SECURITY SELF-ASSESSMENT GUIDE FOR INFORMATION TECHNOLOGY SYSTEMSMarianne Swanson, Author
Adequate security of information and the systems that process it is a fundamental management responsibility. Federal agencies must plan for security, ensure that the appropriate officials are assigned security responsibility, and authorize system processing prior to operations and periodically thereafter. These management responsibilities presume that responsible agency officials understand the risks and other factors that could negatively impact their mission goals. Moreover, these officials must understand the current status of security programs and controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level.
One method used to measure information technology (IT) security assurance is a self-assessment conducted on a system (major application or general support system) or multiple self-assessments conducted for a group of interconnected systems (internal or external to the agency). Self-assessments provide a cost-effective technique for agency officials to determine the current status of their information security programs, mitigate identified weaknesses, and where necessary, establish a target for improvement.
Guidance on the Self-Assessment Process
ITL has issued a new guidance document on the self-assessment process. NIST Special Publication (SP) 800-26, Security Self-Assessment Guide for Information Technology Systems, utilizes an extensive questionnaire containing specific control objectives and techniques against which an unclassified system or group of interconnected systems can be tested and measured. This ITL Bulletin summarizes the new document, available in two formats from http://csrc.nist.gov/publications/nistpubs/index.html. While this guidance document applies primarily to federal agencies, private sector organizations may also find the self-assessment approach a valuable tool.
The guide does not establish new security requirements. The control objectives and techniques are abstracted directly from long-standing requirements found in statute, policy, and guidance on security. The document builds on the Federal IT Security Assessment Framework (Framework) developed by NIST for the Federal Chief Information Officer (CIO) Council. The Framework established the groundwork for standardizing on five levels of security status and criteria agencies could use to determine if the five levels were adequately implemented. The new document provides guidance on applying the Framework by identifying 17 control areas, such as those pertaining to identification and authentication and contingency planning. In addition, the guide provides control objectives and techniques that can be measured for each area.
Finally, the document provides guidance on utilizing the results of the system self-assessment to ascertain the status of the agency-wide security program. The results are obtained in a form that can readily be used to determine which of the five levels specified in the Framework the agency has achieved for each topic area covered in the questionnaire. For example, the group of systems under review may have reached level 4 (Tested and Evaluated Procedures and Controls) in the topic area of physical and environmental protection, but only level 3 (Implemented Procedures and Controls) in the area of logical access controls.
The control objectives and techniques presented are generic and can be applied to organizations in private and public sectors. The document can be used by all levels of management and by those individuals responsible for IT security at the system level and organization level. Additionally, internal and external auditors may use the questionnaire to guide their review of the IT security of systems. To perform the examination and testing required to complete the questionnaire, the assessor must be familiar with and able to apply a core knowledge set of IT security basics needed to protect information and systems. In some cases, especially in the area of examining and testing technical controls, assessors with specialized technical expertise will be needed to ensure that the questionnaire’s answers are reliable.
Uses of the Self-Assessment Questionnaire
The questionnaire can be used for the following purposes:
It is important to note that the questionnaire is not intended to be an all-inclusive list of control objectives and related techniques. Accordingly, it should be used in conjunction with the more detailed guidance listed in Appendix B of the document. In addition, details associated with certain technical controls are not specifically provided due to their voluminous and dynamic nature. Agency managers should obtain information on such controls from other sources, such as vendors, and use that information to supplement this guide.
For a self-assessment to be effective, a risk assessment should be conducted in conjunction with or prior to the self-assessment.
Before the questionnaire can be used effectively, a determination must be made as to the boundaries of the system and the sensitivity and criticality of the information stored within, processed by, or transmitted by the system(s). The security of every system or group of interconnected system(s) must be described in a security plan. If a plan has not been prepared for the system, the completion of the self-assessment will aid in developing the system security plan. Many of the control objectives addressed in the assessment are to be described in the system security plan.
Defining the scope of the assessment requires an analysis of system boundaries and organizational responsibilities. As defined in NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, a system is identified by defining boundaries around a set of processes, communications, storage, and related resources. Each element of the system must be under the same direct management control, have the same function or mission objective, have essentially the same operating characteristics and security needs, and reside in the same general operating environment. See http://csrc.nist.gov/publications/nistpubs/index.html for additional guidance from NIST SP 800-18.
Effective use of the questionnaire presumes a comprehensive understanding of the value of the systems and information being assessed. Value can be expressed in terms of the degree of sensitivity or criticality of the systems and information relative to the three basic protection categories of confidentiality, integrity, and availability. In addition, it is helpful to categorize the system or group of systems by sensitivity level, i.e., high, medium, or low.
The self-assessment questionnaire contains three sections: cover sheet, questions, and notes. The questionnaire begins with a cover sheet requiring descriptive information about the major application, general support system, or group of interconnected systems being assessed. The questionnaire provides a hierarchical approach to assessing a system by containing critical elements and subordinate questions. Assessors will need to carefully review the levels of subordinate control objectives and techniques in order to determine what level has been reached for the related critical element. The questionnaire section may be customized by the organization. An organization can add questions, require more descriptive information, and even pre-mark certain questions if applicable. The notes section can be used to document findings and to indicate follow-up actions. The time required to complete an evaluation will vary, as will the needed resources.
Consistent with OMB policy, each agency must implement and maintain a program to adequately secure its information and system assets. An agency program must: 1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification. Performing a self-assessment and mitigating any of the weaknesses found in the assessment is one way to determine if the system and the information are adequately secured.
Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.