Two new publications issued by the National Institute of Standards and Technology (NIST) will help senior executives, auditors and others in federal agencies better understand how to manage, support, and evaluate their information security programs.
Information Security Guide for Government Executives (NISTIR 7359) was developed specifically to help senior managers better understand how to oversee and support information security programs. According to the 14-page document, "senior management's commitment to information security initiatives is the single most critical element that impacts an information security program's success." The guide answers five key questions about information security for senior managers:
- Why do I need to invest in information security?
- Where do I need to focus my attention in accomplishing critical information security goals?
- What are the key activities to build an effective information security program?
- What are the information security laws, regulations, standards and guidance that I need to understand to build an effective information security program?
- Where can I learn more to assist me in evaluating the effectiveness of my information security program?
Program Review for Information Security Management Assistance (PRISMA) (NISTIR 7358) explains a standardized approach that organizations can use to review and measure the maturity of an information security program in nine areas. Eight of the areas focus on management and operation of the information security program and evaluate the agency's ability to comply with existing requirements. They include: information security management and culture; information security planning; security awareness training, and education; budget and resources; life cycle management; certification and accreditation; critical infrastructure protection; and incident and emergency response. The ninth area, security controls, reviews the technical aspects of the overall information security program.
Both publications are available at http://csrc.nist.gov/publications/nistir/index.html.