Security Controls Review and Assessment (PS-08-029.02)
Topics: assessment, security review
Issue Date: 3/20/2008
Effective Date: 3/20/2008
Revised Date: 12/1/2020
Security controls reviews and assessments are important activities in the risk management process and in an agency’s information security program. Comprehensive security assessments reveal the extent to which controls are implemented correctly, operating as intended and meeting the required security levels, and they identify areas requiring supplemental controls. Assessments are intended to provide management with complete and accurate information regarding the security status of the information systems for which they are responsible, enabling them to make sound risk-based decisions regarding the operation of those systems.
Agencies shall periodically review and continuously monitor the management, operational and technical security controls for all information systems to assess their effectiveness and to determine the extent to which they are operating as intended and comply with federal, state, enterprise and agency security policies, standards and requirements.
RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES
NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook (Assessment, Authorization, and Monitoring)
NIST SP 800-53A Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (https://csrc.nist.gov/publications/detail/sp/800-53a/rev-4/final)