To ensure that your security and privacy controls are working effectively, it’s important to perform assessments. Such assessments are more than checking off points on a list—especially for federal organizations where information systems often contain extremely confidential national data.
The National Institute of Standards and Technology (NIST) created a formal set of assessment procedures that such organizations can use to gauge the effectiveness of their systems' data privacy and security controls. The publication, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations," can be found in our IT Downloads area.
According to NIST, the PDF presents "guidelines for building effective security assessment plans and privacy assessment plans," along with procedures that help federal IT staff verify that the controls they have in place are sufficient to guard government information systems. Although created to ensure tight control of government information systems, other enterprises can use the provided guidelines to:
- Enable reproducible, logical appraisals of in-use security and data privacy controls.
- Provide education about risks to all areas of the organization, from operations to individuals and third-party groups.
- Ensure such assessments are cost-effective and within budgetary constraints.
- Present IT managers with complete, correct information about risks within the information systems to allow decisions to be made to strengthen or correct any issues that are discovered.
The document explains that to prepare for such an assessment, the entire organization must work together:
Conducting security control assessments and privacy control assessments in today’s complex environment of sophisticated information technology infrastructures and high-visibility, mission-critical applications can be difficult, challenging, and resource-intensive. Security and privacy control assessments may be conducted by different organizational entities with distinct oversight responsibilities. However, success requires the cooperation and collaboration among all parties having a vested interest in the organization’s information security or privacy posture, including information system owners, common control providers, authorizing officials, chief information officers, senior information security officers, senior agency officials for privacy/chief privacy officers, chief executive officers/heads of agencies, security and privacy staffs, Inspectors General, and OMB. Establishing an appropriate set of expectations before, during, and after an assessment is paramount to achieving an acceptable outcome—that is, producing information necessary to help the authorizing official make a credible, risk-based decision on whether to place the information system into operation or continue its operation.
The document includes chapters on the purpose and audience for the assessments; the basic strategies behind conducting such an appraisal; and the overall process of preparing for, performing, and analyzing the results of the assessments. Appendices include a glossary of terms, a list of acronyms, and tables to assist in setting up procedures and reports.
Though the initial documentation was created in accordance with the responsibilities of the Federal Information Security Management Act (FISMA), the procedures can also be applied to many enterprise-level information systems.