By Wade-Hahn Chan
Nov. 13, 2006
The National Institute of Standards and Technology has put together a
guide to information security tailored specifically for top-level
The publication, "Information Security Handbook: A Guide for Managers," 
was written for chief information officers, chief information security
officers and other officials who have a vested interest in the security
of agency systems but who do not necessarily need to get into the nuts
and bolts on a daily basis.
The guide focuses on issues that typically arise when planning and
implementing a security program, according to NIST.
One chapter, for example, looks at security governance, providing a
breakdown of the different security-related responsibilities that must
be handled by an agency's management team. The CIO should appoint a CISO
to develop and maintain security policies and procedures, the guidelines
state, but "information owners" -- individuals who actually manage
information -- should be the ones to decide the appropriate use and
distribution of their data.
NIST developed the handbook to help managers address the requirements of
various security policies and laws, such as the Clinger-Cohen Act of
1996 and the Federal Information Security Management Act. NIST intends
the guidelines to be generic, something agencies can tailor to their
specific technical and business requirements.
By providing a top-level look at security issues, the handbook "provides
guidance for facilitating a more consistent approach to information
security programs across the federal government," according to the
Subscribe to InfoSec News