Security Assessments FITSP-A - PowerPoint Presentation

Uploaded by myesha-ticknor (@myesha-ticknor) on 2018-09-22
397 views




Presentation Transcript

Slide 1

Security Assessments
FITSP-A, Module 5

Slide 2
Slide 3

"Security control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits; rather, security control assessments are the principal vehicle used to verify that the implementers and operators of information systems are meeting their stated security goals and objectives."

Joint Task Force Transformation Initiative, from SP 800-53A

Leadership

Slide 4

FITSP-A Exam Module Objectives

Risk Assessment
  Ensure periodic assessment of risk to the organization
Security Assessments and Authorization
  Direct processes that facilitate the periodic assessment of the security controls in organizational information systems to determine if the controls are effective in their application

Slide 5

Security Assessment Module Overview

Section A: Assessment Foundation
  RMF Tasks for Step 4
  Assessments Within the SDLC
  Security Content Automation Protocol
  Strategy for Conducting Security Control Assessments
  Building an Effective Assurance Case
  Assessment Procedures
Section B: Planning for Assessments
  Preparing for Security Control Assessments
  Developing Security Assessment Plans
Section C: Conducting and Reporting
  Conducting Security Control Assessments
  Analyzing Security Assessment Report Results

Slide 6

Assessment Foundation
Section A

Slide 7

RMF Step 4 – Assess Security Controls
  Assessment Preparation
  Security Control Assessment
  Security Assessment Report
  Remediation Actions

Slide 8
Slide 9

Assessments Within the SDLC
  Initiation
  Development/Acquisition
    Design and Code Reviews
    Application Scanning
    Regression Testing
  Implementation
  Operations and Maintenance
    Security Assessments Conducted by information system owners, common control providers, information system security officers, independent assessors, auditors, and Inspectors General
  Disposition (Disposal)

Slide 10
Slide 11

Security Content Automation Protocol
  SCAP Complements Security Assessments
  Automates Monitoring & Reporting of
    Vulnerabilities
    Configurations
  Open Checklist Interactive Language (OCIL)
  Partially Automated Monitoring
  Express Determination Statements in a Format Compatible with SCAP

Slide 12

Strategy for Conducting Security Control Assessments
  Maximize Use of Common Controls
  Share Assessment Results
  Develop Organization-wide Procedures
  Provide Organization-wide Tools, Templates, and Techniques

Slide 13
Slide 14

Building an Effective Assurance Case
  Compiling and Presenting Evidence
  Basis for Determining Effectiveness of Controls
  Product Assessments
  Systems Assessment
  Risk Determination

Slide 15
Slide 16

Trustworthiness

Slide 17

Assessment Procedures
  Assessment Objectives
  Determination Statements
  Assessment Methods
  Assessment Objects
  Assessment Findings

Slide 18

Objective Determination Statement

Slide 19

Control Statement

Slide 20

Subsequent Objectives

Slide 21

Assessment Methods
  Examine
  Interview
  Test
  Attributes
    Depth (Basic, Focused, Comprehensive)
    Coverage (Basic, Focused, Comprehensive)
    Determined by Assurance Requirements
    Defined by Organization

Slide 22

Assessment Objects
  Specifications (Artifacts)
  Mechanisms (Components of an Information System)
  Activities (Actions)
  Individuals

Slide 23

Benefit of Repeatable & Documented Methods
  Provide Consistency and Structure
  Minimize Testing Risks
  Expedite Transition of New Staff
  Address Resource Constraints
  Reuse Resources
  Decrease Time Required
  Cost Reduction

Slide 24
Slide 25

Knowledge Check

What task must the assessor complete before conducting a security assessment? After?

What type of software testing seeks to uncover new software bugs in existing functional and non-functional areas of a system after changes have been made to them?

What is a term used to describe a body of evidence, organized into an argument, demonstrating that some claim about an information system is assured?

An assessment procedure consists of a set of assessment ___________, each with an associated set of potential assessment ___________ and assessment ___________. An assessment objective includes a set of ___________ statements related to the security control under assessment.

Slide 26

Planning for Assessments
Section B

Slide 27

Preparing for the Process of Security Control Assessments
  Understanding Organization's Operations
  Understanding Information System Structure
  Understanding of Security Controls Being Assessed
  Identifying Organizational Entities Responsible for Development and Implementation of Common Controls
  Identifying Points of Contact
  Obtaining Artifacts
  Obtaining Previous Assessment Results
  Establishing Rules of Engagement
  Developing a Security Assessment Plan

Slide 28
Slide 29

Gathering Background Information
  Security Policies
  Implementing Procedures
  Responsible Entities
  Materials Associated with Implementation and Operation of Security Controls
  Objects to Be Assessed

Slide 30

Selecting Security Control Assessors
  Technical Expertise
    Specific Hardware
    Software
    Firmware
  Level of Independence
    Impartiality
    Determined by Authorizing Official
    Based on Categorization
  Independent Security Control Assessment Services
    Contracted to Outside Entity; or
    Obtained within Organization

Slide 31

Developing Security Assessment Plans
  Determine Which Security Controls/Control Enhancements
  Select Appropriate Assessment Procedures
  Tailor Assessment Procedures
  Address Controls That Are Not Sufficiently Covered
  Optimize Assessment Procedures
  Obtain Approvals to Execute the Plan

Slide 32

Conducting & Reporting
Section C

Slide 33

Conducting Security Control Assessments
  Execution of Security Assessment Plan
  Output: Security Assessment Report
  May Develop Assessment Summary
  Assessment Findings
    Satisfied (S) = Fully Acceptable Result
    Other than Satisfied (O) = Potential Anomalies

Slide 34
Slide 35

Analyzing Security Assessment Report Results
  Review Weaknesses and Deficiencies in Security Controls
  Prioritize Correcting the Deficiencies Based on
    Critical Information Systems
    High-Risk Deficiencies
  Key Document Updates
    System Security Plan with Updated Risk Assessment
    Security Assessment Report
    Plan of Action and Milestones
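The findings rule from slide 33 (a control is Satisfied only when every determination statement is satisfied; any unsatisfied statement makes the control Other than Satisfied) and the prioritization from slide 35 (critical information systems and high-risk deficiencies first) as working code. This is an added example, not code from the slides, from FITSP or from NIST: the control ids, system names, statement texts, results and risk ratings are constructed sample data, and the sort order is one reasonable reading of the slide's two criteria, with unrated controls treated as low risk.

```python
# Added example (not code from the FITSP-A slides or NIST): roll determination-
# statement results up into per-control findings (S / O) and order the O findings
# for POA&M work. All ids, names, statement texts, results and risk ratings below
# are constructed sample data.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

ASSESSMENT_METHODS = ("examine", "interview", "test")
OBJECT_KINDS = ("specification", "mechanism", "activity", "individual")
RISK_ORDER = {"high": 0, "moderate": 1, "low": 2}


@dataclass(frozen=True)
class Determination:
    """One determination statement, the method(s) applied and the object(s) assessed."""
    statement_id: str
    text: str
    methods: Tuple[str, ...]
    objects: Tuple[Tuple[str, str], ...]  # (object kind, object name)
    result: str  # "S" = satisfied, "O" = other than satisfied

    def __post_init__(self) -> None:
        if self.result not in ("S", "O"):
            raise ValueError(f"{self.statement_id}: result must be 'S' or 'O'")
        if not self.methods or set(self.methods) - set(ASSESSMENT_METHODS):
            raise ValueError(f"{self.statement_id}: methods must be from {ASSESSMENT_METHODS}")
        for kind, _name in self.objects:
            if kind not in OBJECT_KINDS:
                raise ValueError(f"{self.statement_id}: unknown object kind {kind!r}")


@dataclass(frozen=True)
class ControlAssessment:
    """All determination statements assessed for one control on one system."""
    system: str
    control_id: str
    determinations: Tuple[Determination, ...]


def control_finding(assessment: ControlAssessment) -> str:
    """Satisfied only when every statement is satisfied; a single 'O' makes the
    whole control finding Other than Satisfied."""
    return "S" if all(d.result == "S" for d in assessment.determinations) else "O"


def unmet_statements(assessment: ControlAssessment) -> List[str]:
    """Statements behind an O finding: the potential anomalies written up in the SAR."""
    return [d.statement_id for d in assessment.determinations if d.result == "O"]


def summarize(assessments: Iterable[ControlAssessment]) -> Dict[str, int]:
    """Assessment-summary counts of S and O control findings."""
    counts = {"S": 0, "O": 0}
    for a in assessments:
        counts[control_finding(a)] += 1
    return counts


def prioritize_deficiencies(assessments: Iterable[ControlAssessment],
                            critical_systems: Set[str],
                            risk_by_control: Dict[str, str]) -> List[ControlAssessment]:
    """Order O findings for remediation: critical systems first, then higher-risk
    deficiencies first; controls without a risk rating are treated as low risk."""
    deficient = [a for a in assessments if control_finding(a) == "O"]
    return sorted(deficient, key=lambda a: (
        0 if a.system in critical_systems else 1,
        RISK_ORDER[risk_by_control.get(a.control_id, "low")],
        a.system, a.control_id))


# Constructed sample results from two systems; "Payroll" is the critical one.
SAMPLE = [
    ControlAssessment("Payroll", "AC-2", (
        Determination("AC-2[1]", "account types allowed on the system are identified",
                      ("examine",), (("specification", "system security plan"),), "S"),
        Determination("AC-2[2]", "accounts are reviewed at the defined frequency",
                      ("examine", "interview"),
                      (("activity", "account review"), ("individual", "ISSO")), "O"),
    )),
    ControlAssessment("Payroll", "AU-2", (
        Determination("AU-2[1]", "auditable events are defined",
                      ("examine",), (("specification", "audit policy"),), "S"),
    )),
    ControlAssessment("Intranet", "CM-6", (
        Determination("CM-6[1]", "configuration settings match the approved baseline",
                      ("test",), (("mechanism", "web server"),), "O"),
    )),
]
CRITICAL_SYSTEMS = {"Payroll"}
RISK_BY_CONTROL = {"AC-2": "moderate", "CM-6": "high"}

if __name__ == "__main__":
    for a in SAMPLE:
        print(a.system, a.control_id, control_finding(a), unmet_statements(a))
    print("Findings:", summarize(SAMPLE))
    print("POA&M order:", [(a.system, a.control_id) for a in
                           prioritize_deficiencies(SAMPLE, CRITICAL_SYSTEMS, RISK_BY_CONTROL)])
```

The `Determination` validator rejects results other than S or O and methods outside examine/interview/test, so a results spreadsheet with a stray "partial" or "N/A" fails loudly instead of being silently counted as satisfied; the roll-up is deliberately strict, because a control with one unmet statement is an Other-than-Satisfied finding even when the rest of its statements pass.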
Slide 36
Slide 37

Security Assessments
Key Concepts & Vocabulary
  Assessments Within the SDLC
  Strategy for Conducting Security Control Assessments
  Building an Effective Assurance Case
  Assessment Procedures
  Preparing for Security Control Assessments
  Developing Security Assessment Plans
  Conducting Security Control Assessments
  Analyzing Security Assessment Report Results

Slide 38
Slide 39

Lab Activity 4 – Building an Assessment Case
  Step 1 – Categorize Information System
  Step 2 – Select Controls
  Step 3 – Implement Controls
  Step 4 – Assess Controls
  Step 5 – Authorize Information System
  Step 6 – Monitor Controls

Slide 40
Slide 41
Slide 42

Questions?

Next Module: Authorization