[ISN] NIST releases info security documents

From: InfoSec News (alerts@private)
Date: Mon Feb 19 2007 - 23:15:30 PST


By William Jackson
GCN Staff

The National Institute of Standards and Technology has published two new 
interagency reports designed to help auditors, inspectors general and 
senior management understand and evaluate information security programs.

NISTIR 7359 [1], titled Information Security Guide for Government 
Executives, is an overview of IT security concepts that senior 
management should grasp. NISTIR 7358 [2], titled Program Review for 
Information Security Management Assistance (PRISMA), lays out a 
standardized approach for measuring the maturity of an information 
security program.

PRISMA is a methodology developed by NIST for reviewing complex 
requirements and posture of a federal information security program. It 
is intended for use by security personnel, as well as internal 
reviewers, auditors and IGs. Tools laid out in NISTIR 7358 should help 
identify program deficiencies, establish baselines, validate corrections 
and provide supporting information for Federal Information Security 
Management Act scorecards. It gives a maturity level in nine primary 
topic areas:

    * Information security management and cuilture
    * Information security planning
    * Security awareness, training and education
    * Budget and resources
    * Life cycle management
    * Certification and accreditation
    * Critical infrastructure protection
    * Indicent and remergency response
    * Security controls

PRISMA is based on the Software Software Engineering Institutes former 
Capability Maturity Model and each topic area is rated in one of five 
levels of maturity, with the fifth level being the highest:

   1. Policies
   2. Procedures
   3. Implementation
   4. Testing
   5. Integration.

NISTIR 7359 is addressed to senior management, because studies have 
shown that senior managements commitment to information security is the 
most critical element in the success of an information security program. 
Executives are responsible for establishing the program and setting its 
goals, as well ensuring that resources are made available to fulfill 

The guide answers five basic questions about information security for 
the senior level manager:

    * Why do I need to invest in information security?
    * Where do I need to focus my attention to accomplish critical 
      information security goals?
    * What are the key activities in building an effective information 
      security program?
    * What are the laws, regulations, standards and guidelines that I 
      need to understand to build an effective information security 
    * Where can I learn more to help evaluate my program?

[1] http://csrc.nist.gov/publications/nistir/ir7359/NISTIR-7359.pdf
[2] http://csrc.nist.gov/publications/nistir/ir7358/NISTIR-7358.pdf

Subscribe to the InfoSec News RSS Feed

This archive was generated by hypermail 2.1.3 : Mon Feb 19 2007 - 23:24:41 PST