- Information Security Policy [NIST SP 800-100 2.2.5]
An aggregate of directives, rules, and practices that prescribes how an organization manages, protects, and distributes information.
- Information Security Architecture [NIST SP 800-39 2.4.3]
A description of the structure and behavior for an enterprise’s security processes, information security systems, personnel and organizational sub-units, showing their alignment with the enterprise’s mission and strategic plans.
- Generally Accepted Principles and Practices for Securing Information Technology Systems [NIST SP 800-14]
SP 800-14 is withdrawn in its entirety. Revised content from the original publication can now be found in the following publications:
- Information Security Program
Building an information security program means designing and implementing security practices to protect critical business processes and IT assets. The security practices that make up the program are meant to mature over time. An information security program also helps to define policies and procedures for assessing risk, monitoring threats, and mitigating attacks.