Assessing the Security Controls in Federal Information Systems and Organizations
IT auditing is the monitoring and validation of the safeguards, or controls, put in place to protect information. Controls cover different areas of an IT system, from security features in hardware and software to administrative processes such as written policies and user agreements.
Controls are grouped into families, which define the type of control to be complied with, and into classes: management, operational, and technical.
Assessments Within the System Development Life Cycle
Security assessments can be made at various stages in the system development life cycle to increase the grounds for confidence that the security controls employed within or inherited by an information system are effective in their application. Assessment activities in the initial system development life cycle phases can include design and code reviews, application scanning, and regression testing. Security weaknesses and deficiencies identified early in the system development life cycle can be resolved more quickly and much more cost-effectively before proceeding to subsequent phases in the life cycle. The objective is to identify the information security architecture and security controls up front and to ensure that the system design and testing validate the implementation of these controls. The assessment procedures described in Appendix F of NIST SP 800-53A can support such technical assessments carried out during the initial stages of the system development life cycle.
Security assessments are also routinely conducted by information system owners, common control providers, information system security officers, independent assessors, auditors, and inspectors general during the operations and maintenance phase of the life cycle to ensure that security controls are effective and continue to be effective in the operational environment where the system is deployed. For example, organizations assess all security controls employed within and inherited by the information system during the initial security authorization. After the initial authorization, the organization assesses the security controls (including management, operational, and technical controls) on an ongoing basis. The frequency of such monitoring is based on the continuous monitoring strategy developed by the information system owner or common control provider and approved by the authorizing official.
As previously stated, organizations develop controls based on laws, regulations, best practices, and industry standards. These controls are audited periodically to validate that the processes are in place and working. This responsibility falls to the auditor, also referred to as the security control assessor, who independently validates the controls to ensure compliance and reports the findings to a higher authority.
The National Institute of Standards and Technology (NIST) has developed a series of special publications that lay out the framework for the implementation, operation, and management of information technology security. The relevant assessment procedures can be found in NIST SP 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations [PDF].
Instructions
Refer to the Assessment Procedures in Assessing Security and Privacy Controls in Federal Information Systems and Organizations [PDF] and complete the following: