PS-08-029.02 Security Controls Review and Assessments

Issue Date: 3/20/2008

Effective Date: 3/20/2008

Reviewed Date: 12/01/2023

PURPOSE

Security controls reviews and assessments are important activities in the risk management process and an agency’s information security program. Comprehensive security assessments reveal the extent to which controls are implemented correctly, operating as intended and meeting the required security levels, and identify areas requiring supplemental controls. Assessments are intended to provide management with complete and accurate information regarding the security status of the information systems for which they are responsible, enabling them to make sound risk-based decisions regarding the operations of the information system.

SCOPE and AUTHORITY

O.C.G.A 50-25-4(a)(10) – State Government, Georgia Technology, General Powers

O.C.G.A 50-25-4(a)(21) – State Government, Georgia Technology, General Powers

PM-04-001 – Information Technology Policies, Standards and Guidelines

PS-08-005 – Enterprise Information Security Charter

POLICY

Agencies shall periodically review and continuously monitor the management, operational and technical security controls for all information systems to assess their effectiveness, determine the extent to which they are operating as intended, and confirm that they comply with federal, state, enterprise and agency security policies, standards and requirements.

RELATED ENTERPRISE POLICIES, STANDARDS, GUIDELINES

Independent Security Assessments (SS-08-042)

Information Security - Risk Management (PS-08-031)

Risk Management Framework (SS-08-041)

REFERENCES

NIST SP 800-12 An Introduction to Information Security (nist.gov)

NIST SP 800-53A Guide for Assessing Security Controls