Assessing an Enterprise Security Program

All Security & Privacy charts displayed on the JDBiggs & Associates website are for informational purposes only and do not reflect the most current release.
 
JD Biggs created the SPA&V methodology to educate system owners, security and privacy professionals, and stakeholders on the federal standard for completing a risk assessment on Major Applications and General Support Systems. This chart outlines the nine phases of the risk assessment process as defined by NIST Special Publication 800-30 and as performed by JD Biggs & Associates.
 
The constructs of this chart define the tasks, activities, guidance documentation and tangible outputs for accurately completing each phase. Completing a risk assessment using this standard involves the collection, review and analysis of security program artifacts, physical walkthrough of production facilities, one-on-one interviews with stakeholders, and verification & validation of In-Place security controls.
 
Recommendations are produced after completing analysis (Phases 4, 5, 6 & 7). An Agency or Commercial organization should use this chart in the development of Risk Assessment activities and to measure the performance of internal resources or contracted 3rd parties.
 
Additional uses of this chart include:
  • Increasing the accuracy of Plan of Action & Milestones (POA&M)
  • Development and validation of your Risk Assessment process
  • Improving the contents of baseline security requirements and controls
  • Developing a Project Management Plan
  • Cost projections for a risk assessment project
  • Populating CSAM, ASSERT and other FISMA Management Tools
  • Human Resources - Conducting resume reviews and candidate interviews
 

 


Note: This chart is available for purchase from our store.
Please contact us for additional information on how we can assist your organization.
Copyright 2009 by JD Biggs & Associates Inc.