Unlock the Power of FortiGate Mastery with Our Latest Release Fortinet Certified Associate – FortiGate Operator Course. Enroll Now!
Introduction The recent Official Cybercrime Report projects that by 2025, the cost of cybercrime will have increased to £8.72 trillion. The cybersecurity industry is rapidly
Introduction The Microsoft Power Platform Fundamentals Certification lets you grasp the core concepts and fundamentals required to start on Power Platform. To achieve this certification,
Introduction The demand for scalable, reliable, and secure cloud services has never been higher in today’s digital landscape. AWS Global Infrastructure is a beacon of
Table of Contents
Security Control Assessment is the principle which ensures that the security policies are enforced in an organization and are meeting their goals and objectives. Security Control Assessment evaluates these security policies implementers and is responsible for the information system if they are complying with stated security goals. SCA evaluates managerial, operational, and technical security controls in an information system to identify correct and effective enforcement of these controls.
Figure 1. NIST-Security Control Assessment Framework
Security Control Assessment result provides the surety or evidence enforcement of security control in an organization as well as its effectiveness over the organization’s system. CSA also reports about the quality of risk management processes including the incident response action plans.
CSA reports are very important. Findings from the CSA process helps to determine the overall effectiveness, reliability, and strength of security controls that are associated with an organization. A well-executed assessment process of security control provides input to enhance the running security control, identifies the weakness and strength of controls, and facilitates a cost-effective approach as a solution.
Every information has a value. Sensitive and important information or assets are more valuable than unimportant resources. The value of an asset is calculated in the form of cost or its perceived value to an organization.
There are two types of information valuation methods that are as follows:
According to the subjective theory of value, the value of an asset is determined by the importance an acting individual places on it. Subjective methods include the creation, dissemination, and collection of data from checklists or surveys.
Objective valuation is a metric or statistical measure which may provide an objective view of information valuation. They are based on specific quantitative measurements rather than qualitative.
Tangible assets are the physical assets; hence these assets are valued by subtracting depreciation from the original cost. For the assessment purpose, information security professional must know the actual cost of these assets, to estimate the value of assets correctly. Similarly, some of these values are variable depending upon the demand and market value.
Following parameters are considered to estimate the value of tangible assets:
Intangible assets are not physical hence these type of assets are classified as definite and indefinite intangible assets.
Intangible assets that have some expiry period. These assets lose their importance and value when the patent expires.
Assets that have an indefinite expiration period.
For someone to approximate the value of an intangible asset, the following methods are considered:
Security Control Assessment (SCA) is an evaluation process of the different type of controls such as management, operational and security control within an information system. Purpose of this controlled assessment is to validate the requirement of a control, correct implementation, operational & being followed as intended, and result is as desired. It is basically a formal evaluation of a defined set of controls, which may be conducted with the Security Test and Evaluation (ST&E). NIST Special Publication 800-53A Security and Privacy Controls for Federal Information Systems and Organizations ensure the security requirements and enforcement of appropriate security controls. Assessment of risk also examine the selection of appropriate security control and determines the need of additional controls. The resulting set of security controls ensure a reliable & acceptable level of security for an organization.
https://irtsectraining.nih.gov/ISITAdmin_2013/rolebasedtraining-itadmin/part39.htm
https://www.isaca.org/Journal/archives/2016/volume-6/Pages/assessing-security-controls.aspx
https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=906601
https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language
https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8011-1.pdf
https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Assessment_Procedure.pdf
https://csrc.nist.gov/Projects/Risk-Management/Security-Assessment
© 2022 All rights reserved | Privacy Policy | Terms and Conditions | Sitemap
