Assessing an Enterprise Security Program
JDBiggs created the SPA&V methodology to educate system owners, security and privacy professionals and stakeholders on the federal standard for completing a risk assessment on Major Applications and General Support Systems. This chart outlines the nine phases of the risk assessment process as defined by NIST Special Publication 800-30 and performed by JD Biggs & Associates.
The constructs of this chart define the tasks, activities, guidance documentation and tangible outputs for accurately completing each phase. Completing a risk assessment using this standard involves the collection, review and analysis of security program artifacts, a physical walk-through of production facilities, one-on-one interviews with stakeholders, and verification and validation of in-place security controls.
Recommendations are produced after completing the analysis phases (Phases 4, 5, 6 and 7). An Agency or Commercial organization should use this chart in the development of Risk Assessment activities and to measure the performance of internal resources or contracted third parties.
Additional uses of this chart include:
- Increasing the accuracy of Plan of Action & Milestones (POA&M)
- Development and Validation of your Risk Assessment process
- Improving the contents of baseline security requirements and controls
- Developing a Project Management Plan
- Cost projections for a risk assessment project
- Populating CSAM, ASSERT and other FISMA Management Tools
- Human Resources – Conducting Resume Reviews and Candidate Interviews