Assessing implemented security controls

The goal of assessing the implemented security controls is to verify that the controls agreed upon during design were actually built into the information system and that they work as intended.

In order to properly assess the information system's security controls, ask whether each control is:

  • Implemented as expected: Is the agreed-upon security control design present in the production information system?
  • Operating appropriately: Does the control provide the required security functionality without negatively impacting the production system?

Testing security controls should be a formalized procedure within your organization. Security control implementation can be very complicated, and there is typically a large number of requirements to implement. Without a formalized plan, it is very difficult to test newly implemented security controls adequately and completely: testing becomes ad hoc, and you run the risk of missing important details.

The key activities that are part of the security control assessment phase are as follows:

  • Develop a security control assessment plan: A specific plan should be developed that addresses how you will conduct the assessment, including:
    • What requirements will be tested?
    • What procedures will be used to conduct the tests?
    • What tools will be used to conduct testing?
  • Execute the security control assessment plan: Execute the previously developed plan against the production information system.
  • Develop the security assessment report: Based on the findings from executing the assessment plan, document the following:
    • Weaknesses: Specific security-related issues that adversely affect the overall security posture of the information system
    • Recommendations: Information that guides the subject matter expert in mitigating each weakness
  • Remediate and reassess weaknesses: Mitigate weaknesses based on the security assessment report. Reassess after a weakness has been mitigated to ensure that the issue has been closed.
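The plan-execute-report-reassess cycle above can be written down as code, which is what keeps it from becoming ad hoc: each requirement is paired with the procedure that tests it, every run produces the weakness/recommendation pairs for the report, and the same procedures are re-run after remediation to confirm each finding is actually closed. The following is an added example and is not from the original text or from NIST; the control identifiers (AC-SSH-1 and so on), the 90-day dormancy threshold, and the sshd_config excerpt and account list used as evidence are all constructed for the example.

```python
"""Data-driven security control assessment: plan -> execute -> report -> reassess.
All control identifiers, requirement wording, thresholds and evidence in this file
are constructed for the example; none of it comes from NIST or from the text."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A failed procedure returns (weakness, recommendation); None means the control passed.
Verdict = Optional[Tuple[str, str]]


@dataclass
class Control:
    control_id: str                       # hypothetical identifier for the requirement
    requirement: str                      # what requirement is being tested
    procedure: Callable[[dict], Verdict]  # what procedure tests it, against collected evidence


@dataclass
class Finding:
    control_id: str
    weakness: str
    recommendation: str


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Keyword -> value (keywords lower-cased). sshd honours the first occurrence
    of a keyword, so earlier lines win; comments and blank lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_root_login(evidence: dict) -> Verdict:
    value = parse_sshd_config(evidence["sshd_config"]).get("permitrootlogin", "<unset>")
    if value.lower() == "no":
        return None
    return (f"PermitRootLogin is '{value}', not 'no'",
            "Set 'PermitRootLogin no' in sshd_config and reload sshd")


def check_password_auth(evidence: dict) -> Verdict:
    # OpenSSH treats a missing PasswordAuthentication directive as "yes".
    value = parse_sshd_config(evidence["sshd_config"]).get("passwordauthentication", "yes")
    if value.lower() == "no":
        return None
    return (f"PasswordAuthentication is '{value}'; key-based authentication is not enforced",
            "Set 'PasswordAuthentication no' once every user has a key installed")


DORMANT_DAYS = 90  # assumed organizational threshold


def check_dormant_accounts(evidence: dict) -> Verdict:
    dormant = [a["user"] for a in evidence["accounts"]
               if a["enabled"] and a["last_login_days"] > DORMANT_DAYS]
    if not dormant:
        return None
    return (f"Enabled accounts unused for more than {DORMANT_DAYS} days: {', '.join(dormant)}",
            "Disable the listed accounts and confirm with their owners before removal")


# The assessment plan: which requirements are tested, and by which procedure.
ASSESSMENT_PLAN: List[Control] = [
    Control("AC-SSH-1", "Remote root login over SSH is disabled", check_root_login),
    Control("IA-SSH-2", "SSH requires public-key authentication", check_password_auth),
    Control("AC-ACCT-3", "No enabled account is dormant", check_dormant_accounts),
]


def execute_plan(plan: List[Control], evidence: dict) -> List[Finding]:
    """Run every procedure in the plan; the findings are the report's weaknesses."""
    findings = []
    for control in plan:
        verdict = control.procedure(evidence)
        if verdict is not None:
            findings.append(Finding(control.control_id, *verdict))
    return findings


def reassess(plan: List[Control], evidence: dict,
             prior: List[Finding]) -> Tuple[List[str], List[str]]:
    """Re-run only the controls that previously failed; return (closed, still_open)."""
    by_id = {c.control_id: c for c in plan}
    still_open = sorted(f.control_id for f in prior
                        if by_id[f.control_id].procedure(evidence) is not None)
    closed = sorted({f.control_id for f in prior} - set(still_open))
    return closed, still_open


# Constructed evidence "collected" from the system before and after remediation.
EVIDENCE_BEFORE = {
    "sshd_config": "Port 22\nPermitRootLogin yes\n# PasswordAuthentication no\n",
    "accounts": [
        {"user": "svc_backup", "last_login_days": 400, "enabled": True},
        {"user": "alice", "last_login_days": 3, "enabled": True},
        {"user": "bob", "last_login_days": 120, "enabled": True},
    ],
}
EVIDENCE_AFTER = {
    "sshd_config": "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
    "accounts": [
        {"user": "svc_backup", "last_login_days": 400, "enabled": False},
        {"user": "alice", "last_login_days": 4, "enabled": True},
        {"user": "bob", "last_login_days": 121, "enabled": True},  # missed during remediation
    ],
}

if __name__ == "__main__":
    findings = execute_plan(ASSESSMENT_PLAN, EVIDENCE_BEFORE)
    for f in findings:
        print(f"[{f.control_id}] WEAKNESS: {f.weakness}\n    RECOMMENDATION: {f.recommendation}")
    print("closed:", *reassess(ASSESSMENT_PLAN, EVIDENCE_AFTER, findings)[0])
    print("still open:", *reassess(ASSESSMENT_PLAN, EVIDENCE_AFTER, findings)[1])
```

Two details are deliberate: the commented-out `PasswordAuthentication no` line in the "before" evidence is ignored by the parser, so the control correctly fails on OpenSSH's default of `yes`; and the reassessment shows one finding staying open because only one of the two dormant accounts was disabled, which is exactly the case the reassessment step exists to catch.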

NIST Special Publication 800-37 Revision 1 provides further guidance on the topic of security control assessment at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r1.pdf, and NIST Special Publication 800-53A provides the assessment procedures for individual controls.
