Independent Security Assessments

SS-08-042 Independent Security Assessments

Issue Date:  3/31/2005

Revision Effective Date:  3/31/2008

Revision Date: 10/01/2019

PURPOSE

Security assessments are an important activity in the risk management process and an agency’s information security program.   Comprehensive security assessments reveal the extent to which controls are implemented correctly, operating as intended and meeting the required security levels.   Assessments are intended to provide management with complete and accurate information regarding the security status of the information systems for which they are responsible; enabling them to make sound risk-based decisions regarding the operations of the information system.

This standard establishes the requirements for conducting valid assessments of state information systems.

STANDARD

Information systems categorized as HIGH shall be assessed annually by an independent, impartial and qualified third-party.

Agency security programs shall be re-evaluated every three (3) years by an independent, impartial and qualified third-party.

Assessments shall validate and evaluate the effectiveness of management, operations and technical controls detailed in system security plans and compliance with federal, state and agency regulation, policy and standards.

At an agency’s request, GTA OIS shall offer a cost recovery based contract service of pre-qualified security assessment vendors and provide agency support through the Security Assessment and Specialized Services Contract (SASSC) program or agencies may choose to solicit for these services independent of the SASSC program. 

Security controls established by NIST SP 800-53/53A supplemented by enterprise security policies and standards shall guide assessment methodologies. All security program evaluations shall use the Center for Internet Security (CIS) 20 Critical Controls as a guide.

Assessment results and recommendations shall provide Information Owners with the information needed to understand the risks and implications for operating an information system and to assist them in making decisions to mitigate these risks. 

The Open Records Act of Georgia has an exception for disclosure of security plans and assessment information (see O.C.G.A. § 50-18-72(15)(A).  However, agencies shall provide a copy of the assessment report and resulting planned mitigation steps to the State CISO. In addition, access shall be provided to support legal, state, or federal actions when required; otherwise, access is at the discretion of the agency.

ENTERPRISE RELATED POLICIES, STANDARDS, GUIDELINES

Security Controls Review and Assessment (PS-08-029)

Risk Management Framework (SS-08-041)

REFERENCES

NIST SP 800-12 (chapter 11) Introduction to Computer Security NIST Handbook

FIPS 200 Minimum Security Requirements for Information Systems

NIST SP 800-53 Security Controls for Information Systems

NIST SP 800-53A Guide for Assessing Security Controls

NIST 800-26 Security Self-Assessment Guide for IT Systems

NIST SP 800-37 Guidelines for Security Certification and Accreditation

CIS 20 Critical Controls