
NIST 7358 PRISMA Part I


In the last few months, we have covered various areas in managing cybersecurity during the pandemic. The last blog “Workplaces Considerations for Reopening During Pandemic” described challenges in reopening.

Reopening during the pandemic brings many employment-related challenges to a business. Health and safety will be the top priority. The Centers for Disease Control and Prevention (CDC), Occupational Safety and Health Administration (OSHA), and National Center for Immunization and Respiratory Diseases (NCIRD) publish guidance for businesses and employers on how to plan, prepare, and respond to COVID-19, how to manage worker exposure risk, and more.

In today’s blog, the e-InnoSec team moves back towards business as usual and focuses on one of the important areas that lets organizations manage their security work by considering risk and prioritization.

The team is using NIST Program Review for Information Security Management Assistance (PRISMA) methodology, a tool developed and implemented by NIST for reviewing the complex information security requirements and posture of a federal program or agency.

Management can generate risk-based priority for implementation of controls as well as corrective actions with the help of PRISMA control maturity level, NIST 800-53 Priority Code, and risk rating calculated using impact and likelihood.

What is PRISMA?

PRISMA is a maturity-based scorecard focusing on nine primary review Topic Areas (TAs) of information security. The output gives executive management a clear indication of the information security posture of the agency’s information security program, which can be used for executive decision-making. The structure of a PRISMA review is based upon the Software Engineering Institute’s (SEI) former Capability Maturity Model (CMM).

The model measures an organization’s developmental advancement by one of five maturity levels.

Maturity Levels

The levels are listed in increasing maturity as follows:

Maturity Level 1 Policies – Reviews the existence of documented policies
Maturity Level 2 Procedures – Reviews the existence of documented procedures
Maturity Level 3 Implementation – Reviews the implementation of the above
Maturity Level 4 Testing – Reviews the ‘testing’ of the implementation of the information security policies and procedures
Maturity Level 5 Integration – Reviews the program for ‘integration’ of the previous four maturity levels

PRISMA Review

A PRISMA review focuses on part or all of the strategic and technical aspects of an information security program. The review identifies the level of maturity of the information security program and the ability to comply with the requirements in topic areas.

Topic Areas

The nine topic areas are listed below:

1. Information Security Management and Culture
2. Information Security Planning
3. Security Awareness, Training, and Education
4. Budget and Resources
5. Life Cycle Management
6. Certification and Accreditation
7. Critical Infrastructure Protection
8. Incident and Emergency Response
9. Security Controls

Below is an overview of a process flow for a general PRISMA review:

Figure – General NIST 7358 PRISMA Review Process

Review Results

For each document criterion, the PRISMA review team member(s) determine whether the document is “compliant”, “partially compliant”, or “not compliant” when assessed against the PRISMA document criteria.
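As an added illustration (not from NISTIR 7358 or the e-InnoSec team), the following Python scorecard rolls the per-criterion “compliant” / “partially compliant” / “not compliant” ratings up into the maturity level reached by each topic area, and flags the first level where work remains. The cumulative-level rule (a level only counts when every criterion at it is compliant and all lower levels already count) and the program-level roll-up (weakest topic area) are assumptions made for this example, and the sample ratings are constructed.

```python
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Rating(Enum):  # the three outcomes the review team records per criterion
    COMPLIANT = "compliant"
    PARTIAL = "partially compliant"
    NOT = "not compliant"

# The five PRISMA maturity levels, in increasing order (from the post).
LEVELS = {1: "Policies", 2: "Procedures", 3: "Implementation", 4: "Testing", 5: "Integration"}

def topic_area_level(criteria: Dict[int, List[Rating]]) -> int:
    """Highest level achieved by one topic area (0 if policies are not in place).
    Assumed rule: a level counts only when every criterion at that level is
    compliant and all lower levels already count; an unassessed level stops."""
    achieved = 0
    for level in sorted(LEVELS):
        ratings = criteria.get(level, [])
        if not ratings or any(r is not Rating.COMPLIANT for r in ratings):
            break
        achieved = level
    return achieved

def next_gap(criteria: Dict[int, List[Rating]]) -> Optional[Tuple[int, str, int]]:
    """First level not achieved: (level, name, count of non-compliant criteria)."""
    achieved = topic_area_level(criteria)
    if achieved == max(LEVELS):
        return None
    level = achieved + 1
    shortfall = sum(1 for r in criteria.get(level, []) if r is not Rating.COMPLIANT)
    return level, LEVELS[level], shortfall

def scorecard(review: Dict[str, Dict[int, List[Rating]]]) -> Dict[str, int]:
    return {ta: topic_area_level(c) for ta, c in review.items()}

def program_level(review: Dict[str, Dict[int, List[Rating]]]) -> int:
    """Assumed roll-up: the program is only as mature as its weakest topic area."""
    card = scorecard(review)
    return min(card.values()) if card else 0

C, P, N = Rating.COMPLIANT, Rating.PARTIAL, Rating.NOT
# Constructed ratings for three of the nine topic areas (illustrative, not real review data).
SAMPLE_REVIEW = {
    "Security Awareness, Training, and Education": {1: [C, C], 2: [C], 3: [C, C], 4: [P], 5: [N]},
    "Incident and Emergency Response": {1: [C], 2: [C, P], 3: [N]},
    "Security Controls": {1: [C], 2: [C], 3: [C], 4: [C], 5: [C]},
}
```

Running `scorecard(SAMPLE_REVIEW)` rates the three areas at levels 3, 1 and 5, and `next_gap` points the incident-response area at its one partially compliant procedure criterion.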

In Part II we will discuss how to use the PRISMA control maturity level, the NIST 800-53 Priority Code, and a risk rating calculated from impact and likelihood to generate a risk-based priority for implementing controls.
