Second draft of NIST SP 800-39, Managing Risk from Information Systems, an Organization Perspective, is out, go have a read and see what you think. NIST really does welcome and use comments.

When 800-39 first came out, I gave it a quick scan and said to myself “meh, this is a rehash of all the things said elsewhere, especially 800-37. The general consensus between my friends was the same, but that after you get over that initial impression, you realize that the 800-39 Risk Management Framework is the stuff that fills in the gaps between everything and that this is how successful CISOs have been running their shops. One thing to think about is that NIST writes doctrine not technique, so you still have to read between the lines.

Anyway, it’s worth your time to give it a read, then drop your comments to NIST. They love it when you doo….

• Mike’s Guide to Information Security Policy
• Opportunity Costs and the 20 Critical Security Controls
• Some Comments on SP 800-39
• An Open Letter to NIST About SP 800-30
• New SP 800-60 is Out, Categorize Yerselves Mo Better