Security Architecture

MIS 5214 - Section 001 - David Lanter
MIS 5214.005 ■ Spring 2021 ■ Wade Mackey
NIST 800 53Ar4 Assessing Security and Privacy Controls for Federal Info and Info Sys

January 30, 2020 by Wade Mackey 22 Comments

Filed Under: 04 - Cryptography

Comments

  1. Percy Jacob Rwandarugali says

    February 1, 2020 at 8:15 am

    The special sections in this document were the clearly defined guidelines on how to prepare for assessments; for instance, there were different sets of preparations for both organizations and assessors. These guidelines are detailed enough to help you conduct a standard security assessment. For example, below is a brief Assessor Preparation plan: establish appropriate organizational points of contact; understand the organization’s mission, functions, and business processes; understand the information system structure (i.e., system architecture); understand the security and privacy controls selected for assessment and the relevant NIST standards and guidelines; develop the assessment plan; and lastly, obtain artifacts for the assessment.

    • Alexander Reichart-Anderson says

      February 4, 2020 at 11:57 am

      Hi Percy, it’s nice hearing from you. One of the most important processes that an organization can go through is the heuristic review of their systems and processes/controls. By supplying the basic details and structure of a security assessment, we are exposed to the ‘rubric’ that we will be graded on. By knowing this, we can be proactive in ensuring the security of our data, people, and systems.

  2. Numneung Koedkietpong says

    February 1, 2020 at 9:28 am

    NIST 800-53A revision 4 (Assessing Security and Privacy Controls in Federal Information Systems and Organizations) provides guidelines for building effective security assessment plans. One key point that I took from it is the control assessment process. It is important to understand the process of how to assess the controls according to SP 800-53 in order to gain assurance. The organization should prepare an assessment plan first. Then, the plan should be reviewed, approved, assessed, and reported, respectively.

    • Natalie Dorely says

      February 3, 2020 at 4:00 pm

      Hi Numneung,

      I completely agree that it’s important for an organization to understand the process of how to assess the controls. Referencing SP 800-53, as you mentioned, is crucial to knowing how to assess a control.

      Best,
      Natalie Dorely

  3. Zeynep Sahin says

    February 1, 2020 at 12:47 pm

    This publication can be used as a companion guideline to NIST SP 800-53. NIST SP 800-53 helps to determine what controls are required to manage risks while NIST SP 800-53A explains how to build risk assessment plans. In other words, NIST SP 800-53 handles Risk Management Framework’s Step 2, security and privacy control selection; NIST SP 800-53A handles RMF Step 4, Assess, and RMF Step 6, Monitor.

    • Innocent says

      February 3, 2020 at 11:21 pm

      Hi Zeynep, your points are very good. It is important for us to master the basic concepts associated with security and privacy control assessments, which include: integration of assessments into the system development life cycle, developing an organization-wide strategy for conducting security and privacy control assessments, building effective assurance cases to help increase confidence in the effectiveness of the security and privacy controls being assessed, and enriching the content of assessment procedures.

  4. Akshay Shendarkar says

    February 1, 2020 at 7:54 pm

    This NIST document provides guidelines for building effective security assessment plans and privacy assessment plans, and also provides a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.
    The use of Special Publication 800-53A as a starting point in the process of defining procedures for assessing the security and privacy controls in information systems and organizations promotes a consistent level of security and privacy and offers the needed flexibility to customize the assessment based on organizational policies and requirements as well as known threat and vulnerability information, operational considerations, information system and platform dependencies, and tolerance for risk.
    The key takeaway for me from this document was the importance of security assessments during the system development life cycle. Security and privacy assessments at this stage ensure that the required security and privacy controls for the system are properly designed and developed, correctly implemented, and consistent with the established organizational information security architecture before the system enters the operations and maintenance phase. This aids in resolving security- and privacy-related issues more quickly and in a much more cost-effective manner before proceeding to subsequent phases in the life cycle. This document also provides procedures for ongoing assessment and monitoring of security controls and privacy controls.

  5. Imran Jordan Kharabsheh says

    February 2, 2020 at 2:26 pm

    Through reading the NIST 800-53A publication titled “Assessing Security and Privacy Controls for Federal Information Systems and Organizations”, I’ve learned a significant amount about the strategies that organizations employ for conducting control assessments. Among the more critical things that organizations and users must note is the necessity of applying the risk management framework to all of the organization’s information systems, as well as the “organizational view of the security categorization process”. It is also important to note that the security and privacy control selection process is also performed early on in order to help ensure that the organization’s information systems are appropriately categorized according to their business objectives.

    • Christopher James Lukens says

      February 3, 2020 at 10:46 pm

      Imran,
      I had similar thoughts while reading. I also felt how much this whole process reflects back upon how well your initial data categorization and risk assessment are done. A good categorization assessment will make crafting the system security plan more efficient and accurate.

  6. Christopher James Lukens says

    February 2, 2020 at 3:37 pm

    NIST SP 800-53A is a document that focuses on assessing the controls that were selected from NIST SP 800-53. The goal of this document is to provide a framework to build procedures to assess and verify that implemented security and privacy controls are meeting stated goals and objectives. After doing an assessment based on the guidance of 53A, you should come away with evidence of the effectiveness of implemented controls, an idea of the quality of the risk assessment process done by the organization, and the strengths and weaknesses of the controls.

