By William Jackson
The National Institute of Standards and Technology has released a
database to help agencies collect data needed to assess IT security
programs and produce reports for action plans.
The PRISMA database, which can be downloaded at http://prisma.nist.gov,
is part of the Program Review for Information Security Management
Assistance, a tool developed by NIST for reviewing the complex
information security requirements and posture of federal information
security programs. It brings together guidelines from NIST publications,
federal standards, best practices and requirements in the Federal
Information Security Management Act.
PRISMA provides a framework for an independent in-house review of the
maturity of an agencys info security program. It requires documentation
of security policies, procedures and implemented controls as well as a
review of the agencys organizational structure, culture and business
mission. After the assessment, the PRISMA team identifies issues and
develops a weighted list of corrective actions that will provide the
greatest improvements in the most cost-effective manner.
The PRISMA framework was released in January in NIST Interagency Report
7358. The database was made available in April. The database is in
Microsoft Access 2003 and can help generate a report in Microsoft Word.
The current database is populated with sample information to illustrate
the functionality and should be cleared when performing the review.
If you are having trouble finding the guidelines or standards you need
while doing your IT security assessment, NIST has also released a Guide
to NIST Computer Security Documents, a PDF file that indexes more than
250 publications issued by the NIST Computer Security Division.
The Computer Security Division publications fall into four families:
* Federal Information Processing Standards, detailing standards and
guidelines adopted under the FISMA.
* Special Publication 800-series, which report the results of research
and guidelines developed by the Information Technology Laboratory.
* ITL Bulletins, which give in-depth insight into significant topics.
* NIST interagency reports on topics of more limited or transitory
In addition to listings by these families, publications also are listed
by topic cluster and legal requirements. The guide will be updated twice
Subscribe to InfoSec News