Resource
• http://www.iso.org/iso/home.html [1]
• http://www.iec.ch/ [2]
• http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=42103 [3]
• https://www.isaca.org/Pages/default.aspx [4]
• http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx [5]
• http://csrc.nist.gov/ [6]
• http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf [7]
• http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf [8]
• http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1-final.pdf [9]
• http://csrc.nist.gov/publications/nistpubs/800-70-rev2/SP800-70-rev2.pdf [10]
• http://web.nvd.nist.gov/view/ncp/repository [11]
• http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf [12]
The actual assessment begins with a set of determination statements that relate to the security controls implemented from the catalog in NIST SP800-53. An individual control listed in NIST SP800-53 may have multiple assessment objectives listed for it in NIST SP800-53A.
For example, NIST SP800-53 provides control AC-1, Access Control Policies and Procedures. NIST SP800-53A lists two assessment objectives for it: AC-1.1 and AC-1.2. Assessment objective AC-1.1 determines whether the policy and procedures exist and contain certain key items, and whether the organization distributes the policy, develops procedures, and distributes the procedures to the appropriate staff. Assessment objective AC-1.2 determines whether the policies and procedures have a defined update schedule and whether the organization actually updates them according to that schedule.
The output of the security control assessment is the security assessment report. The security assessment report details the items tested and documents the results to provide evidence for each finding. Each item receives a rating of either satisfied (S) or other than satisfied (O). The organization may wish to have a summary report that provides the highlights of the report, a synopsis of key findings, and recommendations for addressing the deficiencies.
The security assessment report will need to be reviewed by senior management. Management may determine that certain items present a lower or higher risk than indicated in the control assessment and risk assessment, based on the organization's mission and the operational environment. Items that should be addressed are used to create a plan of action and milestones (POAM) that management can use to direct remediation efforts. After management review, the system security plan and risk assessment should be updated accordingly. It should be noted that some risk will remain after the implementation of controls. This residual risk may be accepted by management or transferred to others through actions such as obtaining insurance policies.
starterkit 02/2011(2)
The risk management cycle is a continuous process. After these steps have been completed, the results should be used as the starting point for a new risk management cycle. The risk management framework can be adapted to the individual requirements of the organization. Since technologies and threats evolve over time, the risk management cycle should be repeated at regular intervals. The process can be used for new systems under development to ensure proper control selection, or it can be applied to existing systems to perform a gap analysis that evaluates current controls against the desired state.
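As an added illustration of the flow described above, from objective-level determination statements through the S/O ratings of the assessment report to the POAM (this is example code written for this edition, not code from the article or from NIST; the Finding and ControlResult classes, the summary fields, the sample findings and the accepted-risk set are all constructed for the example), the following script rolls objective results up to their parent control, produces the headline counts a summary report would carry, and turns every other-than-satisfied objective that management has not accepted as residual risk into a POAM item:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Rating codes as used in the security assessment report.
RATINGS = {"S": "satisfied", "O": "other than satisfied"}


@dataclass
class Finding:
    """Result of one determination statement (an SP 800-53A assessment objective)."""
    objective: str   # objective id such as "AC-1.1"; the parent control is the part before the last dot
    rating: str      # "S" or "O"
    evidence: str    # what was examined, interviewed or tested to support the rating

    def __post_init__(self) -> None:
        # Reject anything that is not one of the two report ratings.
        if self.rating not in RATINGS:
            raise ValueError(f"{self.objective}: rating must be one of {sorted(RATINGS)}")

    @property
    def control(self) -> str:
        return self.objective.rsplit(".", 1)[0]


@dataclass
class ControlResult:
    """All objective-level findings for one SP 800-53 control (constructed model)."""
    control: str
    findings: List[Finding] = field(default_factory=list)

    def status(self) -> str:
        # A control with several objectives is satisfied only if every objective is.
        return "S" if all(f.rating == "S" for f in self.findings) else "O"


def roll_up(findings: List[Finding]) -> Dict[str, ControlResult]:
    """Group objective-level findings under their parent control, preserving order."""
    results: Dict[str, ControlResult] = {}
    for f in findings:
        results.setdefault(f.control, ControlResult(f.control)).findings.append(f)
    return results


def summary(results: Dict[str, ControlResult]) -> Dict[str, int]:
    """Headline counts for the summary report (field names are this example's choice)."""
    objectives = [f for r in results.values() for f in r.findings]
    return {
        "controls": len(results),
        "controls_satisfied": sum(r.status() == "S" for r in results.values()),
        "objectives": len(objectives),
        "objectives_other_than_satisfied": sum(f.rating == "O" for f in objectives),
    }


def plan_of_action(results: Dict[str, ControlResult], accepted_risks: Set[str]) -> List[dict]:
    """Every 'O' objective becomes a POAM item unless management accepted it as residual risk."""
    items = []
    for r in results.values():
        for f in r.findings:
            if f.rating == "O" and f.objective not in accepted_risks:
                # The milestone date is left empty: it is set by management during review.
                items.append({"control": r.control, "objective": f.objective,
                              "weakness": f.evidence, "milestone": None})
    return items


# Constructed sample findings (not real assessment data).
SAMPLE_FINDINGS = [
    Finding("AC-1.1", "S", "Access control policy v3 examined; distribution list confirmed with HR"),
    Finding("AC-1.2", "O", "No review/update schedule defined; policy last updated more than three years ago"),
    Finding("PL-2.1", "S", "System security plan examined and approved by the authorizing official"),
    Finding("CM-6.1", "S", "Baseline configuration checklist examined for all in-scope servers"),
    Finding("CM-6.2", "O", "Two legacy servers deviate from the checklist with no documented exception"),
]
# Management accepted the residual risk of the legacy servers rather than remediating it.
ACCEPTED_RISKS = {"CM-6.2"}

if __name__ == "__main__":
    results = roll_up(SAMPLE_FINDINGS)
    for r in results.values():
        print(r.control, r.status(), [(f.objective, f.rating) for f in r.findings])
    print(summary(results))
    for item in plan_of_action(results, ACCEPTED_RISKS):
        print("POAM:", item)
```

The roll-up rule is the point worth checking in practice: AC-1 is reported as other than satisfied even though AC-1.1 passed, because the control's second objective (the update schedule) failed. Keeping the accepted-risk set separate from the findings preserves the evidence for CM-6.2 in the report while keeping it off the POAM, so the next cycle can revisit the acceptance decision.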
BART HOPPER
Bart Hopper has earned numerous certifications during his 18 years as an information technology professional. His certifications cover the areas of information security, Windows administration, Unix administration, and database administration. He lives in Nashville, Tennessee.
Page 39 http://pentestmag.com