    • Akshay Shendarkar says

      February 2, 2020 at 9:01 pm

      Hello Chris,

      You have provided a very good summary of the purpose of NIST SP 800-53A. This document provides good procedures for verifying the effectiveness of the implemented security and privacy controls. These metrics can be used by management in assessing the security posture of the organization as well as in taking efforts to ensure continuous improvement for the future.

  7. Natalie Dorely says

    February 2, 2020 at 7:11 pm

    It piqued my interest how much flexibility an assessor has toward creating/organizing an assessment plan. To save time and costs and maximize the usefulness of assessment results, assessors will review the selected assessment procedures for the security or privacy control area and consolidate whichever procedures work together. I found this very effective because it’ll help the organization maximize its efficiency with security or privacy controls through the combination of assessment procedures.

    • Junjie Han says

      February 4, 2020 at 10:36 pm

      Hi Dorely,
      I was also interested in the resource-saving section when I read it. It helps organizations or enterprises find the right cost to solve IT risk problems and combine IT with business.

  8. Innocent says

    February 2, 2020 at 8:44 pm

    One key takeaway from NIST 800-53Ar4, Assessing Security and Privacy Controls, is understanding how to prepare for security and privacy control assessments. Conducting security control assessments and privacy control assessments in today’s complex cyber environment can be difficult, challenging, and resource-intensive. Security and privacy control assessments may be conducted by different organizational entities with distinct oversight responsibilities. However, success requires cooperation and collaboration among all parties having a vested interest in the organization’s information security or privacy posture. Establishing an appropriate set of expectations before, during, and after an assessment is paramount to achieving an acceptable outcome, that is, producing the information necessary to help the authorizing official make a credible, risk-based decision on whether to place the information system into operation or continue its operation.

  9. Sarah Puffen says

    February 2, 2020 at 11:28 pm

    One key takeaway from NIST 800-53Ar4 when conducting control assessments is the idea that maximizing the number of common controls within an organization can reduce the cost of development, implementation, and overall assessment of privacy and security controls. Having this in mind during the early stages of the SDLC is the most efficient way to meet this goal, so security/privacy-related issues can be resolved prior to the system entering its maintenance phase. Conducting security control assessments during these early stages basically means that we need to be two or three steps ahead of anyone else, which can certainly be a challenge, but in the end it is what is most cost-effective and time-saving for everyone involved.

    • Peiran Liu says

      April 1, 2020 at 7:42 pm

      Hi Sarah,

      Maximizing the number of common controls is very useful when conducting control assessments as there will be industry standards for the control and its mitigation.

  10. Alexander Reichart-Anderson says

    February 3, 2020 at 12:00 am

    NIST 800-53A outlines the process of assessing various aspects of federal agency buildings. When beginning the assessment of any system, it begins with a heuristic review (as learned in previous ITACS classes). From there, the diligence of the auditor comes into full display with the required documentation and selection of the best recommendations to further the government’s security agenda. Remaining on the offensive with a proactive approach is best when dealing with state-run hacking organizations.

  11. Junjie Han says

    February 3, 2020 at 1:00 am

    NIST 800-53Ar4 evaluates security procedures and risk ratings, and also provides information on establishing effective security and privacy assessment plans. It helps companies align acceptable risk levels with the organization’s risk tolerance. The evaluation of the plan is the first step. Business processes can be effectively protected only if the plan is aligned with the organization’s business objectives. It categorizes and schedules effective controls based on the organization’s information systems and business models, and helps organizations or enterprises effectively recognize their IT security information.

    • Imran Jordan Kharabsheh says

      February 3, 2020 at 12:29 pm

      Hello,
      After reading through your thoughts and takeaways from the NIST 800-53A publication titled “Assessing Security and Privacy Controls for Federal Information Systems and Organizations”, I felt a little bit more secure in the information that I took away from the lesson, as you summarized most of what I can recall from reading the chapter off the top of my head. It’s good that you emphasized the importance of the assessment plans being relevant to the organization’s business objectives, as that is one of the primary reasons why we do assessments in the first place.

    • Innocent says

      February 3, 2020 at 11:28 pm

      Hello Han, you have a good point. Security and privacy assessments can also be conducted during the operations and maintenance phase of the life cycle to ensure that security and privacy controls continue to be effective in the operational environment and can protect against constantly evolving threats. Security assessments are typically conducted by information system owners, common control providers, information system security officers, independent assessors, auditors, and Inspectors General.

  12. Joseph Nguyen says

    February 3, 2020 at 10:12 am

    NIST 800-53r4 Appendix F is the main catalog of security controls arranged by control families. In addition to that, Appendix G is a catalog of Program Management controls. Both are useful for documentation in the context of the RMF (Risk Management Framework) for System Security Plans (SSP) and Information Security Program Plans (ISPP).

  13. Peiran Liu says

    April 1, 2020 at 7:36 pm

    The key takeaway for me from NIST 800-53Ar4 is about how to build an effective assurance case. System assessments are typically conducted by personnel who are familiar with information systems. Building an effective case is a process that involves both compiling the evidence and presenting the evidence. The evidence that needs to be compiled and presented usually comes from the implementation of the security and privacy controls in the information system and those inherited by the system, and from the assessments of that implementation.
