CA-02-727 Security Assessments

Security Assessments

Security Assessments
Security Assessment and Authorization
Security Assessment and Authorization / Technology Risk Assessments
August 24, 2016

The Center for Internet Security (CIS) Benchmarks Level I standards shall be the baseline set of security controls for all Agency-owned information resources. The chief information security officer shall prescribe security control enhancements when necessary to adequately protect information resources with increased risk. The chief information security officer shall conduct routine security assessments of all Agency-owned mission-critical information resources at least annually to ensure compliance with the appropriate security controls prescribed for the resource, and report to the information resource owner any areas of deficiency that require remediation.

Independent reviews of information security are not regularly performed to ensure the continuing suitability, adequacy, and effectiveness of the organization's information security program.
The organization: a. Develops a security assessment plan that describes the scope of the assessment including: 1. Security controls and control enhancements under assessment; 2. Assessment procedures to be used to determine security control effectiveness; and 3. Assessment environment, assessment team, and assessment roles and responsibilities; b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements; c. Produces a security assessment report that documents the results of the assessment; and d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
The organization has a defined information security program that includes: a. Developing a plan and executing periodic assessments of security control effectiveness; b. Identifying objective and qualified assessors; and c. Reporting results of such assessment(s) to the appropriate stakeholders.
A review of the state organization’s information security program for compliance with these standards will be performed at least annually, based on business risk management decisions, by individual(s) independent of the information security program and designated by the state organization head or his or her designated representative(s).
Obtain security assessment policy; procedures addressing security assessments; security plan; security assessment plan; security assessment report; assessment evidence; security authorization package (including security plan, security assessment report, plan of action and milestones, authorization statement); other relevant documents or records and ascertain if : (I)the organization defines in the security plan, explicitly or by reference, the frequency of security control assessments and the frequency is at least annually (ii)the organization conducts an assessment of the security controls in the information system at an organization-defined frequency. (iii)the organization employs an independent assessor or assessment team to conduct an assessment of the security controls in the information system.