What is the NIST SP 800-12 publication?

NIST Special Publication 800-12, originally titled “An Introduction to Computer Security: The NIST Handbook”, provides an overview of key computer security concepts for readers who have little or no background in the subject. It was first published by the National Institute of Standards and Technology (NIST) in October 1995 (authors Barbara Guttman and Edward Roback) and has been revised once: SP 800-12 Revision 1, retitled “An Introduction to Information Security”, was published in June 2017 (authors Michael Nieles, Kelley Dempsey, and Victoria Yan Pillitteri) and supersedes the 1995 edition.

Purpose and Scope

The NIST SP 800-12 publication serves as a general introduction and overview of computer security topics for a broad audience. It is intended for individuals who use, manage, or access computer systems and networks, but who do not necessarily have extensive technical knowledge about computer security.

Some of the key topics covered in the handbook include:

  • Basic concepts of computer security such as confidentiality, integrity, and availability, and the elements of a sound security program
  • Common threats to systems and data such as errors and omissions, fraud and theft, malicious code, and insider threats
  • Security controls such as identification and authentication, logical access control, audit trails, and cryptography
  • Security policy, program management, and risk management for organizations
  • Contingency planning and incident handling
  • Security awareness, training, and education

The publication provides a high-level overview of these topics to build core knowledge about computer security. It does not go into extensive technical details, which allows it to be accessible to a broad range of readers.

History and Background

The NIST SP 800-12 publication originated in the early 1990s from the need for introductory computer security awareness material for a wide variety of audiences. At the time, NIST did not have educational material that gave a basic overview of computer security topics in non-technical language.

To address this need, NIST developed a computer security primer, published in October 1995 as the first edition of SP 800-12 under the title “An Introduction to Computer Security: The NIST Handbook”. This original edition contained 20 chapters, organized into an introductory part, three parts covering management, operational, and technical controls, and a closing worked example that applied the material to a hypothetical government agency (“HGA”):

  1. Introduction
  2. Elements of Computer Security
  3. Roles and Responsibilities
  4. Common Threats: A Brief Overview
  5. Computer Security Policy
  6. Computer Security Program Management
  7. Computer Security Risk Management
  8. Security and Planning in the Computer System Life Cycle
  9. Assurance
  10. Personnel/User Issues
  11. Preparing for Contingencies and Disasters
  12. Computer Security Incident Handling
  13. Awareness, Training, and Education
  14. Security Considerations in Computer Support and Operations
  15. Physical and Environmental Security
  16. Identification and Authentication
  17. Logical Access Control
  18. Audit Trails
  19. Cryptography
  20. Assessing and Managing the Risks (the HGA case study)

Since the initial release in 1995, the handbook has undergone one major revision. SP 800-12 Revision 1 was published in June 2017 with extensive changes:

  • The title was changed to “An Introduction to Information Security”, reflecting the shift in NIST’s vocabulary from “computer security” to “information security”
  • The number of chapters was reduced from 20 to 10; the separate management, operational, and technical control chapters were consolidated into a single chapter on control families
  • The content was aligned with the NIST guidance that postdates the original: the Risk Management Framework (SP 800-37), organization-wide risk management (SP 800-39), and the security control catalog (SP 800-53)
  • Roles and responsibilities were updated to the current federal roles (authorizing official, senior agency information security officer, system owner, and so on)
  • The chapter-length case study of a hypothetical government agency was dropped

While the content has evolved over time, the core mission of the NIST SP 800-12 publication has remained the same – to provide introductory computer security awareness for a wide range of audiences. It continues to serve as a valuable educational resource for organizations and individuals today.

Key Chapters and Topics

The current edition, SP 800-12 Revision 1 (June 2017), contains the following 10 chapters and key topics:

Chapter 1: Introduction

  • Purpose, intended audience, and organization of the publication
  • Important terminology (information, information system, information security, risk)
  • Legal foundation for federal information security programs, notably the Federal Information Security Modernization Act (FISMA)

Chapter 2: Elements of Information Security

  • Information security supports the mission of the organization
  • Information security is an integral element of sound management
  • Protections are implemented commensurate with risk
  • Roles and responsibilities are made explicit
  • Information security requires a comprehensive and integrated approach
  • Information security is assessed and monitored regularly
  • Information security is constrained by societal and cultural factors

Chapter 3: Roles and Responsibilities

  • Organization-level roles such as the risk executive (function), chief executive officer, chief information officer, and senior agency information security officer
  • System-level roles such as the authorizing official, information owner or steward, system owner, information system security officer, and security control assessor
  • Supporting roles such as system administrators and users

Chapter 4: Threats and Vulnerabilities: A Brief Overview

  • Threat sources such as errors and omissions, fraud and theft, insider threats, malicious hackers, malicious code, and loss of physical and infrastructure support
  • Impacts to personal privacy
  • Vulnerabilities as the weaknesses through which a threat causes harm

