Program Review for Information Security Management Assistance (PRISMA)

The Program Review for Information Security Management Assistance (PRISMA) includes many review options and incorporates guidelines contained in Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The PRISMA is based upon existing federal directives including Federal Information Security Management Act (FISMA), NIST guidelines and other proven techniques and recognized best practices in the area of information security.

PRISMA has three primary objectives:

• To assist agencies in improving their information security programs
• To support Critical Infrastructure Protection (CIP) Planning
• To facilitate exchange of effective security practices within the federal community

PRISMA provides an independent review of the maturity of an agency's information security program. The review is based upon a combination of proven techniques and best practices and results in an action plan that provides a federal agency with a business case-based roadmap to cost-effectively enhance the protection of their information system assets. The PRISMA review, which is not an audit or an inspection, begins with an assessment of the maturity of the agency's information security program. This includes the agency's information security policies, procedures, and security controls implementation and integration across all business areas. The PRISMA team performs a comparable review of the agency's organizational structure, culture, and business mission. After the assessment is performed, the PRISMA team documents issues identified during the assessment phase and provides corrective actions associated with each issue. These corrective actions are then provided as a prioritized action plan for the agency to use to improve their information security program. The resulting action plan is weighted to provide the agency the greatest improvements, the most cost-effectively. The corrective actions the PRISMA team identifies include the time frame for implementation and the projected resource impact. The action plan can readily be used to develop scopes of work for quick "bootstrapping" of the information security program.

PRISMA focuses on nine primary review areas, each of which were derived from FISMA requirements and guidelines found in SP 800-53. Agencies may choose one of two pre-defined review options.