03.12.01: Security Assessment

Discussion:

By assessing the security requirements, organizations determine whether the necessary safeguards and countermeasures are implemented correctly, operating as intended, and producing the desired outcome. Security assessments identify weaknesses in the system and provide the essential information needed to make risk-based decisions. Security assessment reports document assessment results in sufficient detail as deemed necessary by the organization to determine the accuracy and completeness of the reports. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.

Assessment Methods and Objectives

Examine [SELECT FROM: security assessment and monitoring policy and procedures; procedures for security assessment planning; security assessment plan; security assessment report; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with security assessment responsibilities; personnel with information security responsibilities]

Test [SELECT FROM: mechanisms for supporting security assessments, processes for security assessment plan development, or security assessment reporting]