Independent Security Assessments (SS-08-042)
Issue Date: 3/31/2005
Revision Effective Date: 3/31/2008
Revision Date: 10/01/2019
Security assessments are an important activity in the risk management process and in an agency's information security program. Comprehensive security assessments reveal the extent to which controls are implemented correctly, operating as intended and meeting the required security levels. Assessments are intended to provide management with complete and accurate information regarding the security status of the information systems for which they are responsible, enabling them to make sound risk-based decisions regarding the operation of those systems.
This standard establishes the requirements for conducting valid assessments of state information systems.
Information systems categorized as HIGH shall be assessed annually by an independent, impartial and qualified third party.
Agency security programs shall be re-evaluated every three (3) years by an independent, impartial and qualified third party.
Assessments shall validate and evaluate the effectiveness of the management, operational and technical controls detailed in system security plans, and compliance with federal, state and agency regulations, policies and standards.
At an agency's request, GTA OIS shall offer a cost-recovery-based contract service of pre-qualified security assessment vendors and provide agency support through the Security Assessment and Specialized Services Contract (SASSC) program. Alternatively, agencies may choose to solicit these services independently of the SASSC program.
The security controls established by NIST SP 800-53/53A, supplemented by enterprise security policies and standards, shall guide assessment methodologies. All security program evaluations shall use the Center for Internet Security (CIS) 20 Critical Controls as a guide.
Assessment results and recommendations shall provide Information Owners with the information needed to understand the risks and implications for operating an information system and to assist them in making decisions to mitigate these risks.
The Open Records Act of Georgia provides an exception for the disclosure of security plans and assessment information (see O.C.G.A. § 50-18-72(15)(A)). However, agencies shall provide a copy of the assessment report and the resulting planned mitigation steps to the State CISO. In addition, access shall be provided to support legal, state or federal actions when required; otherwise, access is at the discretion of the agency.
ENTERPRISE RELATED POLICIES, STANDARDS, GUIDELINES
NIST SP 800-12 Rev. 1 (Chapter 10): Introduction to Computer Security: The NIST Handbook
FIPS 200: Minimum Security Requirements for Information Systems
NIST SP 800-53: Security Controls for Information Systems
NIST SP 800-53A Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final
NIST SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
CIS 20 Critical Controls, https://www.cisecurity.org/controls/cis-controls-list/