http://www.gcn.com/online/vol1_no1/43141-1.html
By William Jackson
GCN Staff
02/16/07
The National Institute of Standards and Technology has published two new
interagency reports designed to help auditors, inspectors general and
senior management understand and evaluate information security programs.
NISTIR 7359 [1], titled Information Security Guide for Government
Executives, is an overview of IT security concepts that senior
management should grasp. NISTIR 7358 [2], titled Program Review for
Information Security Management Assistance (PRISMA), lays out a
standardized approach for measuring the maturity of an information
security program.
PRISMA is a methodology developed by NIST for reviewing complex
requirements and posture of a federal information security program. It
is intended for use by security personnel, as well as internal
reviewers, auditors and IGs. Tools laid out in NISTIR 7358 should help
identify program deficiencies, establish baselines, validate corrections
and provide supporting information for Federal Information Security
Management Act scorecards. It gives a maturity level in nine primary
topic areas:
* Information security management and cuilture
* Information security planning
* Security awareness, training and education
* Budget and resources
* Life cycle management
* Certification and accreditation
* Critical infrastructure protection
* Indicent and remergency response
* Security controls
PRISMA is based on the Software Software Engineering Institutes former
Capability Maturity Model and each topic area is rated in one of five
levels of maturity, with the fifth level being the highest:
1. Policies
2. Procedures
3. Implementation
4. Testing
5. Integration.
NISTIR 7359 is addressed to senior management, because studies have
shown that senior managements commitment to information security is the
most critical element in the success of an information security program.
Executives are responsible for establishing the program and setting its
goals, as well ensuring that resources are made available to fulfill
them.
The guide answers five basic questions about information security for
the senior level manager:
* Why do I need to invest in information security?
* Where do I need to focus my attention to accomplish critical
information security goals?
* What are the key activities in building an effective information
security program?
* What are the laws, regulations, standards and guidelines that I
need to understand to build an effective information security
program.
* Where can I learn more to help evaluate my program?
[1] http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf
[2] http://csrc.nist.gov/publications/nistir/ir7358/NISTIR-7358.pdf
______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss
This archive was generated by hypermail 2.1.3 : Mon Feb 19 2007 - 23:24:41 PST