Security Control Assessment (SCA)
Security Control Assessment (SCA) is the process that verifies that an organization's security policies are actually enforced and are meeting their stated goals and objectives. It examines the controls the organization has implemented and determines whether the information system complies with its stated security requirements. SCA evaluates the managerial, operational, and technical security controls in an information system to establish that each control is implemented correctly, operating as intended, and producing the desired result.
Figure 1. NIST-Security Control Assessment Framework
The result of a Security Control Assessment provides assurance, backed by evidence, that security controls are enforced across the organization and are effective on the organization's systems. An SCA also reports on the quality of the risk management processes, including incident response action plans.
SCA reports matter because their findings determine the overall effectiveness, reliability, and strength of the security controls the organization relies on. A well-executed assessment provides input for improving the controls already in place, identifies the strengths and weaknesses of each control, and supports a cost-effective choice of remediation.
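As an added example (not code from the original page and not a NIST tool), the following script rolls up assessment findings the way an SCA report needs them: each determination statement is assessed by the examine, interview or test method and recorded as "satisfied" or "other than satisfied", as SP 800-53A prescribes, and the per-control and per-class totals feed the report. The control IDs, determination statements and evidence strings are constructed sample data; the rule that a control is satisfied only when every one of its determination statements is satisfied is this example's own aggregation convention.

```python
"""Roll up security control assessment findings per control.

Added example; not from the original page and not a NIST tool. Control IDs,
determination statements and evidence strings are constructed sample data.
SP 800-53A records each finding as "satisfied" or "other than satisfied"
using the examine, interview and test methods; the rule that a control is
satisfied only when every determination statement is satisfied is this
example's own aggregation convention.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Method(Enum):
    EXAMINE = "examine"      # review policies, procedures, configurations
    INTERVIEW = "interview"  # question the people who operate the control
    TEST = "test"            # exercise the mechanism and observe its behaviour


class Finding(Enum):
    SATISFIED = "satisfied"
    OTHER_THAN_SATISFIED = "other than satisfied"


@dataclass
class Determination:
    statement: str      # what the assessor had to determine
    method: Method
    finding: Finding
    evidence: str = ""  # artifact the finding rests on (constructed here)


@dataclass
class ControlAssessment:
    control_id: str
    control_class: str  # "management", "operational" or "technical"
    determinations: List[Determination] = field(default_factory=list)

    def finding(self) -> Finding:
        # A single failed determination statement means the control as a
        # whole cannot be reported as satisfied; a control with no
        # determinations assessed at all is not satisfied either.
        if self.determinations and all(
            d.finding is Finding.SATISFIED for d in self.determinations
        ):
            return Finding.SATISFIED
        return Finding.OTHER_THAN_SATISFIED

    def gaps(self) -> List[str]:
        return [d.statement for d in self.determinations
                if d.finding is not Finding.SATISFIED]


def summarize(assessments: List[ControlAssessment]) -> Dict[str, object]:
    """Count findings overall and per control class; list controls to fix."""
    by_class: Dict[str, Dict[str, int]] = {}
    remediation: Dict[str, List[str]] = {}
    for a in assessments:
        bucket = by_class.setdefault(
            a.control_class, {"satisfied": 0, "other_than_satisfied": 0})
        if a.finding() is Finding.SATISFIED:
            bucket["satisfied"] += 1
        else:
            bucket["other_than_satisfied"] += 1
            remediation[a.control_id] = a.gaps()
    return {
        "satisfied": sum(b["satisfied"] for b in by_class.values()),
        "other_than_satisfied": sum(b["other_than_satisfied"]
                                    for b in by_class.values()),
        "by_class": by_class,
        "remediation": remediation,
    }


def sample_assessments() -> List[ControlAssessment]:
    """Constructed sample findings for three controls (one per class)."""
    return [
        ControlAssessment("AC-2", "technical", [
            Determination("Account types allowed on the system are identified",
                          Method.EXAMINE, Finding.SATISFIED,
                          "account-management-procedure.pdf"),
            Determination("Inactive accounts are disabled within the defined period",
                          Method.TEST, Finding.OTHER_THAN_SATISFIED,
                          "3 accounts idle for more than 90 days still enabled"),
        ]),
        ControlAssessment("IR-8", "operational", [
            Determination("An incident response plan exists and is distributed",
                          Method.EXAMINE, Finding.SATISFIED, "ir-plan-v4.pdf"),
            Determination("Staff know how to report an incident",
                          Method.INTERVIEW, Finding.SATISFIED, "interview notes"),
        ]),
        ControlAssessment("PL-2", "management", [
            Determination("A system security plan is approved by the authorizing official",
                          Method.EXAMINE, Finding.SATISFIED, "ssp-signed.pdf"),
        ]),
    ]


if __name__ == "__main__":
    report = summarize(sample_assessments())
    print(report["satisfied"], "satisfied,",
          report["other_than_satisfied"], "other than satisfied")
    for cid, gaps in report["remediation"].items():
        print(cid, "->", gaps)
```

Recording the method next to each finding matters in practice: a control that passed only on examine (the policy exists) but was never tested is weaker evidence than one that passed on test, and the report reader should be able to tell the difference.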
Asset valuation
Every piece of information has a value. Sensitive and business-critical information and assets are worth more than unimportant ones. The value of an asset is expressed either as a cost or as its perceived value to the organization.
Methods of Valuation
There are two kinds of information valuation method:
- Subjective Method
Under the subjective theory of value, the value of an asset is the importance that the individuals who act on it place on it. Subjective methods therefore rely on creating, distributing, and collecting data from checklists or surveys.
- Objective Method
Objective valuation uses metrics or statistical measures to give an objective view of the value of information. It rests on specific quantitative measurements rather than qualitative judgement.
Tangible Asset Valuation
Tangible assets are physical assets, so they are valued by subtracting depreciation from the original cost. For assessment purposes the information security professional must know the actual cost of these assets in order to estimate their value correctly. Some of these values also vary with demand and market price.
The following parameters are considered when estimating the value of a tangible asset:
- Actual Cost
- Depreciation
- Market Worth / Value
- Replacement cost comparison
- Cost of competing for an asset with respect to capabilities
Intangible Asset Valuation
Intangible assets are not physical. They are classified as definite or indefinite intangible assets.
- Definite Intangible Assets
Intangible assets that have an expiry period. A patent is the usual example: the asset loses its importance and value when the patent expires.
- Indefinite Intangible Assets
Assets with no defined expiry period, such as a trademark, which keep their value for as long as they are maintained.
To approximate the value of an intangible asset, the following methods are used:
- The cost to create and to replace the asset.
- Capitalization of Historic Profits
- Cost Avoidance or Savings
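The two valuation passages above (tangible assets by cost less depreciation, checked against market worth and replacement cost; intangible assets by cost to create or replace, capitalization of historic profits, and cost avoidance, with definite and indefinite life treated differently) are worked through in the following added example. It is not code from the original page; every asset figure is constructed, and straight-line depreciation, the annuity and perpetuity formulas used to capitalize annual amounts, and the choice of the highest of book, market and replacement cost as the loss figure are this example's own assumptions.

```python
"""Asset valuation for a security assessment.

Added example, not from the original page. All asset figures are
constructed. Straight-line depreciation, the annuity/perpetuity formulas
used to capitalize annual amounts, and taking the highest of book, market
and replacement cost as the loss figure are this example's own choices.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class TangibleAsset:
    name: str
    actual_cost: float        # original purchase price
    salvage_value: float      # residual value at end of useful life
    useful_life_years: float
    age_years: float
    market_value: float       # what the asset would sell for today
    replacement_cost: float   # what an equivalent capability costs today

    def book_value(self) -> float:
        """Actual cost less straight-line depreciation, floored at salvage."""
        annual = (self.actual_cost - self.salvage_value) / self.useful_life_years
        return max(self.actual_cost - annual * self.age_years, self.salvage_value)

    def loss_value(self) -> float:
        """Figure to use when estimating the loss if the asset is destroyed.
        Book value understates a fully depreciated but still critical server,
        so this example takes the highest of the three views (an assumption)."""
        return max(self.book_value(), self.market_value, self.replacement_cost)


def _capitalize(annual_amount: float, rate: float,
                years: Optional[float]) -> float:
    """Present value of an annual amount: a perpetuity for indefinite-life
    assets, an annuity over the remaining years for definite-life ones."""
    if rate <= 0:
        raise ValueError("capitalization rate must be positive")
    if years is None:
        return annual_amount / rate
    if years <= 0:
        return 0.0  # an expired patent contributes nothing going forward
    return annual_amount * (1 - (1 + rate) ** -years) / rate


@dataclass
class IntangibleAsset:
    name: str
    creation_cost: float          # cost to create, or to replace, the asset
    annual_profit: float          # historic profit attributable to it
    annual_cost_avoided: float    # savings it yields, e.g. licence fees not paid
    capitalization_rate: float    # discount rate applied to future amounts
    remaining_life_years: Optional[float] = None  # None = indefinite life

    def is_definite(self) -> bool:
        return self.remaining_life_years is not None

    def valuation(self) -> Dict[str, float]:
        """The three estimates listed in the text, side by side."""
        n, r = self.remaining_life_years, self.capitalization_rate
        return {
            "cost_to_create_or_replace": self.creation_cost,
            "capitalized_historic_profits": _capitalize(self.annual_profit, r, n),
            "cost_avoidance": _capitalize(self.annual_cost_avoided, r, n),
        }


if __name__ == "__main__":
    server = TangibleAsset("db-server", 20000, 2000, 5, 3, 9000, 18000)
    print(server.name, "book", round(server.book_value(), 2),
          "loss", round(server.loss_value(), 2))
    patent = IntangibleAsset("signing-patent", 50000, 30000, 5000, 0.10, 5)
    mark = IntangibleAsset("trade-mark", 10000, 8000, 0, 0.08)
    for a in (patent, mark):
        print(a.name, "definite" if a.is_definite() else "indefinite",
              {k: round(v, 2) for k, v in a.valuation().items()})
```

The two edge cases worth noticing are the depreciation floor (an asset older than its useful life does not go to a negative value) and the definite-life cut-off (an expired patent yields nothing under capitalized profits or cost avoidance, leaving only its historical creation cost).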
Conclusion:
Security Control Assessment (SCA) is the process of evaluating the management, operational, and technical controls within an information system. Its purpose is to validate that each control is required, correctly implemented, operating and followed as intended, and producing the desired result. It is a formal evaluation of a defined set of controls and may be conducted together with Security Test and Evaluation (ST&E). NIST Special Publication 800-53A, Assessing Security and Privacy Controls in Federal Information Systems and Organizations, defines the assessment procedures used to verify that the controls of SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) are in place and effective. A risk assessment also examines whether the selected controls are appropriate and determines whether additional controls are needed. The resulting set of security controls provides a reliable and acceptable level of security for the organization.
References:
https://irtsectraining.nih.gov/ISITAdmin_2013/rolebasedtraining-itadmin/part39.htm
https://www.isaca.org/Journal/archives/2016/volume-6/Pages/assessing-security-controls.aspx
https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=906601
https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language
https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8011-1.pdf
https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Assessment_Procedure.pdf
https://csrc.nist.gov/Projects/Risk-Management/Security-Assessment