Level 2

Description:  

Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine whether the safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance with vulnerability mitigation procedures.

Assessments are conducted on the implemented security controls as documented in system security plans. Security assessment reports document assessment results in sufficient detail, as deemed necessary by the organization, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted.

Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities, such as vulnerability scanning and system monitoring, to maintain the security posture of systems during the system life cycle.

[SP 800-53] provides guidance on security and privacy controls for systems and organizations. [SP 800-53A] provides guidance on developing security assessment plans and conducting assessments.


Priority: Medium


Domain:  SECURITY ASSESSMENT (CA)


Category: Internal Audit 


Services Associated with AWS:   

  • AWS Config, AWS CloudTrail, AWS Security Hub
  • Amazon Inspector, Amazon CloudWatch

Services Associated with Azure:

  • Azure Security Center (now Microsoft Defender for Cloud)
  • Azure Policy
  • Azure Sentinel (now Microsoft Sentinel)

Objective Evidence:  

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how a Risk Management Program (RMP) is implemented
  • Administrative: supporting documentation to demonstrate control assessments are performed
  • Administrative: supporting documentation of a prioritized risk register 
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing control assessment roles 


Possible Technology Considerations:

NA


What needs to be answered:

  • Has a periodic security assessment been conducted to verify that security controls are implemented correctly and meet the security requirements?
  • Does the assessment scope include all information systems and networks, including all security requirements and procedures necessary to meet the compliance requirements of the environment?
  • Does the assessment include, but not limited to, vulnerability scanning, penetration testing, security control testing and reviews, configuration testing and reviews, log reviews, and interviews with personnel?
  • Is the assessment conducted by company employees, by an independent security auditor/consultant, or both? (Independence of the assessor must be appropriate to the type of assessment.)
  • Is a final written assessment report with findings provided to company management after the assessment?

Checks for AWS 

  • Periodic Assessment of Security Controls
    Description: This check ensures that security controls in organizational systems are assessed periodically to verify their effectiveness. The process includes checking if safeguards or countermeasures are in place, operating as intended, and achieving the desired outcome with respect to meeting security requirements.
  • Timeliness and Relevance of Security Assessment Results
    Description: This check validates that security assessment results are current, relevant for determining the effectiveness of security controls, and obtained with an appropriate level of assessor independence. The goal is to ensure that information security is built into the system, weaknesses are identified early, and risk-based decisions are informed by accurate data.
  • Utilization of Security Assessment Reports
    Description: This check verifies that detailed security assessment reports are being generated and utilized. These reports should document the assessment results in sufficient detail for organizations to ascertain the accuracy, completeness, and effectiveness of their security controls.
  • Conducting Vulnerability Scanning and System Monitoring
    Description: This check confirms that other types of assessment activities, such as vulnerability scanning and system monitoring, are conducted to maintain the security posture of systems throughout their lifecycle.

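The four AWS checks above come down to one question an assessor has to answer from tooling output: for each control, is there current evidence that it passes, and are accepted-risk suppressions visible rather than hidden? As an added example (not code from this page, AWS, or Security Hub), the Python below rolls a batch of Security Hub findings in AWS Security Finding Format (ASFF) up into a per-control status table, ignores archived findings, keeps suppressed failures visible as a separate state, and flags controls whose newest evaluation is older than an assumed 30-day freshness window. The ASFF field names used (`Compliance.Status`, `Compliance.SecurityControlId`, `ProductFields.ControlId`, `Workflow.Status`, `RecordState`, `UpdatedAt`, `Resources`) are real schema fields; the findings, account IDs, assessment date and freshness window are constructed for illustration.

```python
"""Roll Security Hub control findings (ASFF) up into a per-control assessment table.

Added example; not code from the source page or from AWS. ASFF field names are the
real schema fields; every finding, account ID and date below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed assessment date and evidence-freshness window (30 days is a made-up
# organizational threshold; Security Hub itself re-evaluates controls far more often).
ASSESSMENT_DATE = datetime(2024, 5, 10, tzinfo=timezone.utc)
MAX_EVIDENCE_AGE_DAYS = 30


def _finding(fid, updated, control, status, *, workflow="NEW", record="ACTIVE",
             account="111122223333", legacy=False):
    """Build a constructed ASFF control finding shaped like securityhub:GetFindings output."""
    f = {
        "Id": fid, "UpdatedAt": updated, "RecordState": record,
        "Workflow": {"Status": workflow},
        "Compliance": {"Status": status},
        "Resources": [{"Type": "AwsAccount", "Id": f"AWS::::Account:{account}"}],
    }
    if legacy:   # pre-consolidation findings carry the control ID in ProductFields
        f["ProductFields"] = {"ControlId": control}
    else:
        f["Compliance"]["SecurityControlId"] = control
    return f


SAMPLE_FINDINGS = [
    _finding("f-1", "2024-05-01T10:00:00.000Z", "CloudTrail.1", "FAILED"),
    _finding("f-2", "2024-05-02T10:00:00.000Z", "CloudTrail.1", "PASSED",
             workflow="RESOLVED", account="444455556666"),          # passes elsewhere
    _finding("f-3", "2024-05-03T10:00:00.000Z", "IAM.6", "FAILED",
             workflow="SUPPRESSED"),                                 # accepted risk
    _finding("f-4", "2024-04-20T10:00:00.000Z", "Config.1", "FAILED",
             workflow="RESOLVED", record="ARCHIVED"),                # fixed, archived
    _finding("f-5", "2024-05-04T10:00:00.000Z", "Config.1", "PASSED", workflow="RESOLVED"),
    _finding("f-6", "2024-01-15T10:00:00.000Z", "S3.1", "PASSED",
             workflow="RESOLVED", legacy=True),                      # months-old evidence
    {   # a GuardDuty-style threat finding has no control ID: not control evidence
        "Id": "f-7", "UpdatedAt": "2024-05-05T10:00:00.000Z", "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"}, "ProductFields": {},
        "Resources": [{"Type": "AwsEc2Instance", "Id": "i-0123456789abcdef0"}],
    },
]


@dataclass
class ControlResult:
    control_id: str
    status: str = "NO_DATA"          # FAILED | SUPPRESSED | PASSED | NO_DATA
    open_failures: int = 0
    suppressed_failures: int = 0
    passed: int = 0
    last_updated: datetime | None = None
    stale: bool = False
    resources: list[str] = field(default_factory=list)   # resources still failing


def parse_asff_time(value: str) -> datetime:
    """ASFF timestamps are ISO 8601 with a trailing Z; return a tz-aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def control_id_of(finding: dict) -> str | None:
    """Prefer the consolidated SecurityControlId, fall back to the legacy ProductFields key."""
    comp = finding.get("Compliance", {})
    return comp.get("SecurityControlId") or finding.get("ProductFields", {}).get("ControlId")


def summarize_controls(findings, *, now: datetime, max_age_days: int) -> dict[str, ControlResult]:
    results: dict[str, ControlResult] = {}
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue                      # archived: the failing state no longer exists
        cid = control_id_of(f)
        if cid is None:
            continue                      # threat findings are not control evidence
        r = results.setdefault(cid, ControlResult(cid))
        updated = parse_asff_time(f["UpdatedAt"])
        if r.last_updated is None or updated > r.last_updated:
            r.last_updated = updated
        status = f.get("Compliance", {}).get("Status")
        if status == "FAILED":
            if f.get("Workflow", {}).get("Status") == "SUPPRESSED":
                r.suppressed_failures += 1    # keep accepted risk visible, do not hide it
            else:
                r.open_failures += 1
                r.resources.extend(res["Id"] for res in f.get("Resources", []))
        elif status == "PASSED":
            r.passed += 1
    cutoff = now - timedelta(days=max_age_days)
    for r in results.values():
        r.status = ("FAILED" if r.open_failures else "SUPPRESSED" if r.suppressed_failures
                    else "PASSED" if r.passed else "NO_DATA")
        r.stale = r.last_updated is not None and r.last_updated < cutoff
    return results


def report_lines(results: dict[str, ControlResult]) -> list[str]:
    """One line per control, in the form an assessment report appendix would carry."""
    lines = []
    for cid in sorted(results):
        r = results[cid]
        evaluated = r.last_updated.date().isoformat() if r.last_updated else "n/a"
        flag = " (EVIDENCE STALE)" if r.stale else ""
        lines.append(f"{cid:<14} {r.status:<10} open={r.open_failures} "
                     f"suppressed={r.suppressed_failures} passed={r.passed} "
                     f"last_evaluated={evaluated}{flag}")
    return lines


def assess_sample() -> dict[str, ControlResult]:
    return summarize_controls(SAMPLE_FINDINGS, now=ASSESSMENT_DATE,
                              max_age_days=MAX_EVIDENCE_AGE_DAYS)


if __name__ == "__main__":
    print("\n".join(report_lines(assess_sample())))
```

Two design points matter for an assessor rather than an operator: a control with one passing and one failing resource is reported FAILED, not "mostly passing", and a suppressed failure is reported as its own SUPPRESSED state so the risk-acceptance decision is reviewable instead of disappearing into a PASSED count. The staleness flag is what turns a "we have Security Hub" answer into evidence that the results are actually current, as the second AWS check requires.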

Checks for Azure

  • Require Vulnerability Assessment on Virtual Machines:
    Description: This policy ensures that all Azure virtual machines have the vulnerability assessment extension installed and configured. The extension helps in detecting and remediating potential security vulnerabilities on the VMs.
  • Audit Virtual Machines without Endpoint Protection:
    Description: This policy audits virtual machines that do not have endpoint protection (antivirus) installed and running. It helps ensure that VMs are protected against known malware and viruses.
  • Audit Storage Accounts Lacking Required Encryption Controls:
    Description: Azure Storage always encrypts data at rest with service-managed keys, so a policy cannot find "unencrypted" accounts. What this policy audits is accounts missing the additional protections the organization requires: secure transfer (HTTPS only) enforced, infrastructure (double) encryption enabled, or customer-managed keys in Key Vault where mandated for sensitive data.
  • Require Just-In-Time VM Access:
    Description: This policy mandates that Just-In-Time (JIT) access is enabled for Azure virtual machines. JIT access reduces the attack surface by allowing temporary and controlled access to VMs for a limited period when needed.
  • Audit Publicly Accessible Storage Accounts:
    Description: This policy audits Azure storage accounts that are publicly accessible. Publicly accessible storage accounts can be a security risk if sensitive data is unintentionally exposed.
  • Audit Network Security Groups (NSGs) with Inbound Internet Access:
    Description: This policy audits NSGs that allow inbound internet traffic. Limiting internet access to necessary ports and services helps reduce the risk of unauthorized access.
  • Require Multi-Factor Authentication (MFA) for Privileged Accounts:
    Description: MFA applies to user sign-ins, not to service principals, which authenticate with a client secret or certificate and cannot complete an MFA challenge. This policy audits subscriptions in which user accounts holding owner, write or read permissions do not have MFA enabled. For service principals, the equivalent control is to replace client secrets with certificate credentials or managed identities and to review their role assignments for least privilege.

 

More Details:   

Regular assessments of the existing security controls are performed, and policies and training are updated based on the assessment results.