The key takeaway is security control assessment. There are two types of security assessment: the micro and the macro perspective. In a narrow sense, it refers to the analysis and evaluation of the inherent or potential hazards and their severity in a working system with a specific function, expressing them quantitatively with a predetermined index, level, or probability value, and finally deciding on preventive or protective countermeasures based on that quantitative value. Broadly speaking, it refers to the use of system engineering principles and methods to comprehensively evaluate and predict the possible hazards and consequences of proposed or existing projects and systems, and to propose corresponding safety countermeasures according to the magnitude of the accident risk that may result, in order to achieve engineering and system safety. Evaluation should include determining the currently acceptable level of risk, measuring the current level of risk, and determining what can be done by comparing the two.
Hi Zibai,
I agree that it is very important to understand how to control and how to evaluate controls. In my experience, understanding and analyzing controls is usually a major part of the preliminary work when dealing with new businesses. Sometimes the required level of granularity is tedious, but it is necessary for proper evaluation/audit of controls. Doing the basic work well in advance also contributes to follow-up audits of the same entity.
NIST SP 800-53A R4 provides guidelines for establishing effective security assessment plans and privacy assessment plans, and provides a comprehensive set of procedures for evaluating the effectiveness of security and privacy controls used in information systems and organizations that support the executive agencies of the federal government. In defining a process for assessing the security and privacy controls in information systems and organizations, NIST SP 800-53A promotes a consistent level of security and privacy and provides the flexibility needed to tailor assessments based on organizational policies and requirements, known threat and vulnerability information, operational considerations, information system and platform dependencies, and risk tolerance.
Evaluation of the effectiveness of controls is vital to ensuring they meet the required threshold. This publication provides the most important guidelines to making accurate/relevant evaluations.
This really helps to decompose the process of assessing the security controls of information systems. Assessment objectives may involve many different methods and objects. Objects can be people or activities, and methods can be decomposed into tests, examinations, and interviews. Also, depth and coverage attribute values are assigned to the method, and these relate to the level of assurance required for the overall assessment. Attribute values can be basic, focused, or comprehensive. Understanding the options that can be used to help assess a control helps in developing assessment plans. This NIST publication shows the degree of detail of the process, but it is also decomposed in a very organized way, similar to the classification concepts in FIPS 199.
Hi Haozhe,
Thanks for sharing. One of the most important processes an organization can go through is a heuristic review of its systems and processes/controls. By providing the basic details and structure of the security assessment, we can understand the rationale for the rating to be performed. By understanding this, we can proactively ensure the safety of our data, people and systems.
One point is the integration of assessments into the system development life cycle. The purpose of implementing security and privacy assessments in the system development life cycle is to ensure that security and privacy controls are effectively carried out in the operational environment and help to protect against constantly evolving threats. Usually, security assessments are the responsibility of information system owners, common control providers, information system security officers, independent assessors, auditors, and Inspectors General. Privacy assessments are typically conducted by senior agency officials for privacy/privacy officers and privacy staff. In the initial phases of the system development life cycle, security assessments include design and code reviews and so on. Security-related and privacy-related weaknesses and deficiencies identified early in the system development life cycle can be resolved more quickly and in a much more cost-effective manner, before proceeding to subsequent phases in the life cycle. At the end of the life cycle, privacy assessments and security assessments are conducted to ensure that important organizational information is purged from the information system prior to disposal.
This document helps us understand how to make an assessment of a security control. One key point I learned is that an assessment is an information gathering activity and not necessarily related to security. With this in mind, you must create two separate assessments, one focused on privacy and one on security, or one integrated plan. Section 3.2 has the information which helps end users develop both of those assessments. Here we learn the steps which are taken by the assessors. The first step is to find out which controls need to be assessed, based on the plans and purpose of the assessments. Then they have to choose which procedures they need to use to assess the controls. Then, you customize the assessment procedures and develop additional assessment procedures when necessary. You also want to make sure you’re not duplicating efforts. You’ll want to try to optimize the assessment procedures and see if you can streamline some of the checks. This will help save costs. Once you have the most efficient assessment plans, you finalize them and get them approved. Overall, I learned a lot while reviewing this document. It is very useful when coming up with these plans.
Hi, Jonathan, I agree with your point of view. When gathering information, it is not necessarily related to security. Privacy also plays a critical role during the process. It is important to keep in mind that, when constructing an assessment, the person conducting it should have two different plans, each with a focus on different points.
NIST 800-53A R4 is written to facilitate security control assessments and privacy control assessments conducted within an effective risk management framework. A well-executed assessment helps determine the validity of the controls contained in the organization’s security plans and privacy plans. It also facilitates a cost-effective approach to correcting weaknesses or deficiencies in systems.
The purpose of this publication is to provide guidelines for building effective security assessment plans and privacy assessment plans. It also creates a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.
In NIST 800-53A R4, one key point I thought was important was section 3.2, which discusses Developing Security and Privacy Assessment Plans. In this section, objectives are put in place to make sure that organizational information systems have plans in place to keep security and privacy at a high level. These plans include:
• Determine which security and privacy controls/control enhancements are to be included in assessments based upon the contents of the security plan and privacy plan and the purpose and scope of the assessments;
• Select the appropriate assessment procedures to be used during assessments based on the security or privacy controls and control enhancements to be included in the assessments;
• Tailor the selected assessment procedures (e.g., select appropriate assessment methods and objects, assign depth and coverage attribute values);
• Develop additional assessment procedures to address any security requirements or privacy requirements or controls that are not sufficiently covered by Special Publication 800-53;
• Optimize the assessment procedures to reduce duplication of effort (e.g., sequencing and consolidating assessment procedures) and provide cost-effective assessment solutions; and
• Finalize assessment plans and obtain the necessary approvals to execute the plans.
Having these procedures in place provides a baseline security and privacy objective for organizations to use to fully benefit from the plans.
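The six steps quoted above read as a procedure, so here is an added example (not from the NIST publication or from any post in this thread) that models them in Python, with the emphasis on step 5, consolidating procedures to reduce duplication. The control IDs, assessment objects, the made-up control "XX-1", and the mapping from FIPS 199 impact level to depth/coverage value are constructed for illustration and are not NIST's own catalog entries.

```python
"""Added example: a small model of the SP 800-53A Rev 4 plan-development steps.
Catalog contents, the 'XX-1' control and the impact-level mapping are constructed."""
from collections import defaultdict
from dataclasses import dataclass, replace

# Attribute values in increasing rigor (SP 800-53A depth and coverage).
LEVELS = ("basic", "focused", "comprehensive")
# Assumed (constructed) mapping from FIPS 199 impact level to default attribute value.
IMPACT_TO_LEVEL = {"low": "basic", "moderate": "focused", "high": "comprehensive"}


@dataclass(frozen=True)
class Procedure:
    control: str    # control or enhancement being assessed, e.g. "AC-2"
    method: str     # examine | interview | test
    obj: str        # assessment object: specification, mechanism, activity or individual
    depth: str = "basic"
    coverage: str = "basic"


# Constructed procedure catalog (step 2 source). Real plans draw these from SP 800-53A.
CATALOG = {
    "AC-2": [Procedure("AC-2", "examine", "access control policy"),
             Procedure("AC-2", "interview", "system administrator"),
             Procedure("AC-2", "test", "account management mechanism")],
    "AC-6": [Procedure("AC-6", "examine", "access control policy"),
             Procedure("AC-6", "interview", "system administrator")],
    "CP-9": [Procedure("CP-9", "examine", "contingency plan"),
             Procedure("CP-9", "test", "backup mechanism")],
}


def select_procedures(in_scope_controls, catalog=CATALOG):
    """Steps 1, 2 and 4: take the controls named in the security plan, pull their
    procedures, and flag controls the catalog does not cover (these need
    additional, organization-written procedures)."""
    procs = [p for c in in_scope_controls for p in catalog.get(c, [])]
    uncovered = [c for c in in_scope_controls if c not in catalog]
    return procs, uncovered


def tailor(procs, impact_level, overrides=None):
    """Step 3: assign depth/coverage from the system's impact level, with optional
    per-control overrides for controls the organization wants assessed harder."""
    overrides = overrides or {}
    tailored = []
    for p in procs:
        level = IMPACT_TO_LEVEL[overrides.get(p.control, impact_level)]
        tailored.append(replace(p, depth=level, coverage=level))
    return tailored


def consolidate(procs):
    """Step 5: procedures that apply the same method to the same object are merged,
    so the assessor examines a document or interviews a person once and credits the
    result to every control it supports. The strictest depth/coverage in the group
    wins, so merging never weakens the assessment of any single control."""
    groups = defaultdict(list)
    for p in procs:
        groups[(p.method, p.obj)].append(p)
    plan = []
    for (method, obj), group in sorted(groups.items()):
        plan.append({
            "method": method,
            "object": obj,
            "controls": sorted({p.control for p in group}),
            "depth": max((p.depth for p in group), key=LEVELS.index),
            "coverage": max((p.coverage for p in group), key=LEVELS.index),
        })
    return plan


def build_plan(in_scope_controls, impact_level, overrides=None):
    """Steps 1-5; step 6 (approval) is the status field an approving official flips."""
    procs, uncovered = select_procedures(in_scope_controls)
    plan = consolidate(tailor(procs, impact_level, overrides))
    return {"status": "draft", "procedures": plan,
            "needs_additional_procedures": uncovered,
            "raw_procedure_count": len(procs)}


if __name__ == "__main__":
    result = build_plan(["AC-2", "AC-6", "CP-9", "XX-1"], "moderate",
                        overrides={"AC-6": "high"})
    for row in result["procedures"]:
        print(row)
    print("needs additional procedures:", result["needs_additional_procedures"])
```

Running it with the constructed catalog turns seven per-control procedures into five consolidated ones: the policy examination and the administrator interview are each performed once but credited to both AC-2 and AC-6, and because AC-6 was overridden to the high level those two merged rows carry comprehensive depth and coverage while the CP-9 rows stay at focused. The unknown control XX-1 is reported as needing an additional procedure rather than silently dropped.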
This section ties well into 3.1 above it. I do find the point on optimization to be very important, especially since there is high collaboration between various units/personnel within the organization. Without reducing/eliminating duplication of tasks and processes, there will be a lot of wasted time and resources.
NIST Special Publication 800-53A Revision 4 is about how to assess security and privacy controls in federal information systems and organizations. Its purpose is to guide the audience in building effective assessment plans. As security and privacy control assessors begin preparing for their respective assessments, they need to obtain a general understanding of the organization’s operations and of the critical information that supports daily business operations. They also need to obtain an understanding of the structure of the information system, identify the organizational entities responsible for the development and implementation of the common controls, and meet with appropriate organizational officials to ensure a common understanding of the assessment objectives and the proposed rigor and scope of the assessment. They need to obtain the artifacts needed for the assessment, and to establish the appropriate organizational points of contact needed to carry out the assessments.
The process of preparing for security and privacy control assessments stands out from this publication, given the complexity of IT systems and environments today. The publication outlines in chapter three the need for collaboration among different entities within the organization in conducting security and privacy control assessments. There is a detailed suggestion of in-depth collaboration and involvement of all personnel from the various units involved in information handling at any given level.
The organization and all assessors need to go through a thorough preparation before conducting a security control assessment and privacy control assessment. There is a recommended set of guidelines that must be adhered to as well.
Thanks Humbert for summarizing the major roles and responsibilities involved in the control assessment process. Like you, I found it interesting how detailed the publication was, even in suggesting where collaboration on the assessment should occur. I focused on common versus system-specific control classes. I can see where collaboration among the parties who support information or information systems, along with senior officials at the agency, would allow for a more cohesive set of common and system-specific controls and ensure adequate understanding of the controls and their effectiveness.
Hi, Humbert. I like that you mentioned the need for collaboration among different entities within the organization in conducting security and privacy control assessments. For example, other departments, such as the operations department, may only ask for help without telling the IT department what they need to solve the problem. That is not effective and wastes time doing the wrong things. If they can provide more details of the problem, it can help both sides save time.
This publication goes over guidelines for building a security assessment plan. In essence, security assessment is an information-gathering activity, not a security activity. NIST 800-53A is meant to be a starting point in the process of defining procedures for assessing the security and privacy controls in information systems. Security assessments are necessary to determine how effective the current security controls in place are. These are generally broken up into two different assessments, one for privacy and another for security. Security assessments would include controls assigned to devices such as firewalls, proxy servers, SIEM, and server patching. Privacy assessments may include reviewing the controls that oversee how information is automatically logged and/or not explicitly consented to by a user, whether the company website shares information with third parties, or how the organization verifies the identity of the person/parties accessing the data.
I think it’s great you touched on how imperative it is for this document to lay out specific privacy assessments. More and more organizations are sharing information without our consent, or we give consent inadvertently when we hit “I Agree” on the terms and conditions on a site in order to use their service.
This publication assists in assessing and auditing the security and privacy controls for federal information systems and organizations. Security assessments provide guidance on how to assess a system’s security controls and evaluate how effectively the controls are protecting the system from potential threats. Additionally, a security assessment can help identify any vulnerabilities within the system and the business processes it supports. If there are vulnerabilities, the assessment can determine the next remediation steps, how to prevent future attacks, and how to lower the risk for the system. Privacy assessments help an organization identify potential impacts in the collection and usage of data from new projects and other initiatives. In order to complete both assessments accurately, there needs to be support from the responsible lines of business and technology.
I think it’s interesting that you touched on potential impacts in the collection and usage of data from new projects. This is a time when two organizations are first joining together, meaning that the security controls may not have been implemented yet, or were possibly done incorrectly, which would leave a small gap before they were fixed for attackers, or even inside employees, to take advantage of.
This document talks about the security and privacy assessments which can be carried out at various stages in the SDLC to ensure the controls implemented are effective. Building an effective assurance case involves compiling evidence from various activities during the SDLC to ensure the controls are effective and operating as intended. The document provides an example, Figure 1, highlighting the effectiveness of security control CP-9, information system backup. It highlights the assessment objective, whether it protects the confidentiality, integrity, and availability of backup information at storage locations, and potential assessment methods and objects. Section 3.2 goes over the steps to develop security and privacy assessment plans. The steps include determining the security and privacy controls and control enhancements, selecting appropriate assessment procedures, tailoring the selected assessment procedures, developing additional assessment procedures, optimizing assessment procedures, and finalizing assessment plans. The results of this assessment will then influence control implementations and the content of security plans and privacy plans.
Organizations understand how to develop an organization-wide strategy that can help them to conduct a cost-effective security and privacy control assessment. This strategy needs to be applicable to both the risk management framework and the organizational information systems, so the organizations can identify the risk categories and select the appropriate controls to mitigate the risk to an acceptable level. During the process, the organizations determine the threats and vulnerabilities to develop the assessment; have the capability to review the results of the assessment to make decisions that can mitigate the risk; and are able to provide an overall review of weaknesses and deficiencies within the information system. With more specific assessment procedures, the organizations can have a cost-effective assessment. In doing so, the organization’s respective authorizing officials need to have clear responsibilities, so they can implement the controls early and facilitate a more global strategy to complete the risk assessment.
The reading is focused on the control assessment process after the security controls have been selected. The assessment process looks to ensure the security controls are aligned to the correct level of controls, common or system-specific, as well as whether the control is actually satisfying the security objective outlined as part of the control selection. An interesting portion of the reading was using security and privacy capabilities to evaluate controls. This lens allows organizations to root-cause particular control failures against all the controls that apply to a specific capability, and a single capability usually has a suite of controls for that process. Thus the determination of control effectiveness for the control assessment is based on all the controls for a capability and not a single control. This really allows the organization to focus on the overall security objective rather than a single control.
The assessment procedures stood out to me from this reading. It consists of objectives, with each objective containing a set of methods and objects. Assessment objects identify the specific items in question and includes specifications, mechanisms, activities and individuals. The assessment methods include examining, interviewing and testing. These are used to go through the objects and help the team figure out what needs to be valued more critically as well as put everything into view so that the organization can be viewed as broken down as possible. This helps because rather than saying an issue arose from this area, they can pinpoint an exact location or criteria within that area rather than keeping things broad.
Information security is described as one of the many required operational capabilities for the information system to support the organizational mission/business processes. It’s often put on the backburner as a luxury and not a necessity but as the imminent cyber threats continuously grow, organizations need to understand their security environment to conduct business safely. Some baselines for achieving adequate information security for the organization, their mission/processes, and for their information systems are:
– Have clear, specific, well-defined security requirements.
– Have well-designed and well-built information technology products based on security best practice and state-of-the-art hardware designs.
– Use sound system/security engineering principles to maintain and integrate the information technology products used in the organization’s information systems.
– Have continuous monitoring controls to ensure the effectiveness of the security controls and to keep up with any changes to the system, while still maintaining compliance with defined policies/standards.
– Create a well-defined information security plan and system development life cycle.
These are just the bare minimum needed to effectively ensure information security is used to protect the company’s system. There will be a need for custom tailoring as well to ensure all areas of scope in the security environment are covered.
With the continuous development of cloud computing, the Internet of Things, big data and other technologies, the methods for collecting, sorting, analyzing and predicting user data in information system services are constantly maturing. All kinds of targeted services based on location tracking and behavioral preference records provide convenience for people’s daily lives, but at the same time more and more people are concerned about privacy. Data, as the core value and an important asset of modern businesses and individuals, is reshaping every aspect of human life. In the era of the digital economy, the importance of data as a factor of production is increasingly prominent. With frequent data leaks, data privacy and security have become an urgent problem. Existing privacy protection mainly starts from two aspects: privacy protection, and privacy measurement and evaluation, in the process of information processing. In fact, data privacy is the first problem to be solved when entering the digital society.
This document provides a set of procedures for evaluating security and privacy controls adopted within federal information systems and organizations. The assessment procedures, performed at all stages of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 4. These procedures are customizable and can be easily tailored to provide the necessary flexibility for the organization to conduct security control assessments and privacy control assessments that support the organization’s risk management process and are consistent with the organization’s prescribed risk tolerance. It also provides information on establishing effective security and privacy assessment plans, and guidance on analyzing assessment results.
This document works in conjunction with SP 800-53r4. While the aforementioned publication provides the controls to choose from, this supporting document enables IS professionals to assess the security and effectiveness of said controls. The goal of this document is to give insight into how to assess whether the control was implemented correctly, is operating as it was intended, and is “producing the right outcome with respect to meeting the security and privacy requirements for the system and organization.”
I found this publication particularly interesting as it gives a better understanding of each control and how it should be expected to function based on the need of the company. Understanding the implementation, effectiveness and basic expectation of the control is imperative as it could help eliminate a control altogether or help select a better control that fits the need.
One of the important takeaways from this document, “Assessing Security and Privacy Controls for Federal Info and Info Sys”, is security control assessment. The document states that there are two types of security assessment:
Micro perspective: refers to the analysis and evaluation of the inherent or potential hazards and their severity in the system with a specific function.
Macro perspective: this refers to the use of system engineering and its principles to evaluate and analyze and predict the possible hazards and possible consequences of the proposed
Hi, Prince, I agree with your point. I think the most important thing in this document is that these procedures are customizable and can be easily tailored to provide the necessary flexibility for the organization to conduct security control assessments and privacy control assessments that support the organization’s risk management process.
The key point takes away is security control assessment. There are two types of security assessment: micro and macro perspective. In a narrow sense, it refers to the analysis and evaluation of the inherent or potential hazards and their severity in a working system with a specific function, and to make a quantitative expression with a predetermined index, level, or probability value, and finally decide to make the decision based on the quantitative value Preventive or protective countermeasures. Broadly speaking, it refers to the use of system engineering principles and methods to comprehensively evaluate and predict the possible hazards and possible consequences of the proposed or existing projects and systems and to propose corresponding safety countermeasures according to the magnitude of the accident risk that may result, To achieve the process of engineering and system safety. Evaluation should include determining the currently acceptable level of risk, measuring the current level of risk, and determining what can be done by comparing the two.
HI Zibai,
I agree that it is very important to understand how to control and evaluate control. According to my experience, understanding and analyzing controls is usually a major part of previous work when dealing with new businesses. Sometimes the required granularity level is tedious, but it is necessary for proper evaluation/audit control. Doing a good job of basic work in advance also contributes to the follow-up audit of the same entity.
NIST SP 800-53 AR4 provides guidelines for establishing effective security assessment plans and privacy assessment plans, and provides a comprehensive set of procedures for evaluating the effectiveness of security and privacy controls used in information systems and organizations that support federal government enforcement agencies. In defining evaluate the security and privacy in the information system and organization in the process of control program, NIST SP 800-53 can improve the consistent level of security and privacy, and provide the flexibility needed to based on the following custom assessment organization strategy and requirements, and the known threats and vulnerabilities information, operation points for attention, information system and platform dependent, and the risk to bear ability.
Evaluation of the effectiveness of controls is vital to ensuring they meet the required threshold. This publication provides the most important guidelines to making accurate/relevant evaluations.
This really helps to decompose the process of assessing the safety control of information systems. Assessment objectives may involve many different methods and objects. Objects can be people or activities, and methods can be decomposed into tests, examinations, and interviews. Also, the depth and convergent attribute values are assigned to the method, which is related to the level of assurance required for the overall assessment. Attribute values can be basic, centralized, or comprehensive. Understanding the options that can be used to help assess control helps to develop assessment plans. This NIST publication shows the degree of detail of the process, but it is also decomposed in a very organized way, similar to the classification concepts in FIPS 199.
Hi Haozhe,
Thanks for your sharing. One of the most important processes an organization can go through is a heuristic review of its systems and processes/controls. By providing the basic details and structure of the security assessment, we can understand the rationale for the rating to be performed. By understanding this, we can proactively ensure the safety of our data, people and systems.
One point is the integration of assessments into the system development life cycle. The purpose of implement security and privacy assessments in the system development life cycle is to ensure that security and privacy controls are effectively carried out in the operational environment and help to protect against constantly evolving threats. Usually, security assessments are in charge of information system owners, common control providers, information system security officers, independent assessors, auditors, and Inspectors General. Privacy assessments are typically conducted by senior agency officials for privacy/privacy officers and privacy staff. In the initial system development life cycle, security assessments phases include design and code reviews and so on. Before proceeding to subsequent phases in the life cycle, security-related and privacy-related weaknesses and deficiencies identified early in the system development life cycle can be resolved more quickly and in a much more cost-effective manner. At the end of the life cycle, privacy assessments and security assessments are conducted to ensure that important organizational information is purged from the information system prior to disposal.
This document helps us understand how to make an assessment of a security control. One key point I learned is an assessment is an information gathering activity and not necessarily related to security. With this in mind, you must create two separate assessments with a focus on privacy and security or one integrated plan. Section 3.2 has the information which helps end users develop both of those assessments. Here we learn the steps which are taken by the assessors. The first step is to find out which controls need to be assessed, based on the plans and purpose of the assessments. Then they have to choose which procedures they need to use to assess the controls. Then, you customize the assessment procedure and develop additional assessment procedures when necessary. You also want to make sure you’re not duplicating efforts. You’ll want to try to optimize the assessment procedures and see if you can streamline some of the checks. This will help save costs. Once you have the most efficient assessment plans, you finalize them and get them approved. Overall, I learned a lot while reviewing this document. It is very useful when coming up with these plans.
Hi, Jonathan, I agree with your point of view. When gathering information, it is not necessarily related to security. Privacy also plays a critical role during the process. It is important to keep in mind that, when constructing an assessment, the conductor should have two different planes with a focus on a different points.
Nist 800 53Ar4 is written to facilitate security control assessments and privacy control assessments conducted within an effective risk management framework. A well-executed assessment helps determine the validity of the controls contained in the organization’s security plans and privacy plans. It also Facilitates a cost-effective approach to correcting weaknesses or deficiencies in systems
The purpose of this publication is to provide guidelines for building effective security assessment plans and privacy assessment plans. It also creates a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government.
In NIST 800-53Ar4, one key point I thought was important was section 3.2, which discusses Developing Security and Privacy Assessment Plans. In this section, objectives are put in place to make sure that organizational information systems have plans in place to keep security and privacy at a high level. These plans include:
• Determine which security and privacy controls/control enhancements are to be included in assessments based upon the contents of the security plan and privacy plan and the purpose and scope of the assessments;
• Select the appropriate assessment procedures to be used during assessments based on the security or privacy controls and control enhancements to be included in the assessments;
• Tailor the selected assessment procedures (e.g., select appropriate assessment methods and objects, assign depth and coverage attribute values);
• Develop additional assessment procedures to address any security requirements or privacy requirements or controls that are not sufficiently covered by Special Publication 800-53;
• Optimize the assessment procedures to reduce duplication of effort (e.g., sequencing and consolidating assessment procedures) and provide cost-effective assessment solutions; and
• Finalize assessment plans and obtain the necessary approvals to execute the plans.
Having these procedures in place provides a baseline security and privacy objective for organizations to use to fully benefit from the plans.
This section ties well into 3.1 above it. I do find the point on optimization to be very important especially since there is high collaboration between various units/personnel within the organization. Without reducing/eliminating duplication of tasks and process there shall be a lot of wastages in time and resources.
The NIST Special Publication 800-53A Revision 4 is about how to assess security and privacy controls in federal information systems and organizations. Its purpose is to guide the audience in building effective assessment plans. As security and privacy control assessors begin preparing for their respective assessments, they need to obtain a general understanding of the organization’s operations and of the critical information that supports the business’s daily operations. They also need to obtain an understanding of the structure of the information system, identify the organizational entities responsible for the development and implementation of the common controls, and meet with appropriate organizational officials to ensure a common understanding of the assessment objectives and the proposed rigor and scope of the assessment. They need to obtain the artifacts needed for the assessment, and they need to establish the appropriate organizational points of contact needed to carry out the assessments.
The process of preparing for security and privacy control assessments stands out from this publication, given the complexity of IT systems and environments today. The publication outlines in chapter three the need for collaboration among different entities within the organization in conducting security and privacy control assessments. There is a detailed suggestion of in-depth collaboration and involvement of all personnel from the various units involved in information handling at any given level.
The organization and all assessors need to go through a thorough preparation before conducting a security control assessment and privacy control assessment. There is a recommended set of guidelines that must be adhered to as well.
Thanks Humbert for summarizing the major roles and responsibilities involved in the control assessment process. Like you, I found it interesting how detailed the publication was, even in suggesting where collaboration on the assessment should occur. I focused on common versus system-specific control classes. I can see where collaboration among the parties who support information or information systems, along with senior officials at the agency, would allow for a more cohesive set of common and system-specific controls and ensure adequate understanding of the controls and their effectiveness.
Hi, Humbert. I like that you mentioned the need for collaboration among different entities within the organization in conducting security and privacy control assessments. For example, other departments, such as the operations department, may only request help without telling the IT department what they need in order to solve the problem. That is not effective and wastes time doing the wrong things. If they can provide more details of the problem, it can help both of them save time.
This publication goes over guidelines for building a security assessment plan. In essence, security assessment is an information-gathering activity, not a security activity. NIST 800-53A is meant to be a starting point in the process of defining procedures for assessing the security and privacy controls in information systems. Security assessments are necessary to determine how effective the current security controls in place are. These are generally broken up into two different assessments, one for privacy and another for security. Security assessments would include controls assigned to devices such as firewalls, proxy servers, SIEM, and server patching. Privacy assessments may include reviewing the controls that oversee how information is automatically logged and/or not explicitly consented to by a user, whether the company website shares information with third parties, or how the organization verifies the identity of the person/parties accessing the data.
Hi Anthony,
I think it’s great you touched on how imperative it is for this document to lay out specific privacy assessments. More and more organizations are sharing information without our consent, or we give consent inadvertently when we hit “I Agree” on the terms and conditions on a site in order to use their service.
This publication assists in assessing and auditing the security and privacy controls for Federal Information Systems and information systems. Security assessments provide guidance on how to assess a system’s security controls and evaluate how effective the controls are at protecting the system from potential threats. Additionally, a security assessment can help identify any vulnerabilities within the system and the business process it supports. If there are vulnerabilities, the assessment can determine the next steps for remediation, how to prevent future attacks, and how to lower the risk for the system. Privacy assessments help an organization identify potential impacts in the collection and usage of data from new projects and other initiatives. In order to complete both assessments accurately, there needs to be support from the responsible lines of business and technology.
I think it’s interesting that you touched on potential impacts in the collection and usage of data from new projects. This is a time when two organizations are first joining together, meaning that the security controls may not have been implemented yet or were possibly done incorrectly, which would leave a small gap before they were fixed for attackers or even inside employees to take advantage of.
This document talks about the security and privacy assessments which can be carried out at various stages in the SDLC to ensure the controls implemented are effective. Building an effective assurance case involves compiling evidence from various activities during the SDLC to ensure the controls are effective and operating as intended. The document provides an example, Figure 1, highlighting the effectiveness of security control CP-9, information system backup. It highlights the assessment objective, whether it protects the confidentiality, integrity, and availability of backup information at storage locations, and potential assessment methods and objects. Section 3.2 goes over the steps to develop security and privacy assessment plans. The steps include determining the security and privacy controls and control enhancements, selecting appropriate assessment procedures, tailoring the selected assessment procedures, developing additional assessment procedures, optimizing assessment procedures, and finalizing assessment plans. The results of this assessment will then influence control implementations and the content of security plans and privacy plans.
Organizations understand how to develop an organization-wide strategy that can help them to conduct a cost-effective security and privacy control assessment. This strategy needs to be applicable to both the risk management framework and the organizational information systems, so the organizations can identify the risk categories and select the appropriate controls to mitigate the risk to an acceptable level. During the process, the organizations determine the threats and vulnerabilities to develop the assessment; have the capability to review the results of the assessment to make decisions that can mitigate the risk; and are able to provide an overall review of weaknesses and deficiencies within the information system. When having more specific assessment procedures, the organizations can have a cost-effective assessment. In doing so, the organization’s respective authorizing officials need to have a clear responsibility, so they can implement the controls early and facilitate a more global strategy to complete the risk assessment.
The reading is focused on the control assessment process after the security controls have been selected. The assessment process looks to ensure the security controls are aligned to the correct level of controls, common or system-specific, as well as whether the control is actually satisfying the security objective outlined as part of the control selection. An interesting portion of the reading was using security and privacy capabilities to evaluate controls. This lens allows organizations to root-cause analyze particular control failures against all the controls that apply to a specific capability, and a single capability usually has a suite of controls for that process. Thus, the determination of control effectiveness for the control assessment is based on all the controls for a capability and not a single control. This really allows the organization to focus on the overall security objective rather than a single control.
The assessment procedures stood out to me from this reading. They consist of objectives, with each objective containing a set of methods and objects. Assessment objects identify the specific items in question and include specifications, mechanisms, activities and individuals. The assessment methods include examining, interviewing and testing. These are used to go through the objects and help the team figure out what needs to be valued more critically, as well as put everything into view so that the organization can be viewed as broken down as possible. This helps because rather than saying an issue arose from this area, they can pinpoint an exact location or criterion within that area rather than keeping things broad.
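The six plan-development steps quoted in the earlier post on section 3.2 (determine, select, tailor, develop, optimize, finalize) and the objective/method/object structure of an assessment procedure described in this post can be put together as one small worked example. The code below is an added illustration and is not from the publication or from any poster in this thread. The control identifiers CP-9, CP-9(1), AU-9 and PM-9 are real SP 800-53 names, but the objective wording, the step lists, and the rule mapping an impact level to depth/coverage values are constructed placeholders, not the publication's own procedures.

```python
"""Constructed example: build and optimize a control assessment plan in the
shape SP 800-53A describes (objective -> methods x objects), then walk the
six plan-development steps. Catalog text and tailoring rule are hypothetical."""
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Method(Enum):
    EXAMINE = "examine"
    INTERVIEW = "interview"
    TEST = "test"


@dataclass(frozen=True)
class Step:
    method: Method
    obj: str  # assessment object: a specification, mechanism, activity or individual


@dataclass
class Procedure:
    control: str
    objective: str
    steps: List[Step]
    depth: str = "basic"      # depth attribute value (basic/focused/comprehensive)
    coverage: str = "basic"   # coverage attribute value


# Constructed catalog: real control names, hypothetical objective text and steps.
CATALOG: Dict[str, Procedure] = {
    "CP-9": Procedure("CP-9", "System backups are performed and protected", [
        Step(Method.EXAMINE, "contingency plan"),
        Step(Method.EXAMINE, "backup logs"),
        Step(Method.INTERVIEW, "personnel with backup responsibilities"),
        Step(Method.TEST, "backup mechanisms"),
    ]),
    "CP-9(1)": Procedure("CP-9(1)", "Backup media is tested for reliability and integrity", [
        Step(Method.EXAMINE, "contingency plan"),
        Step(Method.EXAMINE, "backup test results"),
        Step(Method.INTERVIEW, "personnel with backup responsibilities"),
    ]),
    "AU-9": Procedure("AU-9", "Audit information and tools are protected", [
        Step(Method.EXAMINE, "audit and accountability policy"),
        Step(Method.INTERVIEW, "personnel with audit responsibilities"),
        Step(Method.TEST, "access controls on audit records"),
    ]),
}

# Hypothetical tailoring rule: the assurance expectation (here, impact level)
# drives the depth and coverage attribute values assigned to every procedure.
TAILORING = {"low": "basic", "moderate": "focused", "high": "comprehensive"}


def select_controls(security_plan: List[str], scope: Optional[List[str]] = None) -> List[str]:
    """Step 1: controls to assess come from the security plan, narrowed by the
    assessment's stated scope (None means everything in the plan)."""
    return [c for c in security_plan if scope is None or c in scope]


def select_procedures(controls: List[str], catalog=CATALOG) -> Tuple[List[Procedure], List[str]]:
    """Steps 2 and 4: pick catalog procedures; controls with no procedure are
    returned as gaps for which an additional procedure must be developed."""
    found = [catalog[c] for c in controls if c in catalog]
    gaps = [c for c in controls if c not in catalog]
    return found, gaps


def tailor(procedures: List[Procedure], impact: str) -> List[Procedure]:
    """Step 3: assign depth/coverage values on copies, leaving the catalog untouched."""
    level = TAILORING[impact]
    return [replace(p, depth=level, coverage=level) for p in procedures]


def optimize(procedures: List[Procedure]) -> Dict[Step, List[str]]:
    """Step 5: consolidate identical method/object pairs that appear under several
    controls, so each artifact is examined and each person interviewed once."""
    schedule: Dict[Step, List[str]] = {}
    for p in procedures:
        for s in p.steps:
            schedule.setdefault(s, []).append(p.control)
    return schedule


def steps_saved(procedures: List[Procedure], schedule: Dict[Step, List[str]]) -> int:
    """How many redundant assessment actions consolidation removed."""
    return sum(len(p.steps) for p in procedures) - len(schedule)


@dataclass
class Plan:
    procedures: List[Procedure]
    schedule: Dict[Step, List[str]]
    gaps: List[str]
    approvals: List[str] = field(default_factory=list)

    def ready_to_execute(self) -> bool:
        """Step 6: execute only once every gap is closed and an approval is recorded."""
        return not self.gaps and bool(self.approvals)


def build_plan(security_plan: List[str], impact: str, scope: Optional[List[str]] = None) -> Plan:
    """Run steps 1-5; approval (step 6) is recorded separately by the approver."""
    procs, gaps = select_procedures(select_controls(security_plan, scope))
    procs = tailor(procs, impact)
    return Plan(procs, optimize(procs), gaps)


if __name__ == "__main__":
    plan = build_plan(["CP-9", "CP-9(1)", "AU-9", "PM-9"], impact="moderate")
    for step, controls in plan.schedule.items():
        print(f"{step.method.value:9} {step.obj:40} covers {controls}")
    print("gaps needing new procedures:", plan.gaps,
          "| actions saved by consolidation:", steps_saved(plan.procedures, plan.schedule))
```

The consolidated schedule is the practical payoff of the optimization step: the contingency plan is examined once and the backup personnel are interviewed once even though two procedures call for both, while the control with no catalog entry surfaces as a gap rather than silently dropping out of the plan.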
Information security is described as one of the many required operational capabilities for the information system to support the organizational mission/business processes. It’s often put on the back burner as a luxury and not a necessity, but as the imminent cyber threats continuously grow, organizations need to understand their security environment to conduct business safely. Some baselines for achieving adequate information security for the organization, their mission/processes, and for their information systems are:
– Have clear, specific, well-defined security requirements.
– Have well-designed and well-built information technology products based on security best practice and state-of-the-art hardware designs.
– Sound system/security engineering principles that are used to maintain and integrate the information technology products used into the organization’s information systems.
– Having continuous monitoring controls to ensure the effectiveness of the security controls and to keep up with any changes to the system, while still maintaining compliance with defined policies/standards.
– Creating a well-defined information security plan and system development life cycle.
These are just the bare minimum needed to effectively ensure information security is used to protect the company’s system. There will be a need for custom tailoring as well to ensure all areas of scope in the security environment are covered.
With the continuous development of cloud computing, the Internet of Things, big data and other technologies, the collection, sorting, analysis and prediction methods for user data in information system services are constantly maturing. All kinds of targeted services based on location tracking and behavior preference records provide convenience for people’s daily lives, but at the same time, more and more people are concerned about privacy. Data, as the core value and important asset of modern business and individuals, is reshaping every aspect of human life. In the era of the digital economy, the importance of data as a factor of production is increasingly prominent. With the frequent leakage of data, data privacy security has become an urgent problem. The existing privacy protection mainly starts from two aspects: privacy protection, and privacy measurement and evaluation in the process of information processing. In fact, data privacy is the first problem to be solved when entering the digital society.
This document provides a set of procedures for evaluating security and privacy controls adopted within federal information systems and organizations. The assessment procedures performed at all stages of the system development life cycle are consistent with the security and privacy controls in NIST Special Publication 800-53, 4th Edition. These procedures are customizable and can be easily tailored to provide the necessary flexibility for the organization to conduct security control assessments and privacy control assessments that support the organization’s risk management process and are consistent with the organization’s prescribed risk tolerance. It also provides information on establishing effective security and privacy assessment plans, and guidance on analyzing assessment results.
This document works in conjunction with SP 800-53r4. While the aforementioned publication provides the controls to choose from, this supporting document enables IS professionals to assess the security and effectiveness of said controls. The goal of this document is to give insight into how to assess if the control was implemented correctly, is operating as it was intended, and is “producing the right outcome with respect to meeting the security and privacy requirements for the system and organization.”
I found this publication particularly interesting as it gives a better understanding of each control and how it should be expected to function based on the need of the company. Understanding the implementation, effectiveness and basic expectation of the control is imperative as it could help eliminate a control altogether or help select a better control that fits the need.
One of the important takeaways from this document “Assessing Security and Privacy Controls for Federal Info and Info Sys” is security control assessment. The document states that there are two types of security assessment:
Micro perspective: refers to the analysis and evaluation of the inherent or potential hazards and their severity in the system with a specific function.
Macro perspective: this refers to the use of system engineering and its principles to evaluate and analyze and predict the possible hazards and possible consequences of the proposed
Hi, Prince, I agree with your point. I think the most important thing in this document is that these procedures are customizable and can be easily tailored to provide the necessary flexibility for the organization to conduct security control assessments and privacy control assessments that support the organization’s risk management process.