Security Review Control and Assessment

Security Controls Review and Assessments


PS-08-029.02 Security Controls Review and Assessments


Issue Date: 3/20/2008

Effective Date: 3/20/2008

Revised Date: 7/1/2018


PURPOSE

Security controls reviews and assessments are important activities in the risk management process and in an agency's information security program. A comprehensive security assessment reveals the extent to which controls are implemented correctly, operating as intended and meeting the required security levels, and it identifies areas that require supplemental controls. Assessments are intended to give management complete and accurate information about the security status of the information systems for which they are responsible, so that they can make sound risk-based decisions about the operation of those systems.


POLICY

Agencies shall periodically review and continuously monitor the management, operational and technical security controls for all information systems in order to assess their effectiveness: the extent to which the controls are operating as intended and comply with federal, state, enterprise and agency security policies, standards and requirements.


RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Independent Security Assessments (SS-08-042)

Information Security - Risk Management (PS-08-031)

Risk Management Framework (SS-08-041)


REFERENCES

NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (chapters 7 and 9)

NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems