The National Institute of Standards and Technology (NIST) is responsible for developing information security standards and guidelines. For national security systems, however, the standards and guidelines it develops must be approved by federal officials, because the Federal system retains control and authority over matters of national security (Polk et al., 2014). The Information Technology Laboratory (ITL) at NIST recommends the use of approved cryptographic schemes and algorithms, and the configuration of Transport Layer Security (TLS) with approved cipher suites (Green, 2014).
According to Polk et al. (2014), TLS is instrumental in protecting sensitive data while it is transmitted electronically over the Internet. TLS is therefore an effective protocol for providing data integrity, confidentiality, and authentication. TLS versions 1.1 and 1.2 are both approved for the protection of Federal information when properly configured. TLS version 1.0 is approved only when it is required for interoperability with non-government systems and is configured according to the guidelines (Green, 2014).
Many networked applications rely on the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to protect sensitive data transmitted over insecure channels. In essence, TLS requires the existence of a Public Key Infrastructure (PKI) that generates public key certificates to protect information on the Internet. Additionally, it provides a protected channel for sending data between the server and the client. The client is often, but not always, a web browser. TLS is a layered protocol that runs on top of a reliable transport protocol – typically the transmission control protocol (TCP). Application protocols, such as the Hypertext Transfer Protocol (HTTP) and the Internet Message Access Protocol (IMAP), can run above TLS. Furthermore, TLS is application independent and used to provide security to any two communicating applications that transmit data over a network via an application protocol. It can be used to create a virtual private network (VPN) that connects an external system to an internal network, allowing that system to access a multitude of internal services and resources as if it were in the network.
These guidelines focus on the common case in which clients and servers must interoperate with a wide variety of implementations and authentication is performed with public key certificates. To promote interoperability, the guidelines establish mandatory features and cipher suites that conforming implementations must support. There are, however, far more constrained TLS server implementations, where security is needed but broad interoperability is not required and the cost of implementing every available feature may be prohibitive. For example, minimal servers are often implemented in embedded controllers and in network infrastructure devices such as routers, and are then used with browsers to configure and manage the devices remotely. In such cases, implementing an appropriate subset of the capabilities specified in the guidelines may be acceptable.
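The version policy above (1.1 and 1.2 approved, 1.0 interoperability-only) and the requirement for approved cipher suites and certificate-based authentication can be expressed as a client configuration plus a checker. The following is an added example written for this essay, not code from SP 800-52 or from NIST; it uses only Python's standard `ssl` module. Two assumptions are made: TLS 1.2 is chosen as the floor (Revision 1 also approves 1.1, but current OpenSSL builds reject it at handshake), and the cipher-suite filter `ECDHE+AESGCM:DHE+AESGCM` stands in for the document's list of approved suites.

```python
"""Build a TLS client context that follows the SP 800-52r1 version and
cipher-suite advice summarised above, and check a context for deviations.
Added example for this essay, not NIST or project code; only the standard
ssl module is used. Assumptions: TLS 1.2 floor (1.1 is approved by Rev. 1
but unusable on current OpenSSL) and a forward-secret AES-GCM cipher list
standing in for the guideline's approved-suite table."""
import ssl

# Protocol-version policy as the essay states it: 1.1 and 1.2 approved,
# 1.0 only for interoperability with non-government systems, older never.
# TLS 1.3 post-dates Rev. 1 and is treated as approved here (assumption).
def classify_version(version) -> str:
    if version >= ssl.TLSVersion.TLSv1_1:
        return "approved"
    if version == ssl.TLSVersion.TLSv1:
        return "interoperability-only"
    return "not-approved"        # SSLv3 or MINIMUM_SUPPORTED (whatever OpenSSL allows)


def make_approved_client_context(cafile=None) -> ssl.SSLContext:
    """Client context aligned with the guideline (assumed TLS 1.2 floor)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # PKI is mandatory: the server must present a certificate that chains to a
    # trusted CA, and the name in it must match the host we asked for.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile)   # e.g. the agency's own CA bundle
    else:
        ctx.load_default_certs()
    # TLS 1.2 suites restricted to forward-secret key exchange with AES-GCM.
    # TLS 1.3 suites are AEAD-only and are selected separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM")
    return ctx


def make_unverified_context() -> ssl.SSLContext:
    """Deliberately weak context, for comparison: no certificate checking."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Substrings that mark legacy or null cipher suites in OpenSSL names.
WEAK_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT", "anon")


def check_context(ctx: ssl.SSLContext) -> list:
    """Return a list of human-readable deviations; empty means compliant."""
    findings = []
    status = classify_version(ctx.minimum_version)
    if status != "approved":
        findings.append(
            f"minimum protocol version {ctx.minimum_version.name} is {status}")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(
            "server certificate verification is not required (PKI trust bypassed)")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(m in name for m in WEAK_MARKERS) or not suite.get("aead"):
            findings.append(f"cipher suite {name} is not an approved AEAD suite")
    return findings


if __name__ == "__main__":
    for label, ctx in (("approved", make_approved_client_context()),
                       ("unverified", make_unverified_context())):
        print(f"{label}: {check_context(ctx) or 'no findings'}")
```

Running the script prints no findings for the hardened context and a list of deviations for the unverified one (missing certificate verification plus every non-AEAD suite in OpenSSL's default list). Pointing `check_context` at the contexts an application actually builds is a cheap way to catch the two most common guideline violations: a minimum version left at the library default and `CERT_NONE` left over from testing.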
Green (2014) explains all aspects of InfoSec program and policy planning, development, deployment, and management, together with best-practice policies for key industry sectors, including finance, healthcare, online commerce, and small business. These policies exist to protect the organization and its constituents from harm. Major areas of information security policy include:
- Codifying information security directives in a written policy document.
- Management participation in developing the policy and support for it once adopted.
It is important for every organization to develop a security strategy of its own, based on its needs, objectives, and regulatory requirements. Information security policies are governance statements written with the intent of directing the organization, and the management team should commit to governing its information through written policies (Polk et al., 2014). According to Green (2014), information security differs from security programs and policies: the former assesses risk management, management itself, and the role of the organization, whereas security programs and policies focus on the development of new policies.
Polk, T., McKay, K., & Chokhani, S. (2014, April). Guidelines for the selection, configuration, and use of Transport Layer Security (TLS) implementations (NIST Special Publication 800-52 Revision 1). Gaithersburg, MD: National Institute of Standards and Technology.
Green, S. S. (2014, March). Security program and policies: Principles and practices (2nd ed.). Indianapolis, IN: Pearson. ISBN-13: 978-0-7897-5167-6.