Continuous Assurance Metrics

Draft NIST Interagency Report (NISTIR) 8212, ISCMA: An Information Security Continuous Monitoring Program Assessment

  • 1.  Draft NIST Interagency Report (NISTIR) 8212, ISCMA: An Information Security Continuous Monitoring Program Assessment

    Posted Oct 01, 2020 06:34:00 PM
    Hi All,

    Draft NIST Interagency Report (NISTIR) 8212, ISCMA: An Information Security Continuous Monitoring Program Assessment, provides an operational approach to the assessment of an organization's information security continuous monitoring (ISCM) program. The ISCM assessment (ISCMA) approach is consistent with the ISCM Program Assessment, as described in NIST SP 800-137A, Assessing ISCM Programs: Developing an ISCM Program Assessment. The ISCMA process proceeds according to the following five steps:

    1. Plan the approach
    2. Evaluate the elements
    3. Score the judgments
    4. Analyze the results
    5. Formulate actions

    Included with the ISCMA approach in this report is ISCMAx, a free, publicly available working implementation of ISCMA that can be tailored to fit the needs of the implementing organization. ISCMAx produces a detailed scorecard with associated graphical output and identifies conditions that may warrant further analysis. The ISCMAx tool is a Microsoft Excel application and can be used in the Windows operating system; it does not run on the Macintosh operating system. NISTIR 8212 provides complete instructions both for using ISCMAx as provided and for tailoring ISCMAx, if desired. For instructions on using the ISCMAx tool, refer to Sec. 3, 4, and 5 of Draft NISTIR 8212. A public comment period for this document is open through November 13, 2020. See the publication details for a copy of the draft publication, the ISCMAx tool (Recommended Judgment and Alternate Judgment, macro-enabled spreadsheet), and instructions for submitting comments, preferably using the comment template provided. For any questions, please contact [email protected]
    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------