fbpx

Security Control Assessment (SCA) & It’s framework


Security Control Assessment (SCA)

Security Control Assessment is the principle which ensures that the security policies are enforced in an organization and are meeting their goals and objectives. Security Control Assessment evaluates these security policies implementers and is responsible for the information system if they are complying with stated security goals. SCA evaluates managerial, operational, and technical security controls in an information system to identify correct and effective enforcement of these controls.

NIST-Security Control Assessment Framework
Figure 1. NIST-Security Control Assessment Framework

Security Control Assessment result provides the surety or evidence enforcement of security control in an organization as well as its effectiveness over the organization’s system. CSA also reports about the quality of risk management processes including the incident response action plans.

CSA reports are very important. Findings from the CSA process helps to determine the overall effectiveness, reliability, and strength of security controls that are associated with an organization. A well-executed assessment process of security control provides input to enhance the running security control, identifies the weakness and strength of controls, and facilitates a cost-effective approach as a solution.

Asset valuation

Every information has a value. Sensitive and important information or assets are more valuable than unimportant resources. The value of an asset is calculated in the form of cost or its perceived value to an organization.

Methods of Valuation

There are two types of information valuation methods that are as follows:

  1. Subjective Method

According to the subjective theory of value, the value of an asset is determined by the importance an acting individual places on it. Subjective methods include the creation, dissemination, and collection of data from checklists or surveys.

  1. Objective Method

Objective valuation is a metric or statistical measure which may provide an objective view of information valuation. They are based on specific quantitative measurements rather than qualitative.

Tangible Asset Valuation

Tangible assets are the physical assets; hence these assets are valued by subtracting depreciation from the original cost. For the assessment purpose, information security professional must know the actual cost of these assets, to estimate the value of assets correctly. Similarly, some of these values are variable depending upon the demand and market value.

Following parameters are considered to estimate the value of tangible assets:

  • Actual Cost
  • Depreciation
  • Market Worth / Value
  • Replacement cost comparison
  • Cost of competing for an asset with respect to capabilities

Intangible Asset Valuation

Intangible assets are not physical hence these type of assets are classified as definite and indefinite intangible assets.

  1. Definite Intangible Assets

Intangible assets that have some expiry period. These assets lose their importance and value when the patent expires.

  1. Indefinite Intangible Assets

Assets that have an indefinite expiration period.

For someone to approximate the value of an intangible asset, the following methods are considered:

  • The cost to create and to replace the asset.
  • Capitalization of Historic Profits
  • Cost Avoidance or Savings

Conclusion:

Security Control Assessment (SCA) is an evaluation process of the different type of controls such as management, operational and security control within an information system. Purpose of this controlled assessment is to validate the requirement of a control, correct implementation, operational & being followed as intended, and result is as desired. It is basically a formal evaluation of a defined set of controls, which may be conducted with the Security Test and Evaluation (ST&E). NIST Special Publication 800-53A Security and Privacy Controls for Federal Information Systems and Organizations ensure the security requirements and enforcement of appropriate security controls. Assessment of risk also examine the selection of appropriate security control and determines the need of additional controls.  The resulting set of security controls ensure a reliable & acceptable level of security for an organization.

References:

https://irtsectraining.nih.gov/ISITAdmin_2013/rolebasedtraining-itadmin/part39.htm

https://www.isaca.org/Journal/archives/2016/volume-6/Pages/assessing-security-controls.aspx

https://ws680.nist.gov/publication/get_pdf.cfm?pub_id=906601

https://csrc.nist.gov/Projects/Open-Security-Controls-Assessment-Language

https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8011-1.pdf

https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/Assessment_Procedure.pdf

https://csrc.nist.gov/Projects/Risk-Management/Security-Assessment

Scroll to Top

Sign-Up with your email address to receive news, new content updates, FREE reports and our most-awaited special discount offers on curated titles !

Loading