NIST releases info security documents
The National Institute of Standards and Technology has published two new interagency reports designed to help auditors, inspectors general and senior management understand and evaluate information security programs.NISTIR 7359
, titled “Information Security Guide for Government Executives,” is an overview of IT security concepts that senior management should grasp. NISTIR 7358
, titled “Program Review for Information Security Management Assistance (PRISMA),” lays out a standardized approach for measuring the maturity of an information security program.
PRISMA is a methodology developed by NIST for reviewing complex requirements and posture of a federal information security program. It is intended for use by security personnel, as well as internal reviewers, auditors and IGs. Tools laid out in NISTIR 7358 should help identify program deficiencies, establish baselines, validate corrections and provide supporting information for Federal Information Security Management Act scorecards. It gives a maturity level in nine primary topic areas:
- Information security management and cuilture
- Information security planning
- Security awareness, training and education
- Budget and resources
- Life cycle management
- Certification and accreditation
- Critical infrastructure protection
- Indicent and remergency response
- Security controls
PRISMA is based on the Software Software Engineering Institute’s former Capability Maturity Model and each topic area is rated in one of five levels of maturity, with the fifth level being the highest:
NISTIR 7359 is addressed to senior management, because studies have shown that senior management’s commitment to information security is the most critical element in the success of an information security program. Executives are responsible for establishing the program and setting its goals, as well ensuring that resources are made available to fulfill them.
The guide answers five basic questions about information security for the senior level manager:
- Why do I need to invest in information security?
- Where do I need to focus my attention to accomplish critical information security goals?
- What are the key activities in building an effective information security program?
- What are the laws, regulations, standards and guidelines that I need to understand to build an effective information security program.
- Where can I learn more to help evaluate my program?
Connect with the GCN staff on Twitter @GCNtech.