Assess security controls for the system and its operating environment to determine if they have been implemented correctly and are operating as intended. Furthermore, the review and assessment of opportunities for improvement is necessary to ensure the continuing suitability, adequacy and effectiveness of the organization's approach to managing information security.
In conducting a security assessment, it is important that assessors and system owners first agree on the scope, type and extent of assessment activities, which may be documented in a security assessment plan, so that any risks associated with the security assessment can be appropriately managed. To a large extent, the scope of the security assessment will be determined by the type of system and the security controls that have been implemented for the system and its operating environment.
Security control assessment can be performed in two waves. The first can be an internal review, delivered by an independent person who was not responsible for implementing the controls. Individuals carrying out these reviews should have the appropriate skills and experience. In a later stage, additional assurance can be obtained through an independent third-party review, assessment or audit.
The outcome of the assessment should be documented and reported to the management that initiated the review. Any identified issues should be entered back into the risk assessment table or security controls registry, together with the responsible persons and implementation deadlines.