NIST gives agencies tool to assess IT security programs
- By William Jackson
- Apr 27, 2007
The National Institute of Standards and Technology has released a database to help agencies collect data needed to assess IT security programs and produce reports for action plans.
The PRISMA database, which can be downloaded at http://prisma.nist.gov
, is part of the Program Review for Information Security Management Assistance, a tool developed by NIST for reviewing the complex information security requirements and posture of federal information security programs. It brings together guidelines from NIST publications, federal standards, best practices and requirements in the Federal Information Security Management Act.
PRISMA provides a framework for an independent in-house review of the maturity of an agency's info security program. It requires documentation of security policies, procedures and implemented controls as well as a review of the agency's organizational structure, culture and business mission. After the assessment, the PRISMA team identifies issues and develops a weighted list of corrective actions that will provide the greatest improvements in the most cost-effective manner.
The PRISMA framework was released in January in NIST Interagency Report 7358. The database was made available in April. The database is in Microsoft Access 2003 and can help generate a report in Microsoft Word. The current database is populated with sample information to illustrate the functionality and should be cleared when performing the review.
If you are having trouble finding the guidelines or standards you need while doing your IT security assessment, NIST has also released a Guide to NIST Computer Security Documents
, a PDF file that indexes more than 250 publications issued by the NIST Computer Security Division.
The Computer Security Division publications fall into four families:
- Federal Information Processing Standards, detailing standards and guidelines adopted under the FISMA.
- Special Publication 800-series, which report the results of research and guidelines developed by the Information Technology Laboratory.
- ITL Bulletins, which give in-depth insight into significant topics.
- NIST interagency reports on topics of more limited or transitory interest.
In addition to listings by these families, publications also are listed by topic cluster and legal requirements. The guide will be updated twice a year.
William Jackson is freelance writer and the author of the CyberEye blog.