legal Requirements classification includes FISMA (Federal Information Security
Management Act of 2002), OMB Circular A-130 (Management of Federal Information Resources, Appendix III: Security of Federal
Automated Information Resources), the Health Insurance Portability and Accountability Act (HIPAA), and Homeland Security Presidential
Directive-7 (HSPD-7) - Critical Infrastructure Identification, Prioritization, and Protection, among others.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services.