On SP 800-39

Posted April 21st, 2008 by

The second draft of NIST SP 800-39, Managing Risk from Information Systems: An Organizational Perspective, is out. Go have a read and see what you think. NIST really does welcome and use comments.

When 800-39 first came out, I gave it a quick scan and said to myself, “meh, this is a rehash of all the things said elsewhere, especially 800-37.” The general consensus among my friends was the same, but once you get over that initial impression, you realize that the 800-39 Risk Management Framework is the stuff that fills in the gaps between everything else, and that this is how successful CISOs have been running their shops. One thing to keep in mind is that NIST writes doctrine, not technique, so you still have to read between the lines.

Anyway, it’s worth your time to give it a read, then drop your comments to NIST. They love it when you do.

Posted in NIST, Risk Management | 1 Comment »

One Response

  1.  Andrew Bruce Says:

    I’m in the Norwich University MSIA program and certainly looking to join you as a CISO. I’ll be reading your rants and I invite you right back to my own pontifications and gibberings at the Web site. Thanks for this resource!
