In the last few months, we have covered various areas in managing cybersecurity during the pandemic. The last blog “Workplaces Considerations for Reopening During Pandemic” described challenges in reopening.
Reopening during the pandemic brings many employment-related challenges for businesses, and health and safety will be their top priority. The Centers for Disease Control and Prevention (CDC), the Occupational Safety and Health Administration (OSHA), and the National Center for Immunization and Respiratory Diseases (NCIRD) have published guidance for businesses and employers on how to plan, prepare, and respond to COVID-19, how to manage worker exposure risk, and related topics.
In today’s blog, the e-InnoSec team turns towards business as usual and focuses on one of the important areas that lets organizations manage security work by considering risk and prioritization.
The team is using the NIST Program Review for Information Security Management Assistance (PRISMA) methodology, a tool developed and implemented by NIST for reviewing the complex information security requirements and posture of a federal program or agency.
Management can generate risk-based priorities for implementing controls and corrective actions using the PRISMA control maturity level, the NIST 800-53 Priority Code, and a risk rating calculated from impact and likelihood.
What is PRISMA?
PRISMA is a maturity-based scorecard focusing on nine primary review Topic Areas (TAs) of information security. The output gives executive management a clear indication of the information security posture of the agency’s information security program, which can be used for executive decision-making. The structure of a PRISMA review is based upon the Software Engineering Institute’s (SEI) former Capability Maturity Model (CMM), which measures an organization’s developmental advancement by one of five maturity levels.
The levels are listed in increasing maturity as follows:
| Maturity Level | What the review checks |
|---|---|
| Level 1: Policies | Reviews the existence of documented policies |
| Level 2: Procedures | Reviews the existence of documented procedures |
| Level 3: Implementation | Reviews the implementation of the above |
| Level 4: Testing | Reviews the ‘testing’ of the implementation of the information security policies and procedures |
| Level 5: Integration | Reviews the program for ‘integration’ of the previous four maturity levels |
A PRISMA review focuses on part or all of the strategic and technical aspects of an information security program. The review identifies the level of maturity of the information security program and the ability to comply with the requirements in topic areas.
The nine topic areas are listed below:
1. Information Security Management and Culture
2. Information Security Planning
3. Security Awareness, Training, and Education
4. Budget and Resources
5. Life Cycle Management
6. Certification and Accreditation
7. Critical Infrastructure Protection
8. Incident and Emergency Response
9. Security Controls
Below is an overview of a process flow for a general PRISMA review:
Figure – General NIST 7358 PRISMA Review Process
The PRISMA Review Team member(s) determine whether each document is “compliant”, “partially compliant”, or “not compliant” when assessed against the PRISMA document criteria.
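As an added example, not code from the post or from NIST, the script below combines the per-level compliance ratings just described with the five maturity levels, and the impact × likelihood risk rating mentioned earlier, to order topic areas for corrective action. It assumes that maturity is cumulative (a level counts only if it and every lower level is fully compliant) and that impact and likelihood are scored on a 1-5 scale; the sample assessment is constructed.

```python
# PRISMA maturity levels in increasing order, as listed in the post.
LEVELS = ["Policies", "Procedures", "Implementation", "Testing", "Integration"]
COMPLIANT, PARTIAL, NOT = "compliant", "partially compliant", "not compliant"


def maturity_level(ratings: dict) -> int:
    """Return the maturity level (0-5) reached by one topic area.

    Assumption: levels are cumulative, so a level counts only when it and
    every lower level were rated fully compliant. A partial or missing rating
    stops the climb at the previous level.
    """
    level = 0
    for name in LEVELS:
        if ratings.get(name, NOT) != COMPLIANT:
            break
        level += 1
    return level


def risk_rating(impact: int, likelihood: int) -> int:
    """Risk rating = impact x likelihood; the 1-5 scale is an assumption."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be between 1 and 5")
    return impact * likelihood


def prioritize(topic_areas: list) -> list:
    """Order topic areas: highest risk first, then lowest maturity, then name."""
    scored = [(ta["name"], maturity_level(ta["ratings"]),
               risk_rating(ta["impact"], ta["likelihood"])) for ta in topic_areas]
    return sorted(scored, key=lambda s: (-s[2], s[1], s[0]))


# Constructed sample assessment covering three of the nine topic areas.
SAMPLE = [
    {"name": "Security Awareness, Training, and Education",
     "ratings": {"Policies": COMPLIANT, "Procedures": COMPLIANT, "Implementation": PARTIAL},
     "impact": 3, "likelihood": 4},
    {"name": "Incident and Emergency Response",
     "ratings": {"Policies": COMPLIANT, "Procedures": PARTIAL},
     "impact": 5, "likelihood": 3},
    {"name": "Budget and Resources",
     "ratings": {"Policies": COMPLIANT, "Procedures": COMPLIANT, "Implementation": COMPLIANT,
                 "Testing": COMPLIANT, "Integration": NOT},
     "impact": 2, "likelihood": 2},
]

if __name__ == "__main__":
    for name, level, risk in prioritize(SAMPLE):
        print(f"{name:45s} maturity={level} risk={risk}")
```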
In part II we will discuss how to use the PRISMA control maturity level, the NIST 800-53 Priority Code, and a risk rating calculated from impact and likelihood to generate a risk-based priority for implementing controls.