
NIST 800-14

NIST Special Publication 800-14 describes common security principles that should be addressed within security policies. The purpose of this document is to describe 8 principles and 14 practices that can be used to develop security policies. A significant part of this document is dedicated to auditing user activity on a network. Specific requirements include tracking user actions and, in the event of any investigation, the ability to reconstruct exactly what a user has done. Auditing, monitoring, and intrusion detection are heavily emphasized in this standard.

The eight principles of Special Publication 800-14 are as follows:

1. Computer security supports the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost-effective.
4. System owners have security responsibilities outside their own organizations.
5. Computer security responsibilities and accountability should be made explicit.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors.

The 14 practice areas of Special Publication 800-14 are as follows:

1. Policy
2. Program Management
3. Risk Management
4. Life Cycle Planning
5. Personnel/User Issues
6. Preparing for Contingencies and Disasters
7. Computer Security Incident Handling
8. Awareness and Training
9. Security Considerations in Computer Support and Operations
10. Physical and Environmental Security
11. Identification and Authentication
12. Logical Access Control
13. Audit Trails
14. Cryptography

This standard provides guidelines for all of these areas. Therefore, it is a good place to get guidance on what security controls should be implemented on a target network. You can then tailor your penetration test to validate (or refute) that these standards are being met.