Description:  

Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine whether the safeguards or countermeasures are in place and operating as intended.

Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance with vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans.

Security assessment reports document assessment results in sufficient detail, as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can also use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security posture of systems during the system life cycle.

[SP 800-53] provides guidance on security and privacy controls for systems and organizations. [SP 800-53A] provides guidance on developing security assessment plans and conducting assessments.


Priority: Medium


Category: Internal Audit 


Services Associated with AWS:   

  • AWS Config, AWS CloudTrail, AWS Security Hub
  • Amazon Inspector, Amazon CloudWatch


Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how a Risk Management Program (RMP) is implemented
  • Administrative: supporting documentation to demonstrate control assessments are performed
  • Administrative: supporting documentation of a prioritized risk register 
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing control assessment roles 


Possible Technology Considerations:

NA


What needs to be answered:


  • Has a periodic security assessment been conducted to ensure that security controls are implemented correctly and meet the security requirements?
  • Does the assessment scope include all information systems and networks, including all security requirements and procedures necessary to meet the compliance requirements of the environment?
  • Does the assessment include, at a minimum, vulnerability scanning, penetration testing, security control testing and reviews, configuration testing and reviews, log reviews, and interviews with company employees?
  • Is the assessment conducted by company employees, by an independent security auditor/consultant, or both?
  • Is a final written assessment report with findings provided to company management after the assessment?

  • Periodic Assessment of Security Controls
    Description: This check ensures that security controls in organizational systems are assessed periodically to verify their effectiveness. The process includes checking if safeguards or countermeasures are in place, operating as intended, and achieving the desired outcome with respect to meeting security requirements.
  • Timeliness and Relevance of Security Assessment Results
    Description: This check validates that security assessment results are current, relevant for determining the effectiveness of security controls, and obtained with an appropriate level of assessor independence. The goal is to ensure that information security is built into the system, weaknesses are identified early, and risk-based decisions are informed by accurate data.
  • Utilization of Security Assessment Reports
    Description: This check verifies that detailed security assessment reports are being generated and utilized. These reports should document the assessment results in sufficient detail for organizations to ascertain the accuracy, completeness, and effectiveness of their security controls.
  • Conducting Vulnerability Scanning and System Monitoring
    Description: This check confirms that other types of assessment activities, such as vulnerability scanning and system monitoring, are conducted to maintain the security posture of systems throughout their life cycle.
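The "Timeliness and Relevance" and "Utilization of Security Assessment Reports" checks above can be turned into a mechanical evidence check when the assessment results come from AWS Security Hub. The following script is an added example, not code from the original page or from AWS: it takes a constructed sample of findings shaped like Security Hub's ASFF records (Compliance.Status, UpdatedAt, GeneratorId, RecordState), compares them against a hypothetical list of controls that the system security plan claims are implemented, and classifies each control as PASSED, FAILED, STALE (evidence older than the assessment period) or NO_EVIDENCE (documented in the SSP but never assessed). The control identifiers, dates and the 30-day window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample findings shaped like Security Hub ASFF records.
# Not real findings; in practice these would come from
# boto3's securityhub.get_findings() (paginated).
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Title": "CloudTrail should be enabled in all regions",
     "GeneratorId": "security-control/CloudTrail.1",
     "UpdatedAt": "2024-05-01T10:00:00Z",
     "Compliance": {"Status": "PASSED"}, "RecordState": "ACTIVE"},
    {"Id": "f-2", "Title": "S3 buckets should block public access",
     "GeneratorId": "security-control/S3.1",
     "UpdatedAt": "2024-05-02T09:30:00Z",
     "Compliance": {"Status": "FAILED"}, "RecordState": "ACTIVE"},
    {"Id": "f-3", "Title": "IAM root user access key should not exist",
     "GeneratorId": "security-control/IAM.4",
     "UpdatedAt": "2024-01-15T08:00:00Z",
     "Compliance": {"Status": "PASSED"}, "RecordState": "ACTIVE"},
    {"Id": "f-4", "Title": "Archived finding, must be ignored",
     "GeneratorId": "security-control/EC2.2",
     "UpdatedAt": "2023-06-01T00:00:00Z",
     "Compliance": {"Status": "FAILED"}, "RecordState": "ARCHIVED"},
]

# Hypothetical set of controls the system security plan says are implemented.
SSP_CONTROLS = {
    "security-control/CloudTrail.1",
    "security-control/S3.1",
    "security-control/IAM.4",
    "security-control/RDS.3",   # documented but never assessed
}

# Assumed "today" for the example so it is reproducible offline.
AS_OF = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ASFF UTC timestamp format used in UpdatedAt."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_control_evidence(findings, ssp_controls, as_of, max_age_days=30):
    """Map each SSP control to PASSED / FAILED / STALE / NO_EVIDENCE.

    Only ACTIVE findings count as evidence; for each control the newest
    finding wins. Evidence older than max_age_days is marked STALE even if
    it passed, because the check requires results to be current.
    """
    latest = {}
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue
        control = f["GeneratorId"]
        ts = parse_ts(f["UpdatedAt"])
        if control not in latest or ts > latest[control][0]:
            latest[control] = (ts, f["Compliance"]["Status"])

    cutoff = as_of - timedelta(days=max_age_days)
    report = {}
    for control in sorted(ssp_controls):
        if control not in latest:
            report[control] = "NO_EVIDENCE"
        elif latest[control][0] < cutoff:
            report[control] = "STALE"
        else:
            report[control] = latest[control][1]
    return report


def summarize(report):
    """Roll the per-control report up into what management needs to see."""
    assessed = [s for s in report.values() if s in ("PASSED", "FAILED")]
    return {
        "needs_attention": sorted(c for c, s in report.items() if s != "PASSED"),
        "assessed_fraction": len(assessed) / len(report) if report else 0.0,
    }


if __name__ == "__main__":
    rep = assess_control_evidence(SAMPLE_FINDINGS, SSP_CONTROLS, AS_OF)
    for control, status in rep.items():
        print(f"{control:35s} {status}")
    print(summarize(rep))
```

The point of the STALE state is that a green Security Hub dashboard is not by itself current evidence: a control whose last evaluation predates the assessment period has to be re-assessed before its result can support a risk decision, and a control present in the SSP with no finding at all is a scoping gap rather than a pass.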


More Details:   

Regular assessments of existing security controls are performed, and policies and training are updated based on assessment results.