Chapter 5: Information Security Policy

  • Policy as distinct from standards, guidelines, and procedures
  • Program policy, issue-specific policy, and system-specific policy
  • Interdependencies with other controls and cost considerations

Chapter 6: Information Security Risk Management

  • Framing, assessing, responding to, and monitoring risk (SP 800-39)
  • The Risk Management Framework steps: categorize, select, implement, assess, authorize, monitor (SP 800-37)

Chapter 7: Assurance

  • Authorization as a management decision informed by assurance evidence
  • Planning, design and implementation, and operational assurance
  • Methods such as control assessments, audits, and continuous monitoring

Chapter 8: Security Considerations in System Support and Operations

  • User support and software support
  • Configuration management
  • Backups, media controls, and documentation
  • Maintenance

Chapter 9: Cryptography

  • Uses of cryptography: data encryption, integrity, electronic signatures, and user authentication
  • Hash functions, symmetric (secret-key) and asymmetric (public-key) cryptography
  • Key management and public key infrastructure
  • Implementation and interoperability issues

Chapter 10: Control Families

  • Overview of the 18 security control families of SP 800-53 Revision 4, from access control and awareness and training through system and information integrity and program management

Figures and tables are used throughout to illustrate the concepts, and key terms are defined as they are introduced.

Intended Audiences

The NIST SP 800-12 publication is intended for a wide range of audiences that need introductory awareness of computer and information security concepts. Some of the key target audiences include:

  • Individual computer users – To understand basic measures to secure their computers and information
  • Technical staff – To complement more in-depth technical training on security
  • Business managers – To appreciate the importance of security and the role of governance
  • Attorneys – To gain awareness of laws and regulations related to information security
  • Students – As a foundational reading on information security topics

The publication is written in accessible language so it can be understood by readers with varied backgrounds and experience. The breadth of topics also makes it a valuable general reference for many audiences.

Key Lessons Learned

Some of the key lessons that readers can take away from the NIST SP 800-12 publication include:

  • Understanding the CIA triad model of information security: confidentiality, integrity, and availability.
  • Learning the governance practices an organization should put in place: policy, roles and responsibilities, training, and risk management.
  • Appreciating that both technical controls (e.g. encryption, access control) and non-technical controls (e.g. policy, training) are needed for effective security.
  • Recognizing that information security is an ongoing process, not a one-time event.
  • Understanding the importance of incident handling and contingency planning for recovering from security breaches or disasters.
  • Balancing security with operational effectiveness and usability.

While the publication provides an overview, readers will gain core knowledge to serve as a foundation for further developing their information security expertise in specific areas.

How the Publication Helps Improve Security

The NIST SP 800-12 publication helps organizations, companies, and individuals improve their security posture in several ways:

  • Increasing general security awareness – It teaches basic concepts and threats to a wide audience in accessible language.
  • Fostering better security practices – Explaining governance, controls, and technologies motivates readers to implement good security hygiene.
  • Demonstrating leadership commitment – Publishing the guide highlights NIST’s commitment to security awareness.
  • Complementing technical training – It provides foundational knowledge as a precursor to technical training.
  • Supporting security certifications – It serves as an introductory resource for preparing for information security certifications.

By promoting stronger foundational knowledge, the publication helps elevate information security across organizations and the general public over time.

Current Relevance and Use

The core concepts covered in NIST SP 800-12 remain highly relevant. The current edition, Revision 1, dates from 2017, and much of its material descends from the 1995 handbook because fundamental security principles have a long shelf life. Topics such as risk management, security policy, awareness programs, and contingency planning remain pertinent despite evolving technologies.

Readers should supplement the publication with more current sources on threats and technologies. One specific caveat: the control families it summarizes are those of SP 800-53 Revision 4; SP 800-53 Revision 5 has since added families (for example PII processing and transparency, and supply chain risk management), so the list in Chapter 10 is no longer complete. Most of the underlying processes and practices in the handbook are nonetheless still applicable in modern environments.

The publication continues to see use as an introductory security awareness resource, for example:

  • As background reading in federal agency security awareness and role-based training programs.
  • As foundational reading in university information security courses.
  • As preparatory material for entry-level information security certifications.
  • As a reference when organizations draft security policies and assign security roles and responsibilities.

The enduring relevance and popularity of the publication underscores its value in providing a strong baseline of security knowledge for diverse audiences.

Conclusion

First published in 1995 and revised in 2017, NIST SP 800-12 serves as a comprehensive introduction to computer security concepts and best practices. While technology has changed over time, the core lessons around information security governance, system protections, and contingency planning remain pertinent today. It continues to be used by government, academia, and industry to build foundational security understanding for a broad range of audiences, and it succeeds in its mission of promoting security awareness and education in support of more secure computing environments.