NIST 7358 PRISMA Part I

In the last few months, we have covered various areas in managing cybersecurity during the pandemic. The last blog “Workplaces Considerations for Reopening During Pandemic” described challenges in reopening.

Reopening during the pandemic brings many employment-related challenges to a business, and health and safety will be the top priority. The Centers for Disease Control and Prevention (CDC), the Occupational Safety and Health Administration (OSHA), and the National Center for Immunization and Respiratory Diseases (NCIRD) publish guidance for businesses and employers on how to plan, prepare, and respond to COVID-19, how to manage worker exposure risk, and related topics.

In today’s blog, the e-InnoSec team is moving towards business as usual and focusing on one of the important areas that will allow organizations to manage the work by considering risks and prioritization.

The team is using the NIST Program Review for Information Security Management Assistance (PRISMA) methodology, documented in NISTIR 7358. PRISMA is a tool developed and implemented by NIST for reviewing the complex information security requirements and posture of a federal program or agency.

Management can generate a risk-based priority for implementing controls and corrective actions by combining three inputs: the PRISMA maturity level of each control area, the NIST SP 800-53 Priority Code of the control, and a risk rating calculated from impact and likelihood.

What is PRISMA?

PRISMA is a maturity-based scorecard focusing on nine primary review Topic Areas (TAs) of information security. The output gives executive management a clear indication of the information security posture of the agency's information security program, which can be used for executive decision-making. The structure of a PRISMA Review is based upon the Software Engineering Institute's (SEI) former Capability Maturity Model (CMM).

The model measures an organization’s developmental advancement by one of five maturity levels.

Maturity Levels

The levels are listed in increasing maturity as follows:

Maturity Level 1 – Policies: reviews the existence of documented policies
Maturity Level 2 – Procedures: reviews the existence of documented procedures
Maturity Level 3 – Implementation: reviews the implementation of the documented policies and procedures
Maturity Level 4 – Testing: reviews the testing of the implemented information security policies and procedures
Maturity Level 5 – Integration: reviews the program for integration of the previous four maturity levels

PRISMA Review

A PRISMA review focuses on part or all of the strategic and technical aspects of an information security program. The review identifies the level of maturity of the information security program and the ability to comply with the requirements in topic areas.

Topic Areas

The nine topic areas are listed below:

1. Information Security Management and Culture
2. Information Security Planning
3. Security Awareness, Training, and Education
4. Budget and Resources
5. Life Cycle Management
6. Certification and Accreditation
7. Critical Infrastructure Protection
8. Incident and Emergency Response
9. Security Controls

Below is an overview of a process flow for a general PRISMA review:

Figure – General NIST 7358 PRISMA Review Process

Review Results

For each PRISMA document criterion, the PRISMA Review Team member(s) determine whether the supporting document is "compliant", "partially compliant", or "not compliant" when assessed against that criterion. Because each maturity level builds on the one below it, a gap found at a lower level (for example, a missing procedure at Level 2) limits the maturity the topic area can be credited with, regardless of what is found at higher levels.
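To show how the per-criterion determinations roll up into a maturity score, here is a small scorecard calculator. It is an added illustration written for this post, not NIST's PRISMA tooling, and it assumes one rule that NISTIR 7358 leaves to the reviewer's scoring guidance: levels are cumulative, so a topic area attains Level N only when every criterion at Level N and at every lower level is "compliant". The topic areas, level names, findings and criterion text below are constructed sample data, not results from any real review.

```python
"""Illustrative PRISMA-style maturity scorecard (added example, not NIST's tool).

Assumption (ours, not stated in NISTIR 7358 itself): maturity is cumulative.
A Topic Area (TA) attains level N only when every criterion at level N and at
all lower levels is "compliant"; any "partially compliant" or "not compliant"
finding at level N caps the TA at N-1, whatever higher levels show.
"""
from dataclasses import dataclass
from typing import Dict, List

# The nine PRISMA Topic Areas named in the post.
TOPIC_AREAS = [
    "Information Security Management and Culture",
    "Information Security Planning",
    "Security Awareness, Training, and Education",
    "Budget and Resources",
    "Life Cycle Management",
    "Certification and Accreditation",
    "Critical Infrastructure Protection",
    "Incident and Emergency Response",
    "Security Controls",
]

MATURITY_LEVELS = {1: "Policies", 2: "Procedures", 3: "Implementation",
                   4: "Testing", 5: "Integration"}
STATUSES = {"compliant", "partially compliant", "not compliant"}


@dataclass(frozen=True)
class Finding:
    """One reviewer determination against one document criterion."""
    topic_area: str
    level: int        # 1..5
    criterion: str    # abbreviated criterion text (constructed for this example)
    status: str       # one of STATUSES


def _validate(f: Finding) -> None:
    if f.topic_area not in TOPIC_AREAS:
        raise ValueError(f"unknown topic area {f.topic_area!r}")
    if f.level not in MATURITY_LEVELS:
        raise ValueError(f"unknown maturity level {f.level}")
    if f.status not in STATUSES:
        raise ValueError(f"unknown status {f.status!r}")


def attained_level(findings: List[Finding]) -> int:
    """Highest cumulative maturity level supported by the findings for one TA."""
    by_level: Dict[int, List[Finding]] = {}
    for f in findings:
        _validate(f)
        by_level.setdefault(f.level, []).append(f)
    level = 0
    for lvl in sorted(MATURITY_LEVELS):
        criteria = by_level.get(lvl)
        if not criteria:            # nothing reviewed at this level: no credit above it
            break
        if all(f.status == "compliant" for f in criteria):
            level = lvl
        else:
            break                   # a gap here caps the TA even if level 4 looks good
    return level


def scorecard(findings: List[Finding]) -> Dict[str, int]:
    """Attained level for every TA; TAs with no findings score 0."""
    grouped: Dict[str, List[Finding]] = {ta: [] for ta in TOPIC_AREAS}
    for f in findings:
        _validate(f)
        grouped[f.topic_area].append(f)
    return {ta: attained_level(fs) for ta, fs in grouped.items()}


def blocking_findings(findings: List[Finding], topic_area: str) -> List[str]:
    """Criteria at the next level that are not yet compliant: the corrective-action list."""
    ta_findings = [f for f in findings if f.topic_area == topic_area]
    next_level = attained_level(ta_findings) + 1
    return [f.criterion for f in ta_findings
            if f.level == next_level and f.status != "compliant"]


# Constructed sample findings for two TAs (not from any real review).
SAMPLE_FINDINGS = [
    Finding("Incident and Emergency Response", 1, "IR policy documented", "compliant"),
    Finding("Incident and Emergency Response", 2, "IR procedures documented", "compliant"),
    Finding("Incident and Emergency Response", 3,
            "IR procedures implemented on all systems", "partially compliant"),
    Finding("Incident and Emergency Response", 4, "IR plan exercised annually", "compliant"),
    Finding("Security Controls", 1, "Control policy documented", "compliant"),
    Finding("Security Controls", 2, "Control procedures documented", "not compliant"),
]

if __name__ == "__main__":
    for ta, lvl in scorecard(SAMPLE_FINDINGS).items():
        name = MATURITY_LEVELS.get(lvl, "none")
        print(f"{ta:<45} level {lvl} ({name}); blocking: "
              f"{blocking_findings(SAMPLE_FINDINGS, ta)}")
```

Note that Incident and Emergency Response is scored at Level 2 even though its Level 4 testing criterion is compliant: the partially compliant implementation finding at Level 3 is what the corrective-action list surfaces, which is the kind of gap the Part II prioritization will need to rank.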

In Part II we will discuss how to use the PRISMA control maturity level, the NIST SP 800-53 Priority Code, and a risk rating calculated from impact and likelihood to generate a risk-based priority for implementing controls. One caveat for readers working from the newest baseline: the P0 to P3 priority codes are part of SP 800-53 Revision 4, and Revision 5 removed them, so a review that baselines on Revision 5 needs another source for that input.
