Our previous post was about NIST SP 800-137. In this post, we are going to review NIST SP 800-53A. NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-53 is a set of standards and guidelines to help federal agencies and contractors meet the requirements set by the Federal Information Security Management Act (FISMA). In fact, NIST SP 800-53 deals with the security controls, or safeguards, for federal information systems and organizations.
NIST SP 800-53 helps to improve the security of your organization’s information systems by providing a fundamental baseline for developing a secure organizational infrastructure. Of course, NIST guidelines themselves recommend that you should assess all your data and rank which is most sensitive in order to further develop your security program.
The full title of the publication reviewed here is: Assessing Security and Privacy Controls in Federal Information Systems and Organizations. Revision 4 of this publication was published in December 2014.
The PDF file of this document consists of 487 pages and three chapters. These chapters are:
- Chapter 1: Introduction
- Chapter 2: Fundamentals
- Chapter 3: Process
Of course, most of this file (about 440 pages) consists of appendices. This publication provides a set of procedures for conducting assessments of the security controls and privacy controls employed within federal information systems and organizations.
This article is a summary of the document published on the nist.gov website.
For more info please refer to nist.gov
The first chapter is the introduction. Information systems are complex assemblages of technology (such as hardware, software, and firmware), processes, and people, working together to provide organizations with the capability to process, store, and transmit information in a timely manner to support various missions and business functions. The selection of appropriate security and privacy controls for an information system is an important task that can have significant implications on the operations and assets of an organization as well as the welfare of individuals. Security and privacy controls are the safeguards or countermeasures prescribed for an information system or an organization, designed to protect the confidentiality, integrity, and availability of its information.
Anyway, this chapter includes the following parts:
- Purpose and Applicability: This section states the purposes of the publication. These goals are: (1) guidelines for building effective security assessment plans and privacy assessment plans, and (2) a comprehensive set of procedures for assessing the effectiveness of security controls and privacy controls employed in information systems and organizations supporting the executive agencies of the federal government. The guidelines address the following areas: (1) enabling more consistent, comparable, and repeatable assessments of security controls and privacy controls with reproducible results; (2) promoting a better understanding of the risks to organizational operations, organizational assets, individuals, and other organizations; (3) creating more complete, reliable, and trustworthy information for organizational officials; and (4) facilitating more cost-effective assessments of security controls and privacy controls.
- Target Audience: This publication has a number of target audiences, which are: (1) individuals with information system development responsibilities; (2) individuals with information security assessment and monitoring responsibilities; (3) individuals with information system, security, privacy, and risk management and oversight responsibilities; and (4) individuals with information security implementation and operational responsibilities.
- Related publications and assessment processes: This publication is designed to support Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. This includes providing near real-time security- and privacy-related information to organizational officials regarding the ongoing security and privacy state of their systems and organizations. Assessments, including product testing, evaluation, and validation, may be conducted on cryptographic modules and general-purpose information technology products such as operating systems, database systems, firewalls, intrusion detection devices, Web browsers, Web applications, smart cards, biometrics devices, personal identity verification devices, network devices, and hardware platforms, using national and international standards. The resulting evidence is then used to the extent that it is applicable. It can be combined with the assessment-related evidence obtained from applying the assessment procedures in this publication, to cost-effectively produce the information necessary to determine whether the security and privacy controls are effective in their application.
- Organization of this special publication: The remainder of this publication consists of chapter 2, chapter 3, and the supporting appendices.
The second chapter, “Fundamentals,” describes the basic concepts associated with assessing the security and privacy controls in organizational information systems and the environments in which those systems operate, including: (1) the integration of assessments into the system development life cycle, (2) the importance of an organization-wide strategy for conducting assessments, (3) the development of effective assurance cases to help increase the grounds for confidence in the effectiveness of security and privacy controls, and (4) the format and content of assessment procedures. This chapter includes four sections:
- Assessments within the system development life cycle: Security and privacy assessments can be effectively carried out at various stages in the system development life cycle. This publication provides a comprehensive set of assessment procedures for use throughout the system development life cycle. For example, privacy assessments are conducted by senior agency officials for privacy/privacy officers and privacy staff in the early life cycle phases as well. This helps to ensure that the required security and privacy controls for the system are properly designed and developed, correctly implemented, and consistent with the established organizational information security architecture before the system enters the operations and maintenance phase. Security assessments are typically conducted by information system owners, common control providers, information system security officers, independent assessors, auditors, and Inspectors General. Privacy assessments are typically conducted by senior agency officials for privacy/privacy officers and privacy staff.
- Strategy for conducting control assessments: An organization-wide strategy begins by applying the initial steps of the Risk Management Framework to all information systems within the organization, with an organizational view of the security categorization process and the security and privacy control selection process. The sharing of assessment results among key organizational officials across information system boundaries has many important benefits, including: (1) providing the capability to review assessment results for all information systems and to make mission/business-related decisions on risk mitigation activities according to organizational priorities, the security categorization of the information systems, and risk assessments; (2) providing a more global view of systemic weaknesses and deficiencies occurring in information systems across the organization; and (3) increasing the organization’s knowledge base regarding threats, vulnerabilities, and strategies for more cost-effective solutions.
- Building an effective assurance case: It is a process that involves: (1) compiling evidence from a variety of activities conducted during the system development life cycle that the controls employed in the information system are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements of the system and the organization, and (2) presenting this evidence in a manner that decision makers are able to use effectively in making risk-based decisions about the operation or use of the system. Assessors obtain the required evidence during the assessment process. The assessment evidence needed to make such determinations can be obtained from a variety of sources including information technology product and system assessments. Product assessments (also known as product testing, evaluation, and validation) are typically conducted by independent, third-party testing organizations. Assessments can be conducted to demonstrate compliance to industry, national, or international information security standards, privacy standards embodied in applicable laws and policies, and developer/vendor claims.
- Assessment procedures: An assessment procedure consists of a set of assessment objectives, each with an associated set of potential assessment methods and assessment objects. An assessment objective includes a set of determination statements related to the particular security or privacy control under assessment. The determination statements are linked to the content of the security or privacy control (e.g., the security/privacy control functionality) to ensure traceability of assessment results back to the fundamental control requirements. Assessment methods define the nature of the assessor's actions and include examine, interview, and test. The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (such as specifications, mechanisms, or activities).
The third chapter, “The Process,” describes the process of assessing the security and privacy controls in organizational information systems and environments of operation, including: (1) the activities carried out by organizations and assessors, (2) the development of security and privacy assessment plans, (3) the conduct of control assessments and the analysis, documentation, and reporting of assessment results, and (4) post-assessment report analysis and follow-on activities. This chapter includes five sections:
- Preparing for security and privacy control assessments: Security and privacy control assessments may be conducted by different organizational entities with distinct oversight responsibilities. However, success requires cooperation and collaboration among all parties having a vested interest in the organization’s information security or privacy posture, including information system owners, common control providers, authorizing officials, chief information officers, senior information security officers, senior agency officials for privacy/chief privacy officers, chief executive officers/heads of agencies, security and privacy staffs, Inspectors General, and OMB. Preparing for a security or privacy control assessment includes the following key activities: (1) ensuring that appropriate policies covering security and privacy control assessments, respectively, are in place and understood by all affected organizational elements; (2) ensuring that all steps in the Risk Management Framework prior to the security or privacy control assessment step have been successfully completed; (3) establishing the objective and scope of assessments; (4) ensuring that security and privacy controls identified as common controls have been assigned to appropriate organizational entities for development and implementation; (5) notifying key organizational officials of impending assessments and allocating necessary resources to carry out the assessments; (6) establishing appropriate communication channels among organizational officials; (7) establishing time frames for completing the assessments and key milestone decision points; (8) identifying and selecting competent assessors/assessment teams; (9) collecting artifacts to provide to the assessors/assessment teams (e.g., policies, procedures, plans, specifications, designs, records, information system documentation, and legal requirements); and (10) establishing a mechanism between the organization and the assessors and/or assessment teams to minimize ambiguities or misunderstandings about the implementation of security or privacy controls and the security/privacy control weaknesses/deficiencies identified during the assessments.
- Developing security and privacy assessment plans: These plans provide the objectives for the security and privacy control assessments, respectively, and a detailed roadmap of how to conduct such assessments. They may be developed as one integrated plan or as distinct plans, depending upon organizational needs. Developing the plans includes the following steps: (1) determine which security and privacy controls/control enhancements are to be included in assessments based upon the contents of the security plan and privacy plan and the purpose and scope of the assessments; (2) select the appropriate assessment procedures to be used during assessments based on the security or privacy controls and control enhancements to be included in the assessments; (3) tailor the selected assessment procedures (for example, assign depth and coverage attribute values); (4) develop additional assessment procedures; (5) optimize the assessment procedures to provide cost-effective assessment solutions; and (6) finalize assessment plans and obtain the necessary approvals to execute the plans.
- Conducting security and privacy control assessments: After the security assessment plan or privacy assessment plan is approved by the organization, the assessor(s) or assessment team executes the plan in accordance with the agreed-upon schedule. Determining the size and organizational makeup of the assessment team (i.e., skill sets, technical expertise, and assessment experience of the individuals composing the team) is part of the risk management decisions made by the organization requesting and initiating the assessment. The results of security control assessments and privacy control assessments are documented in security assessment reports and privacy assessment reports, respectively, which are key inputs to the authorization package developed by information system owners and common control providers for authorizing officials. Each determination statement contained within an assessment procedure executed by an assessor produces one of the following findings: (1) satisfied (S); or (2) other than satisfied (O). For assessment findings that are other than satisfied, organizations may choose to define subcategories of findings indicating the severity and/or criticality of the weaknesses or deficiencies discovered and the potential adverse effects on organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Defining such subcategories can help to establish priorities for needed risk mitigation actions.
- Analyzing assessment report results: Information system owners and common control providers review the security assessment reports and privacy assessment reports and the updated risk assessment and, with the concurrence of designated organizational officials (e.g., authorizing officials, chief information officer, senior information security officer, senior agency officials for privacy/chief privacy officers, mission/information owners), determine the appropriate steps required to respond to the weaknesses and deficiencies identified during the assessment. By using the labels of satisfied and other than satisfied, the reporting format for the assessment findings gives organizational officials visibility into specific weaknesses and deficiencies in security or privacy controls within the information system or inherited by the system, and facilitates a disciplined and structured approach to responding to risks in accordance with organizational priorities. Senior leadership involvement in the mitigation process may be necessary in order to ensure that the organization’s resources are effectively allocated in accordance with organizational priorities.
- Assigning security and privacy capabilities: Organizations may define a set of security capabilities or privacy capabilities as a precursor to the security control or privacy control selection process. The concept of capability recognizes that the protection of information being processed, stored, or transmitted by information systems seldom derives from a single security safeguard or countermeasure. Each control contributes to the overall organization-defined capability.
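The structure described in the "Assessment procedures" section (objectives, determination statements, the examine/interview/test methods and their objects), the depth and coverage tailoring from "Developing security and privacy assessment plans", and the satisfied/other-than-satisfied findings from "Conducting security and privacy control assessments" fit together as one data model. The following is an added example written for this post, not code from NIST or from the publication: it models an assessment objective, checks that tailoring values are valid, rolls each control's determination statements up to a single S or O finding, and orders the O findings by an organization-defined severity so they can be prioritized for risk mitigation. The control identifiers, determination statements and severity labels are constructed sample data; the attribute values basic, focused and comprehensive are the depth and coverage values defined in SP 800-53A.

```python
"""Assessment-procedure model and finding roll-up (added example, constructed data)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional

# Depth and coverage attribute values used when tailoring assessment procedures.
ATTRIBUTE_VALUES = ("basic", "focused", "comprehensive")


class Method(Enum):
    """The three assessment methods defined in the publication."""
    EXAMINE = "examine"
    INTERVIEW = "interview"
    TEST = "test"


class Finding(Enum):
    SATISFIED = "S"
    OTHER_THAN_SATISFIED = "O"


# Organization-defined subcategories for other-than-satisfied findings.
# The publication leaves these labels to the organization; these are constructed.
SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Determination:
    """One determination statement and the assessor's finding for it."""
    statement: str
    finding: Finding
    severity: Optional[str] = None  # only meaningful when finding is O


@dataclass
class AssessmentObjective:
    control_id: str
    methods: Dict[Method, str]  # method -> depth/coverage attribute value
    objects: List[str]          # specifications, mechanisms, activities, individuals
    determinations: List[Determination] = field(default_factory=list)


def validate_tailoring(obj: AssessmentObjective) -> List[str]:
    """Return problems with a tailored procedure: bad attribute values, or nothing to assess."""
    problems = []
    for method, value in obj.methods.items():
        if value not in ATTRIBUTE_VALUES:
            problems.append(f"{obj.control_id}: {method.value} has invalid attribute value {value!r}")
    if not obj.objects:
        problems.append(f"{obj.control_id}: no assessment objects selected")
    if not obj.determinations:
        problems.append(f"{obj.control_id}: no determination statements")
    return problems


def roll_up(obj: AssessmentObjective) -> dict:
    """A control is S only if every determination statement is S; otherwise it is O
    and carries the worst severity among its failed statements."""
    failed = [d for d in obj.determinations if d.finding is Finding.OTHER_THAN_SATISFIED]
    if not failed:
        return {"control": obj.control_id, "finding": "S", "severity": None, "weaknesses": []}
    worst = max(SEVERITY_RANK.get(d.severity, 0) for d in failed)
    severity = next(k for k, v in SEVERITY_RANK.items() if v == worst) if worst else "unrated"
    return {"control": obj.control_id, "finding": "O", "severity": severity,
            "weaknesses": [d.statement for d in failed]}


def assessment_report(objectives: List[AssessmentObjective]) -> dict:
    """Summarize findings: satisfied controls, and O controls ordered highest severity first."""
    results = [roll_up(o) for o in objectives]
    satisfied = [r["control"] for r in results if r["finding"] == "S"]
    other = sorted((r for r in results if r["finding"] == "O"),
                   key=lambda r: -SEVERITY_RANK.get(r["severity"], 0))
    return {"satisfied": satisfied, "other_than_satisfied": other}


def sample_objectives() -> List[AssessmentObjective]:
    """Constructed sample assessment results for three controls (not real assessment data)."""
    return [
        AssessmentObjective("AC-2", {Method.EXAMINE: "focused", Method.INTERVIEW: "basic"},
                            ["account management policy", "system account records"],
                            [Determination("account types are identified and selected", Finding.SATISFIED),
                             Determination("accounts are reviewed at the defined frequency",
                                           Finding.OTHER_THAN_SATISFIED, "moderate")]),
        AssessmentObjective("IA-5", {Method.EXAMINE: "comprehensive", Method.TEST: "focused"},
                            ["authenticator management procedures", "password configuration"],
                            [Determination("default authenticators are changed before installation",
                                           Finding.OTHER_THAN_SATISFIED, "high"),
                             Determination("authenticator content is protected from disclosure",
                                           Finding.OTHER_THAN_SATISFIED, "low")]),
        AssessmentObjective("AU-2", {Method.EXAMINE: "basic"}, ["audit policy"],
                            [Determination("auditable events are defined", Finding.SATISFIED)]),
    ]


if __name__ == "__main__":
    objectives = sample_objectives()
    for o in objectives:
        for problem in validate_tailoring(o):
            print("tailoring problem:", problem)
    report = assessment_report(objectives)
    print("satisfied:", report["satisfied"])
    for r in report["other_than_satisfied"]:
        print(f"{r['control']} O ({r['severity']}): {'; '.join(r['weaknesses'])}")
```

The roll-up mirrors the publication's rule that a single other-than-satisfied determination statement makes the whole control other than satisfied; the severity subcategory is the organization's own addition and is what drives the prioritized list that feeds the mitigation decisions described under "Analyzing assessment report results".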