NIST 7358 PRISMA Part I

Charu Pel


Direct answer: NIST PRISMA (Program Review for Information Security Management Assistance) is a maturity-based review methodology used to assess information security program posture and help management prioritize controls and corrective actions based on risk.

In the last few months, we have covered various areas in managing cybersecurity during the pandemic. The last blog "Workplaces Considerations for Reopening During Pandemic" described challenges in reopening.

Reopening during the pandemic means many employment-related challenges to business. Health and safety will be the top priority for businesses. The Centers for Disease Control and Prevention (CDC), Occupational Safety and Health Administration (OSHA), and National Center for Immunization and Respiratory Diseases (NCIRD) have guidance for businesses and employers on how to plan, prepare, and respond to COVID-19, how to manage worker exposure risk, etc.

In today's blog, the e-InnoSec team is moving towards business as usual and focusing on one important area that allows organizations to manage work by considering risk and prioritization.

The team is using NIST Program Review for Information Security Management Assistance (PRISMA) methodology, a tool developed and implemented by NIST for reviewing the complex information security requirements and posture of a federal program or agency.

Management can generate risk-based priority for implementation of controls as well as corrective actions with the help of PRISMA control maturity level, NIST 800-53 Priority Code, and risk rating calculated using impact and likelihood.

What is PRISMA and why is it used?

PRISMA is a maturity-based scorecard focusing on nine primary review Topic Areas (TAs) of information security. The output provides executive management a clear indication of the information security posture of the agency's information security program, which can be used for executive decision-making. The structure of a PRISMA review is based upon the Software Engineering Institute's (SEI) former Capability Maturity Model (CMM).

The model measures an organization's developmental advancement by one of five maturity levels.

What are the five PRISMA maturity levels?

The levels are listed in increasing maturity as follows:

  • Maturity Level 1, Policies: reviews the existence of documented policies
  • Maturity Level 2, Procedures: reviews the existence of documented procedures
  • Maturity Level 3, Implementation: reviews the implementation of the above policies and procedures
  • Maturity Level 4, Testing: reviews the 'testing' of the implementation of the information security policies and procedures
  • Maturity Level 5, Integration: reviews the program for 'integration' of the previous four maturity levels

What does a PRISMA review assess?

A PRISMA review focuses on part or all of the strategic and technical aspects of an information security program. The review identifies the level of maturity of the information security program and the ability to comply with the requirements in topic areas.

What are the nine PRISMA topic areas?

The nine topic areas are:

  • Information Security Management and Culture
  • Information Security Planning
  • Security Awareness, Training, and Education
  • Budget and Resources
  • Life Cycle Management
  • Certification and Accreditation
  • Critical Infrastructure Protection
  • Incident and Emergency Response
  • Security Controls

Below is an overview of a process flow for a general PRISMA review:

Figure - General NIST 7358 PRISMA Review Process

How are PRISMA review results classified?

The PRISMA Review Team member(s) determines whether the document is "compliant", "partially compliant", or "not compliant" when assessed against the PRISMA document criteria.
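The five maturity levels and the three compliance classifications above can be combined into a simple scorecard. The following is an added example, not code from this post or from NIST, and it assumes roll-up rules the post does not state: a level is only as compliant as its weakest criterion, a topic area reaches a level only when that level and every lower level are fully compliant, and the program is rated at its weakest topic area.

```python
# Added example: a minimal PRISMA-style maturity scorecard, not code from the post
# or from NIST. Assumed roll-up rules (not stated in the post): a level is only as
# compliant as its weakest criterion, a topic area reaches a level only when it and
# every lower level are fully compliant, and the program is rated at its weakest area.
from enum import IntEnum

class Compliance(IntEnum):  # the three PRISMA classifications; min() picks the weakest
    NOT_COMPLIANT = 0
    PARTIALLY_COMPLIANT = 1
    COMPLIANT = 2

# The five maturity levels in increasing order, as listed in the post.
LEVELS = ("Policies", "Procedures", "Implementation", "Testing", "Integration")

def level_status(results):
    """Weakest criterion decides the level; no reviewed evidence means not compliant."""
    return min(results) if results else Compliance.NOT_COMPLIANT

def maturity_level(area):
    """Highest level reached (0-5): a gap at any level caps everything above it."""
    reached = 0
    for name in LEVELS:
        if level_status(area.get(name, [])) != Compliance.COMPLIANT:
            break
        reached += 1
    return reached

def first_gap(area):
    """Lowest level not fully compliant (None at level 5): the corrective action to prioritize first."""
    reached = maturity_level(area)
    return LEVELS[reached] if reached < len(LEVELS) else None

def program_maturity(scorecard):
    """The weakest topic area sets the program's maturity level."""
    return min(maturity_level(area) for area in scorecard.values())

C, P, N = Compliance.COMPLIANT, Compliance.PARTIALLY_COMPLIANT, Compliance.NOT_COMPLIANT
# Constructed sample data, not the results of a real review. Awareness has incomplete
# procedures, so its fully implemented controls cannot lift it above level 1.
SAMPLE = {
    "Incident and Emergency Response": {"Policies": [C, C], "Procedures": [C, C, C],
                                        "Implementation": [C, P], "Testing": [N]},
    "Security Awareness, Training, and Education": {"Policies": [C], "Procedures": [P],
                                                    "Implementation": [C, C]},
}

if __name__ == "__main__":
    for area, levels in SAMPLE.items():
        print(f"{area}: level {maturity_level(levels)}, next gap: {first_gap(levels)}")
    print("program maturity level:", program_maturity(SAMPLE))
```

Running it rates Incident and Emergency Response at level 2 with Implementation as the next gap, Security Awareness at level 1 with Procedures as the next gap, and the program at level 1.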

In Part II we will discuss how to use the PRISMA control maturity level, the NIST 800-53 Priority Code, and a risk rating calculated from impact and likelihood to generate a risk-based priority for the implementation of controls.

Key Takeaways

  • PRISMA is a maturity-based method for evaluating information security program posture.
  • The model uses five maturity levels: Policies, Procedures, Implementation, Testing, and Integration.
  • PRISMA reviews can cover strategic and technical dimensions of a security program.
  • Results are used to classify compliance status and support risk-based control prioritization.
