The Federal System’s Need for a Security Assessment Process: Part 1
By Kellep Charles of SecurityOrb
Federal agencies, due to Federal Information Security Management Act (FISMA) requirements, are obligated to assess the effectiveness of their systems, as well as the security controls that are in place as part of the certification and accreditation (C&A) process before operations can be approved.
Due to the growing threat to federal systems, security assessments are the key to supporting system owners with a detailed understanding of the strengths and weaknesses of their organization’s information system that supports critical applications and missions.
Furthermore, regular security assessments have become an imperative part of the federal government’s computer and network security posture. In this age, many agencies consist of heterogeneous computing environments, distributed computing and Internet-facing systems. Best practice in information security acknowledges that merely taking a defensive approach to securing an agency’s information system does not suffice and at times is considered inadequate.
By performing regular security assessments, the agency can bridge that vulnerability gap and allow for a proactive stance towards protecting their information-computing environment.
A security assessment can encompass an array of functions or responsibilities such as “Physical Security” to determine if the agency’s computing servers are stored in a secure location and to establish who has access to the communication facilities. A security assessment can also assess the agency’s “Internet Security” posture to determine how vulnerable the organization’s network is from the Internet. An assessment consisting of an Internet security evaluation aids in the understanding of what risks the organization inherits because of unneeded services allowed to and from the outside world. Lastly, an assessment consisting of “Network Security” can determine what access employees have to critical files and data. A network security assessment will help an organization determine if an adequate solution for virus and spam protection exists and validate internal password and system configuration policies.
Each or any combination of the above security assessment missions will give an organization a detailed indication of how secure their information computing environment really is and what measures they would need to implement to mitigate the overall threats.
The National Institute of Standards and Technology (NIST) recommends a five-step methodology in their “Security Assessment Summary Template” when conducting an agency-based security assessment. The five steps are as follows:
Step 1: Identify Threats - This step begins with compiling a threat statement listing potential threat-sources that are applicable to the system.
Step 2: Identify Vulnerabilities - The goal of this step is to develop a list of the system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat-sources. The identification of vulnerabilities can take many forms based on various types of risk assessments.
Step 3: Analyze Risks - The risk analysis for each vulnerability consists of assessing the threats and compensating controls to determine the likelihood that vulnerability could be exploited and the potential impact should the vulnerability be exploited.
Step 4: Identify Recommended Corrective Actions - The finding and its associated risk level are used to determine the recommendations that should be applied as a means to mitigate the risk. When identifying recommendations, the following are taken into consideration: level of effort, costs, emerging technologies, time constraints, and feasibility.
Step 5: Document Results - The results of the risk assessment are documented, providing the finding, business impact statement, recommended corrective actions, likelihood, impact, and risk level.
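The five steps above map naturally onto a small risk register. The following is an added example written for this article, not code from SecurityOrb or from NIST: it records a threat statement (Step 1), pairs each vulnerability with the threat source and compensating controls that apply to it (Step 2), rates risk from likelihood and impact (Step 3), attaches the assessor's recommended corrective actions (Step 4), and emits the documented result fields the article lists for Step 5. The article names no scoring scale, so the likelihood and impact weights are an assumption borrowed from the qualitative risk matrix in NIST SP 800-30; the three findings are constructed sample data.

```python
"""Toy risk register walking the five assessment steps (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed scale: qualitative weights in the style of NIST SP 800-30.
# Risk = likelihood weight x impact weight, then bucketed into Low/Medium/High.
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class Threat:
    """Step 1: one entry in the threat statement."""
    source: str
    description: str


@dataclass
class Finding:
    """Step 2: a vulnerability, the threat that could exploit it, and the
    compensating controls already in place, plus assessor ratings and
    recommendations gathered in Steps 3 and 4."""
    vulnerability: str
    threat: Threat
    compensating_controls: List[str]
    likelihood: str          # Low / Medium / High
    impact: str              # Low / Medium / High
    business_impact: str
    corrective_actions: List[str]


def rate_risk(likelihood: str, impact: str) -> str:
    """Step 3: combine likelihood and impact into a qualitative risk level.
    With the assumed weights, only High/High scores above 50 (High);
    scores above 10 are Medium; the rest are Low."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def document_finding(finding: Finding) -> Dict[str, object]:
    """Step 5: produce the fields the article says a documented result
    carries. A High-risk finding without a corrective action is rejected,
    since Step 4 requires a recommendation for every rated finding."""
    risk_level = rate_risk(finding.likelihood, finding.impact)
    if risk_level == "High" and not finding.corrective_actions:
        raise ValueError(f"High-risk finding lacks corrective actions: {finding.vulnerability}")
    return {
        "finding": finding.vulnerability,
        "threat_source": finding.threat.source,
        "compensating_controls": list(finding.compensating_controls),
        "business_impact_statement": finding.business_impact,
        "recommended_corrective_actions": list(finding.corrective_actions),
        "likelihood": finding.likelihood,
        "impact": finding.impact,
        "risk_level": risk_level,
    }


def build_report(findings: List[Finding]) -> List[Dict[str, object]]:
    """Document every finding and order the report highest risk first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted((document_finding(f) for f in findings),
                  key=lambda r: order[str(r["risk_level"])])


# Constructed sample threat statement and findings (not real agency data).
EXTERNAL = Threat("External attacker", "Unauthenticated party on the Internet")
INSIDER = Threat("Malicious or careless insider", "Employee with a valid account")
VISITOR = Threat("Unescorted visitor", "Person present in the facility")

SAMPLE_FINDINGS = [
    Finding("Unneeded service reachable from the Internet", EXTERNAL, [],
            "High", "High", "Exposes a mission application to compromise",
            ["Disable the service", "Restrict the port at the perimeter firewall"]),
    Finding("Internal password policy not enforced on file server", INSIDER,
            ["Account lockout after failed logons"], "Medium", "Medium",
            "Weak credentials widen access to critical files",
            ["Apply the agency password policy via group policy"]),
    Finding("Server room badge logs not reviewed", VISITOR,
            ["Badge-controlled door", "Escort policy"], "Low", "Medium",
            "Unreviewed physical access could go unnoticed",
            ["Review badge logs weekly"]),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_FINDINGS):
        print(f"{row['risk_level']:6} {row['finding']}")
```

The thresholds live in one function so an agency can swap in its own scale without touching the record format; the report ordering makes the highest-risk items the first thing a system owner reads, which is the point of Step 5.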
Kellep (@kellepc) is the creator and Executive Editor of SecurityOrb.com (@SecurityOrb), an information security & privacy knowledge-based website with the mission to share and raise awareness of the motives, tools and tactics of the black hat community, and provide best practices and counter measures against malicious events.
Kellep works as a government contractor in the Washington, DC area as an Information Security Analyst with over 15 years of experience in the field.
Currently he is completing his Doctorate in Information Assurance at Capitol College, and has served as an Adjunct Professor in their Computer Science department.
His industry certifications include:
Certified Information Systems Security Professional (CISSP)
Cisco Certified Network Associate (CCNA)
Certified Information Systems Auditor (CISA)
National Security Agency - INFOSEC Assessment Methodology (NSA-IAM)
Information Technology Infrastructure Library version 3 (ITILv3)
Posted on 02/21/2012