Risk management is a balancing act, requiring explicit management decisions that trade off the utility and convenience of modern information systems against the potential for serious harm if they are misused. Intended for individuals ranging from agency heads to system administrators, NIST's new guide outlines a top-level process for building and implementing a technically sound and effective information security program within an organization. It ties together various NIST computer security documents and, when finalized, will become the flagship document in a series of NIST publications related to FISMA, the Federal Information Security Management Act.
As with all NIST Special Publications, the public review process is an essential part of the document's development. The public comment period for the document is Oct. 29-Dec. 14, 2007.