Security control assessments are intended to be objective evaluations of an information system's security posture, and security assessment reports (SAR) are similarly expected to be accurate and impartial representation of assessment findings.
Coordination and interviewing the right point of contact is crucial in minimizing disruption. For example, you wouldn't interview the system owner on technical controls, and you wouldn't interview an engineer on organizational level processes. In addition, understanding the control requirements and being able to translate it accordingly to the audience is critical for meaningful interviews.
Knowing what evidence/artifacts to observe or request is vital in providing supporting evidence to quality security control assessments. It is essential to understanding who owns the servers, operating system and application. In the case of cloud-based systems, being able to differentiate what security/privacy controls are customer responsibility versus the cloud service provider (CSP) responsibility is major.
Always referring to applicable policy and/or system level documentation within security control assessments allow system stakeholders to see if there are any gaps. The key factor is to have documented policies/procedures that are tailored for your organization's position on security. If you establish policies and procedures and applications to cover all NIST control families, you will be in excellent shape.
Security Assessment Reports
We always submit the report draft to weed out false positives and confirm expectations.
- Consumable recommendations for remediation beyond merely pointing out security weaknesses.
- Account for the organization’s industry, business model, and compliance requirements.
- Augment decision making in balancing risk exposure with the cost of implementing safeguards.
- Strong executive summary to highlight the key findings and recommendations.