Domain 5 - Audit and Assessment Flashcards
(22 cards)
When does a formal assessment or audit occur?
A formal assessment or audit occurs whenever there is a need to provide evidence of compliance with a standard or mandate, either for business purposes or because of an external requirement (e.g. a regulation).
What is the purpose of external assessments?
External assessments typically support compliance requirements or are intended to provide:
- assurances,
- proof,
- or evidence
to a third party (e.g. a regulatory body, customer, or business partner) that security needs are met.
What is the purpose of an internally driven assessment?
Internally driven assessments are more often completed to support the organization's:
- due diligence,
- capability improvement,
- or internal reporting.
What does ISO 27001 require in terms of assessment?
ISO 27001 requires a monitoring and internal audit program that includes many of the same elements as the NIST RMF Assess and Monitor steps.
This includes controls that specify an independent review of the information security program at planned and recurring intervals.
ISO 27001 certification does require that certification audits be conducted by an accredited certification body, while the NIST RMF leaves assessor selection to the Authorizing Official (AO) within the organization.
During assessment or audit preparation, stakeholders are identified along with their respective roles and responsibilities.
Who does this include?
Stakeholders in this context include anyone:
- involved in conducting the assessment,
- impacted by the assessment (e.g. operational impacts due to disruptions to normal activities),
- or who will use the output of the assessment (e.g. the board of directors, external customers).
Which role with significant responsibilities to the assessment/audit is one of the most important to identify?
The role of the assessor or auditor.
What is one aspect to consider in the assessor/auditor selection process?
One aspect of choosing the correct assessor is their technical expertise and their knowledge of:
- security risk management,
- and the concepts, hardware, software, or firmware associated with the assessment.
In the relationship between the assessed and the assessor, what is very important to protect the integrity of the assessment?
The degree of independence the assessor has from the system owner and/or organization.
In this context, independence means there is no conflict of interest for the assessor or auditor in the conduct of the assessment or audit, which allows stakeholders to trust the results.
The assessor or auditor typically develops the _____ based on input from other stakeholders.
Assessment plan
Assessment plans are based on what?
- Security and privacy plans
- Program management documentation
- Common control documentation
For the NIST RMF, who reviews and approves these plans?
For the NIST RMF, assessment plans are reviewed and approved by the Authorizing Official (AO) or the Authorizing Official Designated Representative (AODR), to ensure they are consistent with security and privacy objectives and that they employ appropriate:
- procedures,
- methods,
- techniques,
- tools,
- and automation.
Name a few of the 10 preparatory activities for the assessment plan.
Preparatory activities include:
- Developing a general understanding of the organization's mission, business, and operations
- Understanding how the information system supports the organization's operations
- Identifying the general structure and components of the system
- Identifying organizational entities associated with common controls
- Ensuring a common understanding of assessment objectives and scope
- Obtaining necessary documents and artifacts
- Establishing points of contact needed for the assessment
- Obtaining previous assessment results
- Developing detailed security and privacy plans
- Prioritizing and scheduling assessments
Name a few of the 13 specifics of the assessment plan.
The assessment plan:
- Establishes the objective and scope of the assessment
- Reviews previous recommendations
- Allocates the resources necessary to carry out the assessment
- Establishes time frames and key milestones of the assessment
- Identifies documents and artifacts to be collected and provided to the assessor
- Includes a communication plan to minimize ambiguities and misunderstandings
- Includes detailed assessment procedures and expected results
- Is tailored to the specific scope and objectives
- Lists tools and resources required
- Specifies locations and logistics
- Outlines data handling procedures and protection requirements
- Addresses legal considerations
- Establishes a post-assessment follow-up plan
What are assessment objectives?
The assessment objective is what the organization wants to obtain from the assessment.
Assessments may have multiple objectives, some of which may come from different stakeholders.
The objective is the reason for conducting the assessment and is what produces value for the organization.
What is the assessment - scope?
Scoping specifically identifies what is and is not part of the assessment.
Assessments may focus on specific systems, an entire organization’s security program (e.g., ISO 27001), or elements of a larger organization or technical infrastructure.
The assessment scope defines the parts, pieces, components, processes, technology, and staff included.
What are assessment - resources?
Resources are the human and technical resources available for the assessment.
The objectives must be accomplished within the bounds of the available resources and schedule limitations.
Resource limitations are often driven by the assessment scope, the cost of using the resources, or the operational impact of using the resources.
Explain assessment - schedule.
Scheduling ensures resources are available at the time necessary to conduct the assessment and minimizes negative impact to the resources used.
This impact includes staff being unavailable for their normal duties, disruptions to normal operations, and the use of technologies that may have performance or technical impact on operations (e.g., running a test that results in system and network slowdowns).
Explain assessment - deliverables.
Deliverables are defined, and appropriate formats are set, before the assessment.
Deliverables must include the elements necessary to meet the objectives defined for the assessment.
Formats for deliverables are defined to ensure all stakeholder needs will be met by the output of the assessment.
What needs to be done before the assessment can be conducted?
Before conducting the assessment, a detailed plan is developed that identifies specific goals to achieve the overall objectives, along with the assessment procedures.
Name the 4 NIST-defined assessment objects (NIST SP 800-53A).
- Specifications. Document-based artifacts including policies, procedures, plans, system security requirements, and privacy requirements.
- Mechanisms. Hardware, software, or firmware safeguards and countermeasures.
- Activities. System operations, management, exercises, administration, and processes.
- Individuals. People who apply the specifications, mechanisms, or activities.
Name the 3 NIST-defined assessment methods and the types of objects they would be used to assess.
- Test. Exercising assessment objects under specified conditions to compare actual and expected behavior. Tests can be applied to mechanisms and activities.
- Interview. Conducting discussions and asking questions. Interviews are applied to individuals or groups of individuals.
- Examine. Checking, inspecting, reviewing, observing, studying, or analyzing. Examination can be applied to specifications, mechanisms, and activities.