NIST releases info security documents

The National Institute of Standards and Technology has published two new interagency reports designed to help auditors, inspectors general and senior management understand and evaluate information security programs.

NISTIR 7359, titled “Information Security Guide for Government Executives,” is an overview of IT security concepts that senior management should grasp. NISTIR 7358, titled “Program Review for Information Security Management Assistance (PRISMA),” lays out a standardized approach for measuring the maturity of an information security program.

PRISMA is a methodology developed by NIST for reviewing complex requirements and posture of a federal information security program. It is intended for use by security personnel, as well as internal reviewers, auditors and IGs. Tools laid out in NISTIR 7358 should help identify program deficiencies, establish baselines, validate corrections and provide supporting information for Federal Information Security Management Act scorecards. It gives a maturity level in nine primary topic areas:
  • Information security management and culture
  • Information security planning
  • Security awareness, training and education
  • Budget and resources
  • Life cycle management
  • Certification and accreditation
  • Critical infrastructure protection
  • Incident and emergency response
  • Security controls

PRISMA is based on the Software Engineering Institute’s former Capability Maturity Model, and each topic area is rated at one of five levels of maturity, with the fifth level being the highest:
  1. Policies
  2. Procedures
  3. Implementation
  4. Testing
  5. Integration.
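To make the rating scheme concrete, here is a small scoring model written for this article; it is an added example, not NIST's PRISMA tool or any code from NISTIR 7358. It assumes the five levels are cumulative (a topic area cannot be rated "Procedures" until "Policies" is met, and so on), and it uses a constructed assessment rather than real agency data. It shows the three uses the report lists: identifying the deficiency to fix next in each area, recording a baseline, and validating corrections on a follow-up review.

```python
"""Toy PRISMA-style maturity scoring (added illustration, not NIST's own tool)."""
from typing import Dict, List, Optional

# The nine primary topic areas named in NISTIR 7358.
TOPIC_AREAS: List[str] = [
    "Information security management and culture",
    "Information security planning",
    "Security awareness, training and education",
    "Budget and resources",
    "Life cycle management",
    "Certification and accreditation",
    "Critical infrastructure protection",
    "Incident and emergency response",
    "Security controls",
]

# The five maturity levels, lowest to highest.
LEVELS: List[str] = ["Policies", "Procedures", "Implementation", "Testing", "Integration"]


def maturity_level(satisfied: Dict[str, bool]) -> int:
    """Return 0..5: how many consecutive levels, starting at Policies, are met.

    Assumption for this example: levels are cumulative, so an unmet lower
    level caps the score even if higher-level criteria happen to be met.
    """
    level = 0
    for name in LEVELS:
        if not satisfied.get(name, False):
            break
        level += 1
    return level


def first_gap(satisfied: Dict[str, bool]) -> Optional[str]:
    """Name the lowest unmet level (the deficiency to address next), or None if all five are met."""
    level = maturity_level(satisfied)
    return LEVELS[level] if level < len(LEVELS) else None


def score_program(assessment: Dict[str, Dict[str, bool]]) -> Dict[str, int]:
    """Score every topic area; an area absent from the assessment scores 0."""
    return {area: maturity_level(assessment.get(area, {})) for area in TOPIC_AREAS}


def validate_corrections(baseline: Dict[str, int], current: Dict[str, int]) -> Dict[str, List[str]]:
    """Compare a follow-up review against a stored baseline, area by area."""
    result: Dict[str, List[str]] = {"improved": [], "regressed": [], "unchanged": []}
    for area in TOPIC_AREAS:
        before, after = baseline.get(area, 0), current.get(area, 0)
        key = "improved" if after > before else "regressed" if after < before else "unchanged"
        result[key].append(area)
    return result


# Constructed sample data (not real agency results). Incident response has
# Implementation and Testing evidence but no Procedures, so it is capped at level 1.
SAMPLE_BASELINE: Dict[str, Dict[str, bool]] = {
    "Information security planning": {"Policies": True, "Procedures": True, "Implementation": True},
    "Incident and emergency response": {"Policies": True, "Implementation": True, "Testing": True},
    "Security controls": {lvl: True for lvl in LEVELS},
}

# Follow-up review: procedures were written for incident response, but the
# planning area let its implementation lapse.
SAMPLE_FOLLOWUP: Dict[str, Dict[str, bool]] = {
    "Information security planning": {"Policies": True, "Procedures": True},
    "Incident and emergency response": {"Policies": True, "Procedures": True, "Implementation": True, "Testing": True},
    "Security controls": {lvl: True for lvl in LEVELS},
}


def demo() -> Dict[str, List[str]]:
    """Establish a baseline, score the follow-up, and report what changed."""
    baseline = score_program(SAMPLE_BASELINE)
    current = score_program(SAMPLE_FOLLOWUP)
    return validate_corrections(baseline, current)


if __name__ == "__main__":
    for area, level in score_program(SAMPLE_BASELINE).items():
        gap = first_gap(SAMPLE_BASELINE.get(area, {}))
        print(f"{area}: level {level}, next gap: {gap}")
    print(demo())
```

Running the block prints each area's baseline level and its next gap, then the improved/regressed/unchanged lists for the follow-up review. The cumulative rule is what makes the tool useful for auditors: an area with test evidence but no written procedures is still reported at level 1, which is exactly the kind of deficiency a scorecard should surface.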

NISTIR 7359 is addressed to senior management, because studies have shown that senior management’s commitment to information security is the most critical element in the success of an information security program. Executives are responsible for establishing the program and setting its goals, as well as ensuring that resources are made available to fulfill them.

The guide answers five basic questions about information security for the senior level manager:
  • Why do I need to invest in information security?
  • Where do I need to focus my attention to accomplish critical information security goals?
  • What are the key activities in building an effective information security program?
  • What are the laws, regulations, standards and guidelines that I need to understand to build an effective information security program?
  • Where can I learn more to help evaluate my program?
