Security Control Assessment
When performing Security Control Assessment (SCA) activities on Major Applications (MA) or General Support Systems (GSS), whether still in development or operating in a production environment, a formal process must be established. This methodology is our strategy for completing the review of security and privacy program artifacts, testing all security controls, producing recommendations and briefing stakeholders. The purpose of the SCA Life-cycle Methodology is to add structure to the Assessment and Authorization (A&A) process and to comply with OMB Memoranda, NIST Special Publications, Federal Information Processing Standards (FIPS), system requirements, and internal policies and standards.
JDBiggs & Associates implements this strategy on legacy and modernization systems with positive results that have raised an Agency's FISMA score. This methodology may require minor tailoring for a specific environment, security engineering activity, or timeline requirements.
Planning and Review is our project kick-off. It establishes at the outset: (1) the scope of the project, (2) who the individual stakeholders are, (3) which security program artifacts are produced, (4) the timeline for reviewing the contents of these artifacts, and (5) formal acknowledgement by stakeholders that the content of those artifacts is accurate.
Completing a review of privacy information and the system's security categorization (which determines the control baseline) establishes a clear understanding of the security controls that will be tested.
Additional uses of this chart include:
- Development and Validation of your A&A and Risk Assessment Policies, Standards, and Manual/Guide
- Defining Enterprise Architecture Components for Security & Privacy Activities
- Developing a Project Management Plan
- Educating Stakeholders, System Owners, Security & Privacy Professionals