The security assessment policy establishes rules for how the organization will conduct information security testing on a new information system or information system components. This policy also establishes the rules for how information security continuous monitoring and reporting will be established for the organization.

What the security assessment policy should address:

• The periodic assessment of security controls in organizational information systems to determine if the controls are effective in their application
• The development and implementation of plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems
• The authorization to operational and organizational information systems and any associated information system connections by management
• The monitoring of information system security controls on an ongoing basis to ensure the continued effectiveness of the controls