Security blog, 7 December 2016

NIST focused IT Security Assessment

RADCube has extensive experience providing IT Security Assessments based on the guidelines of the National Institute of Standards and Technology (NIST).

The RADCube team works with the client's compliance officer, system engineers, system and network administrators, and any other stakeholders to test the prescribed security controls. RADCube adheres to the control assessment procedures prescribed by NIST: Interview, Examine, and Test. RADCube acts as an independent assessor to verify the security control compliance of the information system. It is during this step that we develop a security control assessment plan (SAP) to test the security controls.

The RADCube team develops the SAP based on the documentation review and the specific instructions of the task request. The plan follows the applicable guidelines, including NIST SP 800-53 Revision 4, SP 800-42 (Guidelines on Network Security Testing), the Risk Management Framework (RMF) Process Guide, and any other requirements prescribed by the client. Upon completion, the SAP is submitted to the client for approval before any testing takes place.

This plan will address the Requirement Traceability Matrix (RTM) for the information system being assessed. These requirements include all three control classes: Management, Operational, and Technical.

For each security control area, the plan will specify:

  • Evaluation and test methodology to be used (in compliance with NIST SP 800-53A Revision 4) and the expected results;
  • Roles and responsibilities of each participant (RADCube, client staff, and other participants);
  • Test duration and schedule, including hours of operation (certain tests may have to be conducted after hours);
  • “Rules of Engagement” specifying technical boundaries, level of aggressiveness, and coordination with system operators, system owners, and external entities (if necessary);
  • Reporting format and content guidelines.

The test objectives are based on the security controls that NIST SP 800-53 Revision 4 requires to be in place for the system's security categorization.

The test steps will typically be one, or a combination, of the Interview, Examine, and Test methods.

Interview – The interview method is the process of conducting discussions with individuals or groups of individuals within an organization to facilitate assessor understanding, achieve clarification, or obtain evidence.

Examine – The examine method is the process of reviewing, inspecting, observing, studying, or analysing one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of the examine method is to facilitate assessor understanding, achieve clarification, or obtain evidence.

Test – The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behaviour.

RADCube begins all tasks with a thorough review of existing documentation. We use our standard checklists to compile the list of information that must be obtained. RADCube works directly with the client's security personnel and system owners to ensure that all information required to complete the RMF assignment is available. We do this through a combination of interviews and examination of existing policies and standard operating procedures (SOPs), incident response reports, audit logs, and similar records. RADCube has developed a tool that organizes the NIST SP 800-53 controls by assessment method.

To learn more on our IT Security Assessment, contact us at info@radcube.com
