Security Technical Implementation Guide
A Security Technical Implementation Guide, or STIG, is a methodology for standardized secure installation and maintenance of computer software and hardware. The term was coined by DISA (the Defense Information Systems Agency), which creates configuration documents in support of the United States Department of Defense (DoD). The implementation guidelines include recommended administrative processes and span the lifecycle of the device.

An example where STIGs would be of benefit is in the configuration of a desktop computer. Most operating systems are ordinarily usable in a wide range of environments. This leaves them open to being easily controlled by malicious people, such as identity thieves and computer hackers. A STIG therefore describes what needs to be done to minimize network-based attacks and to stop system access if a computer criminal is physically next to the device. Lastly, a STIG may also be used to describe the processes and lifecycles for maintenance (such as software updates and vulnerability patching).

Advanced examples would include the creation of STIGs for the design of a corporate network. A corporate network may consist of thousands of network devices and servers that control the flow of information. Therefore, for the network to be efficient and secure, STIGs may be used to define a common configuration for each device type (such as routers, firewalls, domain name servers, and switches). When a structure is as complex as this, it may even be beneficial to devise a STIG for common network structures found within the company (such as campus, remote site, and partner site requirements). Common STIGs are often the glue that binds related STIGs created by system administrators into groups, and they also address the security policies created by upper management.

Ultimately, STIGs are used to maintain the confidentiality, integrity, and availability of an information system and are an important part of configuration management for the system.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 