Welcome back to the DoD Risk Management Framework series. Mike Redman here, guiding you through ensuring you have the information that you need to successfully implement the DoD Risk Management Framework. We've made it to step number four, Assess.

In this section, we will ensure that you know how to use one or more of the three methods of assessment to assess your information system, how to prepare or support the preparation of the security assessment documentation, and the issues or findings and recommendations that may come out of the assessment activity. If you're studying for the (ISC)² CAP examination, this is where you would need to understand the control assessment and monitoring phases and the triggers in the new CAP process. Within the Assess step, step four, we have four base tasks: assessment preparation, the security control assessment itself, the security assessment report, and any remedial actions.
So this is another core difference between DIACAP and RMF. There's an extra step here: in the assessment of the security controls you are required to test, examine and interview. This is an expansion on the DIACAP methodology, where there was only examine and interview. So why go through this process? It's all about finding the gap by doing the three-step process: test, interview, examine. The hope is to find the gap: where should it be, where do you think it is, and where is it?
When constructing the security assessment plan itself, there are six base operations: one, develop the security assessment policy; two, prioritize and schedule the assessment; three, select and customize testing techniques; four, determine the logistics of the assessment; five, develop the assessment plan; and six, address any legal considerations. You can find a more expansive explanation in NIST Special Publication 800-115.
So the guide for assessors would be NIST SP 800-53A. For assessment, it gives control assessors specific guidance on how to perform each risk assessment. The assessment itself must be consistent, comparable, repeatable and cost effective. To better understand the full risk to the information system, the hope is that by making it, for instance, comparable and repeatable, a more complete, more reliable and trustworthy outcome of the risk assessment is produced. Walking through base assessment preparation: this is a task owned by the security control assessor themselves.
So what makes a security control assessor? First, what you're looking for is experience. Does this assessor have the required skills and technical expertise for that particular information system, and the wealth of knowledge that is required to be able to assess the particular hardware, software and firmware that the information system contains? You want to find independence: no vested interest in the outcome, the success or failure, of any one assessment. Now, the assessor can be an individual, or most often it's going to be a group of individuals. They are free from perceived or actual conflicts of interest; they should not be directly involved in any aspect of that information system.
Assessing the security controls themselves, again, is a task owned by the security control assessor, or the SCA. Each assessment has clear objectives. For instance, the security control assessment objective should be: were the controls implemented correctly, identifying that each control is operating as intended, and are they producing the desired result with reference to the security objective itself? Again, this is where tailoring can be of utmost importance. Yes, you have the right control in place, but do you have the proper control in place? Did you put a door in place to separate security zones, but did you select the correct door for the separation of those zones? So the assessment methodology will include the appropriate evaluation methods from this list: document review, interview, observation and test. For it to be a valid assessment, these are the required components for that assessment.
Again: document, interview, observe and test. NIST lays out these steps in core functionality. Examine is the observation and review portion. The interview, well, it's somewhat self-explanatory, I think. The test: observe the process owner perform the specific control and make sure that you are getting the desired or expected outcome. The attributes that you could be looking for can range in depth from a basic assessment all the way to a full and comprehensive assessment; the coverage, basic or comprehensive, is determined by the assurance requirements, or segmenting if you will, defined by the organization. For instance, not all controls are going to be applicable to every organization in every situation.
The assessor is working through some very specific tasks: to ensure that the proper policies are in place, to ensure that all previous RMF steps were completed and completed correctly, to ensure that all common controls are in place and implemented, and to collect and evaluate system artifacts. The assessment testing itself can include, for instance, vulnerability scanning or log review, physical or logical penetration testing, and configuration review checklists. It's really up to the assessor what they deem necessary, based on conversation with the system owner, to properly assess that information system in a given environment or against specific requirements.
That brings us to a section that is wholly unique to the Department of Defense: the CCIs. CCIs are Control Correlation Identifiers. They are singular, actionable statements pulled out of the DISA STIGs. The CCI is designed to bridge the gap between the high-level policy and the low-level implementation. All CCIs are to be developed to provide traceability. This allows organizations to readily demonstrate compliance with multiple information assurance compliance frameworks. So the first criterion is that a CCI must be discrete: it must represent a single requirement.
For example, if the STIG control indicates the password policy has to include multiple requirements addressing password minimum and maximum length, reuse, and lifetime, there should be, or will be, five individual CCIs that originate from that single control: one CCI for the minimum password length, one CCI for the maximum password length, one for password reuse, one for password minimum lifetime, and one to establish the administrative procedure for lost or compromised passwords. The next criterion is that each CCI must be actionable and measurable. The CCI is there to represent an action that can be taken on the system, or against information that can be acquired by reviewing, testing or querying the organizational policy. Also, it's there to describe what must be able to be determined by a measurable event. For instance, using the same example with the password: the minimum password length is a value that can be measured against the organizational policy or the system configuration itself.
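To make the "discrete, actionable and measurable" idea concrete, here is an added example (not course material, and not DISA's or NIST's code) that breaks the password control above into the five CCIs the lecture describes and assesses a constructed login.defs-style configuration against a constructed organizational policy. The CCI numbers are placeholders, not real DISA identifiers; the four technical CCIs are checked with the test method, while the lost-or-compromised-password procedure is flagged for examine (document review) because no configuration value can measure it.

```python
"""Decompose one STIG-style password control into discrete CCIs and assess
a system configuration artifact against organizational policy.

Added example for illustration only. CCI ids, policy values and the
configuration text are constructed; the finding terms 'satisfied' and
'other than satisfied' follow NIST SP 800-53A usage.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed organizational policy values (what the written policy requires).
ORG_POLICY = {
    "min_length": 15,
    "max_length": 128,
    "reuse_history": 5,
    "min_lifetime_days": 1,
}

# Constructed system artifact: KEY VALUE lines in the style of /etc/login.defs,
# as an assessor would collect it from the system under review.
SYSTEM_CONFIG_TEXT = """\
# constructed sample, not from a real host
PASS_MIN_LEN 14
PASS_MAX_LEN 128
PASS_REMEMBER 5
PASS_MIN_DAYS 0
"""


def parse_config(text: str) -> Dict[str, int]:
    """Parse 'KEY value' lines into a dict; blank lines and comments are skipped."""
    settings: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        settings[key] = int(value)
    return settings


@dataclass
class CCI:
    cci_id: str            # placeholder id, not a real DISA CCI number
    requirement: str       # exactly one discrete requirement
    method: str            # examine | interview | test (SP 800-53A methods)
    check: Optional[Callable[[Dict[str, int]], bool]]  # None = not machine-measurable


def password_ccis() -> List[CCI]:
    """The five discrete CCIs derived from the single STIG password control."""
    return [
        CCI("CCI-PLACEHOLDER-1", "Minimum password length meets policy", "test",
            lambda cfg: cfg["PASS_MIN_LEN"] >= ORG_POLICY["min_length"]),
        CCI("CCI-PLACEHOLDER-2", "Maximum password length meets policy", "test",
            lambda cfg: cfg["PASS_MAX_LEN"] >= ORG_POLICY["max_length"]),
        CCI("CCI-PLACEHOLDER-3", "Password reuse history meets policy", "test",
            lambda cfg: cfg["PASS_REMEMBER"] >= ORG_POLICY["reuse_history"]),
        CCI("CCI-PLACEHOLDER-4", "Minimum password lifetime meets policy", "test",
            lambda cfg: cfg["PASS_MIN_DAYS"] >= ORG_POLICY["min_lifetime_days"]),
        # The administrative procedure is verified by document review and
        # interview; there is no configuration value to query for it.
        CCI("CCI-PLACEHOLDER-5",
            "Administrative procedure for lost or compromised passwords is established",
            "examine", None),
    ]


def assess(config_text: str) -> Dict[str, str]:
    """Return one result per CCI: 'satisfied', 'other than satisfied' or 'manual'."""
    cfg = parse_config(config_text)
    results: Dict[str, str] = {}
    for cci in password_ccis():
        if cci.check is None:
            results[cci.cci_id] = "manual"   # needs examine/interview evidence
        else:
            results[cci.cci_id] = "satisfied" if cci.check(cfg) else "other than satisfied"
    return results


def findings(config_text: str) -> List[str]:
    """Findings to carry into the security assessment report."""
    by_id = {c.cci_id: c for c in password_ccis()}
    return [f"{cid}: {by_id[cid].requirement}"
            for cid, result in assess(config_text).items()
            if result == "other than satisfied"]


if __name__ == "__main__":
    for cid, result in assess(SYSTEM_CONFIG_TEXT).items():
        print(cid, result)
    print("Findings:", findings(SYSTEM_CONFIG_TEXT))
```

With the constructed artifact, the minimum length (14 versus a policy of 15) and the minimum lifetime (0 days versus 1) come back other than satisfied and become findings; the fifth CCI is reported as manual so the assessor knows it still needs document review, which is exactly the split between a measurable event and a policy requirement the lecture is drawing.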
Here is an overall mapping of how the STIGs overlay and correlate with the 800-53 base controls. You see that you have the CCI sitting right in between, so you have the high-level 800-53, the mid level where all your policies and standards are in CNSSI 1253, and then the Control Correlation Identifiers themselves correlating to an individual system or technology STIG. Some of the tools and methods available to assessors, again, are log reviews and file integrity checkers, penetration testing both logical and physical, overall vulnerability scanning, perhaps social engineering or wireless scanning, as well as network scanning and discovery, and prior assessment reports. It is, however, important to note here that we want each assessment to be independent. That also means independent of bias.
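Of the tools just listed, a file integrity checker is the simplest to show end to end. The following is an added example, not a real FIM product and not part of the course: it baselines a directory tree by SHA-256, takes a second snapshot after the files change, and reports what was modified, added and removed, which is the kind of artifact an assessor compares against the approved configuration. The directory and files it hashes are constructed in a temporary location so it runs anywhere.

```python
"""Minimal file integrity checker: baseline a tree of files by SHA-256 digest,
re-snapshot later, and report modified, added and removed files.

Added example for illustration; the file tree is constructed in a temp dir.
"""
import hashlib
import os
import tempfile
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map each file path (relative to root, '/'-separated) to its digest."""
    result: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify the delta between two snapshots."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree, baseline it, introduce drift, and return the delta."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "login.defs"), "w") as fh:
            fh.write("PASS_MIN_LEN 15\n")          # constructed baseline content
        with open(os.path.join(etc, "hosts"), "w") as fh:
            fh.write("127.0.0.1 localhost\n")
        baseline = snapshot(root)

        # Simulated drift after the baseline was taken.
        with open(os.path.join(etc, "login.defs"), "w") as fh:
            fh.write("PASS_MIN_LEN 8\n")           # weakened setting
        os.remove(os.path.join(etc, "hosts"))       # file removed
        with open(os.path.join(etc, "new.conf"), "w") as fh:
            fh.write("unexpected=1\n")              # file added

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored off the assessed system and signed, so that a change to the stored digests is itself detectable; the comparison logic is the same.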
So access to prior assessment reports should really be an assessor's last option, when all others have failed to validate a specific control. Finally, we get to the security assessment report. This is where the issues and findings are documented, along with recommendations for correcting weaknesses and any inefficiencies found.
This is also where we identify any remedial actions, such as a review and prioritization of the findings themselves, the remedial actions, reassessment of risk, and so forth. Throughout these steps, you will have the system owner, the common control provider and the assessor themselves. In our next section, we will tackle step five.