Imagine you're building a house. You've got blueprints, materials, workers, and a clear vision. But how do you ensure every brick is placed correctly, every beam supports weight as designed, and every window seals properly? You perform inspections. Similarly, when building an information security program, control assessments ensure every security and privacy control is implemented correctly, operates as designed, and effectively safeguards your digital assets and personal information.
But wait—what exactly are control assessments, and how are they done?
What Are Control Assessments?
Control assessments systematically evaluate whether security and privacy controls are implemented correctly, functioning as intended, and effectively meeting an organization's goals and requirements.
These assessments form the backbone of an effective risk management strategy, enabling organizations to:
Verify control effectiveness
Evaluate the quality of their risk management processes
Identify strengths and weaknesses in systems supporting critical operations
Assessment Components
Let's simplify. According to NIST SP 800-53A, a widely respected framework, there are three primary components involved:
1. Assessment Objects
Think of these as your building materials (if you stick to the house analogy). Assessment objects can be:
Specifications: Documents like security policies, privacy plans, and system blueprints.
Mechanisms: Hardware, software, or firmware enforcing security, such as encryption tools or firewalls.
Activities: Security-related actions performed by individuals, such as backups, incident response, or patching.
Individuals: People responsible for using, managing, or overseeing these controls.
2. Assessment Methods
These are the techniques used to evaluate the assessment objects:
Examine: Reviewing documents and artifacts to verify completeness and accuracy.
Interview: Talking with staff to confirm they understand and follow established security practices.
Test: Practical exercises and simulations to ensure systems operate securely under expected conditions.
Each method has two attributes:
Depth (rigor of assessment): basic, focused, comprehensive.
Coverage (scope of assessment): basic, focused, comprehensive.
Both attributes should be tailored to ensure assessments match an organization's risk level and operational needs.
3. Assessment Objectives
Objectives define the goal—what exactly you're verifying. They're expressed through "determination statements." For example, confirming that remote access methods are documented, securely configured, and explicitly authorized.
assessment objective
“A set of determination statements that expresses the desired outcome for the assessment of a control”
Assessment Process
The following visual illustrates the four-step process for performing control assessments as described in NIST SP 800-53A:

An assessment should be planned and conducted according to the following steps:
Prepare for Security and Privacy Control Assessments: Establish roles, responsibilities, and scope, and collect relevant documentation.
Develop Security and Privacy Assessment Plans: Create a detailed plan specifying the methods, objectives, depth, and coverage for each control assessed.
Conduct Security and Privacy Control Assessments: Perform the planned assessments using appropriate methods and document findings.
Analyze Assessment Report Results: Review and analyze findings, identify weaknesses, and determine appropriate risk mitigation strategies.
Let's have a look at an example, without focusing too much on the reporting and follow-up aspects of this process.
Assessment Example (AC-11)
I’m sure many of you have walked into an office looking for a colleague—only to find their computer unlocked and left wide open. To tackle this issue, control AC-11 of NIST SP 800-53 is about temporarily preventing access to systems when users step away briefly from their computers and devices.
Here is the original base control as described in NIST SP 800-53:
| ID | Control Statement |
|---|---|
| AC-11 | a. Prevent further access to the system by [Selection (one or more): initiating a device lock after [Assignment: organization-defined time period] of inactivity; requiring the user to initiate a device lock before leaving the system unattended]; and b. Retain the device lock until the user reestablishes access using established identification and authentication procedures. |
In short, system locks can be initiated automatically after a defined period of inactivity, or manually, by the user, when leaving their systems and computers.
The question is how an assessor can determine whether this control is operating as intended and provide the organization with assurance against the associated threat.
NIST SP 800-53A provides us with the following assessment procedures:
| Determine if | |
|---|---|
| AC-11_ODP[01] | one or more of the following PARAMETER VALUES is/are selected: {initiating a device lock after AC-11_ODP[02] time period of inactivity; requiring the user to initiate a device lock before leaving the system unattended}; |
| AC-11_ODP[02] | time period of inactivity after which a device lock is initiated is defined (if selected); |
| DS-AC-11a. | further access to the system is prevented by AC-11_ODP[01] SELECTED PARAMETER VALUES; |
| DS-AC-11b. | device lock is retained until the user re-establishes access using established identification and authentication procedures. |
To determine whether these conditions are met, we are also given suggested assessment procedures that align with the determination statements.
| Assessment methods and procedures | |
|---|---|
| AC-11 examine | [SELECT FROM: Access control policy; procedures addressing session lock; procedures addressing identification and authentication; system design documentation; system configuration settings and associated documentation; security plan; system security plan; other relevant documents or records]. |
| AC-11 interview | [SELECT FROM: System/network administrators; organizational personnel with information security responsibilities; system developers]. |
| AC-11 test | [SELECT FROM: Mechanisms implementing access control policy for session lock]. |
To apply these assessment objectives in practice, assessors could do the following:
Examine relevant documentation such as access control policies, session lock procedures, system design documents, and system configuration settings. Confirm these documents clearly outline and support the intended use and implementation of the device lock.
Interview system administrators and security personnel to ensure they understand the policies and consistently apply them. Discuss specific scenarios to verify proper knowledge of when and how to activate device locks.
Test the actual device lock mechanisms by simulating inactivity and user-initiated locking scenarios. Observe whether the device lock activates as intended and ensures no further access without proper identification and authentication.
Together, these actions help validate that the control is effectively implemented, meets the organization's security goals, and makes unauthorized system access much harder.
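The examine step above often boils down to comparing collected configuration evidence against the organization-defined parameters. The following is an added example, not NIST's text or any vendor's tooling: it scores constructed `gsettings list-recursively` output from two GNOME workstations against the AC-11 determination statements, assuming the ODP values shown in the code and treating `lock-enabled` as the evidence that the lock persists until re-authentication (something the test method then confirms hands-on).

```python
"""Added assessor helper, not NIST's or any product's code: scores a host's GNOME
screen-lock settings against the AC-11 determination statements."""

# Organization-defined parameters (constructed values; an assessor takes these from the security plan).
ODP = {"AC-11_ODP[01]": {"inactivity_lock", "user_initiated_lock"},  # selected options
       "AC-11_ODP[02]": 900}                                          # seconds of inactivity

# Constructed evidence: `gsettings list-recursively` output collected from two workstations.
EVIDENCE = {
    "ws-01": """org.gnome.desktop.session idle-delay uint32 600
org.gnome.desktop.screensaver lock-enabled true
org.gnome.desktop.screensaver lock-delay uint32 0
org.gnome.settings-daemon.plugins.media-keys screensaver ['<Super>l']""",
    "ws-02": """org.gnome.desktop.session idle-delay uint32 300
org.gnome.desktop.screensaver lock-enabled true
org.gnome.desktop.screensaver lock-delay uint32 1800
org.gnome.settings-daemon.plugins.media-keys screensaver @as []""",
}

def parse_gsettings(text):
    """Map (schema, key) -> value; uint32 values become int, true/false become bool."""
    settings = {}
    for line in text.strip().splitlines():
        schema, key, raw = line.strip().split(" ", 2)
        raw = raw.removeprefix("uint32 ")
        settings[(schema, key)] = int(raw) if raw.isdigit() else {"true": True, "false": False}.get(raw, raw)
    return settings

def assess_ac11(settings, odp=ODP):
    """Return {determination statement: 'satisfied' | 'other than satisfied'}, NIST's two findings."""
    idle = settings.get(("org.gnome.desktop.session", "idle-delay"), 0)
    delay = settings.get(("org.gnome.desktop.screensaver", "lock-delay"), 0)
    lock_enabled = settings.get(("org.gnome.desktop.screensaver", "lock-enabled"), False)
    hotkey = settings.get(("org.gnome.settings-daemon.plugins.media-keys", "screensaver"), "@as []")
    # idle-delay 0 means "never"; the lock engages idle-delay + lock-delay seconds after last input,
    # so a short idle-delay paired with a long lock-delay still misses the ODP.
    seconds_to_lock = idle + delay if idle > 0 else None
    checks = []
    if "inactivity_lock" in odp["AC-11_ODP[01]"]:
        checks.append(seconds_to_lock is not None and seconds_to_lock <= odp["AC-11_ODP[02]"])
    if "user_initiated_lock" in odp["AC-11_ODP[01]"]:
        checks.append(hotkey != "@as []")  # a bound shortcut lets the user lock on demand
    verdict = lambda ok: "satisfied" if ok else "other than satisfied"
    return {"DS-AC-11a": verdict(bool(checks) and all(checks)),
            "DS-AC-11b": verdict(lock_enabled)}  # lock-enabled: password required to resume

def assess_all(evidence=EVIDENCE):
    """Findings per host, ready to be carried into the assessment report."""
    return {host: assess_ac11(parse_gsettings(text)) for host, text in evidence.items()}
```

On the constructed evidence, ws-01 satisfies both statements, while ws-02 is "other than satisfied" for DS-AC-11a because the effective time to lock (300 + 1800 seconds) exceeds the 900-second ODP and the user-initiated lock shortcut is unbound.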