Worksheet : Intro to the NIST SP 800-53A

Assessing the Security Controls in Federal Information Systems and Organizations

Course Learning Outcome(s)

• Describe the components and basic requirements for creating an audit plan to support business and system considerations.

• Describe the parameters required to conduct and report on IT infrastructure audit for organizational compliance.

Auditing in IT is the monitoring and validation of safeguards that are put in place to protect information. These safeguards are categorized as controls. Controls are sets or groups of safeguards that relate to different areas within IT systems such as the implementation of security features in hardware and software, administrative processes such as written administrative polices and user agreements.

Controls are categorized into families which define the type of control to be complied to and classes. Classes include management, operational and technical.

ASSESSMENTS WITHIN THE SYSTEM DEVELOPMENT LIFE CYCLE

Security assessments can be effectively carried out at various stages in the system development life cycle to increase the grounds for confidence that the security controls employed within or inherited by an information system are effective in their application. Assessment activities in the initial system development life cycle phases include, for example, design and code reviews, application scanning, and regression testing.

Security weaknesses and deficiencies identified early in the system development life cycle can be resolved more quickly and in a much more cost-effective manner before proceeding to subsequent phases in the life cycle. The objective is to identify the information security architecture and security controls up front and to ensure that the system design and testing validate the implementation of these controls.

The assessment procedures described in Appendix F of the NIST SP 800-53A can support these types of technical assessments carried out during the initial stages of the system development life cycle.

Security assessments are also routinely conducted by information system owners, common control providers, information system security officers, independent assessors, auditors, and Inspectors General during the operations and maintenance phase of the life cycle to ensure that security controls are effective and continue to be effective in the operational environment where the system is deployed.

For example, organizations assess all security controls employed within and inherited by the information system during the initial security authorization. Subsequent to the initial authorization, the organization assesses the security controls (including management, operational, and technical controls) on an ongoing basis.

The frequency of such monitoring is based on the continuous monitoring strategy developed by the information system owner or common control provider and approved by the authorizing official.

As previously stated, organizations develop controls based on laws, regulations, best practices and industry standards. These controls are audited periodically to validate that processes are in place and working. This responsibility is that of the Auditor also referred to as the Security Control Assessor, who will independently validate these controls to ensure compliance and report the findings to higher authority.

The National Institute of Standards and Technology (NIST) has developed a series of specialized publications that layout the framework for the implementation, operation and management of information Technology. Controls can be found within the NIST Special Publication 800-53A which you can find in the Student Center under Additional Resources.

Refer to the Assessment Procedures in NIST Special Publication 800-53A and complete the following;

1. Complete the table below by determining the 18 Families and their corresponding Classes of controls as described in the NIST Special Publication 800-53 A: