NIST gives agencies tool to assess IT security programs

NIST gives agencies tool to assess IT security programs
NIST gives agencies tool to assess IT security programs 

By William Jackson

The National Institute of Standards and Technology has released a 
database to help agencies collect data needed to assess IT security 
programs and produce reports for action plans.

The PRISMA database, which can be downloaded at, 
is part of the Program Review for Information Security Management 
Assistance, a tool developed by NIST for reviewing the complex 
information security requirements and posture of federal information 
security programs. It brings together guidelines from NIST publications, 
federal standards, best practices and requirements in the Federal 
Information Security Management Act.

PRISMA provides a framework for an independent in-house review of the 
maturity of an agencys info security program. It requires documentation 
of security policies, procedures and implemented controls as well as a 
review of the agencys organizational structure, culture and business 
mission. After the assessment, the PRISMA team identifies issues and 
develops a weighted list of corrective actions that will provide the 
greatest improvements in the most cost-effective manner.

The PRISMA framework was released in January in NIST Interagency Report 
7358. The database was made available in April. The database is in 
Microsoft Access 2003 and can help generate a report in Microsoft Word. 
The current database is populated with sample information to illustrate 
the functionality and should be cleared when performing the review.

If you are having trouble finding the guidelines or standards you need 
while doing your IT security assessment, NIST has also released a Guide 
to NIST Computer Security Documents, a PDF file that indexes more than 
250 publications issued by the NIST Computer Security Division.

The Computer Security Division publications fall into four families:
* Federal Information Processing Standards, detailing standards and 
  guidelines adopted under the FISMA.
* Special Publication 800-series, which report the results of research 
  and guidelines developed by the Information Technology Laboratory.
* ITL Bulletins, which give in-depth insight into significant topics.
* NIST interagency reports on topics of more limited or transitory 

In addition to listings by these families, publications also are listed 
by topic cluster and legal requirements. The guide will be updated twice 
a year.

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods