Guidelines For Information Assessment Methodologies NIST SP 800 115
With information security assessment methodologies, an organization can confirm that their security systems are working properly and determine any security needs, which aren’t met, in addition to addressing the security weaknesses. In our blog, A Brief Summary Of NIST SP 800-115 - Information Security Testing And Assessment, we have provided the outline of the key elements of assessment methodologies and techniques. Here we are going to explore the guidelines and recommendations of the Information Assessment Methodologies with the reference to NIST SP 800-115.
In most organizations, information security assessment is overlooked since it requires the availability of resources like staff, time, software and hardware. This factor limits, frequency and type of security assessments. However, the resource challenge can be mitigated by the following actions:
- Evaluating the kinds of security examination and tests the enterprise will execute
- Creating a proper methodology
- Determining the required resources
- Structuring the process of assessments to support expected needs
Benefits Of Security Assessment Methodologies:
- Offer structure and consistency to security testing that can reduce testing risks
- Accelerate the transition of new staff designated for assessment
- Address resource constraints linked with security assessments
There are several accepted methodologies available to conduct various forms of information security assessments. The following figure illustrates the phased approach that includes several advantages like simple to follow and offer multiple breaking points for the staff transition:
1. Security Assessment Planning
For a successful security assessment, it is critical to have proper planning. Let us focus on the guidelines for the proper security assessment planning.
Developing A Security Assessment Policy
- An enterprise should create a security assessment policy to offer guidance and direction for their assessments.
- The policy should determine security assessment needs and hold liable those individuals answerable for guaranteeing that assessments fulfil the requirements.
- The policy that is approved should be distributed to the corresponding staff and third parties who are responsible to conduct the security assessments for the enterprise.
- It is essential to review the policy at least annually as well as whenever there is an update in the assessment associated requirements.
Prioritizing & Scheduling Assessments
- An enterprise should decide on choosing systems for the assessment and how frequent these assessments should be accomplished.
- They should consider system categorization, scheduling requirements, expected benefits, resource availability and applicable regulations where security assessment is required while prioritizing the assessments.
- Technical consideration support to determine the frequency of the assessment like a planned system upgrade is conducted before performing testing or waiting until known vulnerabilities are corrected.
Selection & Customizing Techniques
Several factors that organization needs to consider while identifying which techniques must be applied for a certain assessment. These includes:
- Assessment objectives
- Classes of techniques, which can acquire information to provision those objectives
- Proper techniques in each class
- Some techniques demand organization to identify the viewpoint (like internal or external) of the assessors
Determining The Logistics
Addressing logistics include determining entire required resources for performing assessments. They are:
- Selecting the assessment team with appropriate experience and skills
- Selecting locations & environments from which to conduct the assessment
- Obtaining and configuring entire required technical tools
Assessment Plan Development
- It is recommended to document the activities planned to conduct an assessment and other associated information.
- A plan must be created for every security assessment to offer the boundaries and rules to which assessors should adhere.
- The plan must determine the networks and systems to be evaluated, the level and type of testing allowed, data handling requirements, logistic information on the assessment and incident handling guidance.
Addressing Legal Considerations
- An enterprise should assess legal concerns when commencing a security assessment, especially in case the assessment includes intrusive tests or in case the assessments requires to be conducted by an external unit.
- Legal departments may analyze the assessment plan, report privacy concerns & perform other actions with assistance of assessment planning.
Security Assessment Execution
The following details will offer the key element for the assessors to focus on throughout the assessment execution phase.
Assessors require coordination throughout the entire execution phase of the assessment. Coordination requirements are identified by the ROE (Rule Of Engagement) or assessment plan and must be followed accordingly. Assessors should ensure that their coordination should address the following:
- Stakeholders are mindful of the assessment activities, schedule and potential influence the assessment may possess.
- The assessment doesn’t happen during new technology integration, upgrades or other situation when the security of the system is altered.
- Assessors are endowed with needed access levels of the systems and facility, as appropriate.
- Corresponding individuals are informed if an incident takes place to cease the activities until the security incident is reported.
It is important that entire assessor should understand the plan and ROE. They are recommended to periodically review and assess the ROE and plan during the assessment. In case a security incident happens while the assessment is in progress, it should be reported to the corresponding response team. In that situation, the incident team follows the normal escalation process and the assessor must follow the recommended actions in the plan or ROE. The most recommended action is that the assessment process for the system which is influenced by the incident should be stopped.
In the assessment process, it is suggested to perform analysis to determine false positives, determine the root cause of vulnerabilities and categorize vulnerabilities.
For determining false positive, assessors can analyze their findings with a manual examination or automated tools.
An enterprise can categorize their finding based on the security controls & control families in “NIST SP 800-53”. This can support vulnerability analysis, documentation, and remediation.
An enterprise should document the data handling requirements in the ROE or assessment plan, and follow to their governing policies concerning the system vulnerability handling. The following are a recommendation for proper data handling:
- Data Collection - The team should gather relevant details throughout the assessment process. Types of details that assessors require to collect are architecture & configuration data and assessor activities.
- Data Storage - Assessors are responsible to ensure the secure storage of the data that they collected during the security assessment. The information they need to store securely are:
- Assessment Plans & ROE
- Assessment results report
- Documentation on network architecture and system security configuration
- POA & M (Plan Of Action & Milestones) or corrective action plan
Sometimes, the assessment data needs to transmit over the internet. It is essential to ensure the secure data transfer to protect it from the compromise. The recommendations are:
- The ROE or assessment plan should report the need of as well as a process for, transmitting the vital informations
- Encrypt individual files that include sensitive information
- Encrypt communication channels with FIPS-compliant encryption
- Provide details through mailed or delivered soft or hard copies
Data Destruction - When the security assessment information is no longer required, the hard copy documentation, the assessment system & media should be sanitized.
- An enterprise should include the policy on the sanitization needs for their assessment systems.
- Third-party assessors must guarantee that they aware the requirement of the enterprise for sanitization.
Post Testing Activities
In the security assessment execution phase, the findings are expressed in the vulnerabilities perspective, whereas, in the post testing phase, appropriate steps are taken to address the vulnerabilities, which have been identified. Here is the recommendation to translate the findings into effective actions to enhance the security:
- Apart from the analysis which is happened during the testing phase, the final analysis including the mitigation recommendation development needs to conduct after the completion of entire testing activities.
- There may be required to create both technical as well as non-technical mitigation recommendation that requires being developed to address the processes of the organization.
- Example mitigation actions are process, policy & procedure modifications, new security techniques deployment, security architecture modifications and OS & application patches deployment.
Once the analysis gets completed, it is required to generate a report, which identifies network, system, and enterprise vulnerabilities & their mitigation actions. The outcome of the testing can be utilized in the following ways:
- As a reference for tracking the progress of the organization in satisfying security requirements
- As a benchmark for corrective action
- For defining mitigation activities to report determined vulnerabilities
- To evaluate the implementation posture of security requirements
The POA & M offers the program management office along with information and needed actions required to appropriately mitigate risks. As an accompaniment to the POA & M, an enterprise may develop processes or strategies for implementing the plan. An enterprise should consider the following four steps at a minimum during their process of remediation implementation:
- Test the remediation recommendation
- Coordinate with POA & M via the configuration control or configuration management board of the enterprise.
- Mitigation actions should be implemented & verified to guarantee their accurate implementation.
- Continuously update POA & Ms in order to determine actions, which have been completely acquired, partially acquired or pending by other systems.
The above information covered the guidelines that assessors should consider during the information security assessments. The organization can follow these recommendations to determine the effectiveness of their security control.
Hack2Secure is as one of the few global vendors with a capability to deliver End-to-End Information Security programs via Training, Certification (PearsonVUE) and Services across Information Security domains aligned with Industry Security requirements and Best practices. Connect with us to explore more.