Security Controls Assessment Workshop provides a current and well-developed approach to evaluation and testing of security controls to prove they are functioning correctly in today’s IT systems. This course shows you how to evaluate, examine, and test installed security controls in the world of threats and potential breach actions surrounding all industries and systems. If a system is subject to external or internal threats and vulnerabilities – which most are – then this course will provide a useful guide for how to evaluate the effectiveness of the security controls that are in place.
The Security Control Assessment is a process for assessing and improving information security. It is a systematic procedure for evaluating, describing, testing and examining information system security prior to or after a system is in operation. The security control assessment process is used extensively in the U.S. Federal Government under the RMF Authorization & Assessment process. Security assessments are conducted to support security authorization events for agencies and organizations. These assessments provide data in a tiered risk management approach to evaluate both strategic and tactical risk across the enterprise.
This security control assessment process identifies vulnerabilities and countermeasures and determines residual risks; the residual risks are then evaluated and deemed either acceptable or unacceptable. Where risk is unacceptable, more controls must be implemented to reduce it, and the residual risk is then re-evaluated. The system may be deployed only when the residual risks are acceptable to the enterprise.
The goal of the assessment activity is to assess the security controls using appropriate assessment procedures to determine the extent to which the controls are: implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Key Areas
- Review of the SCA role in RMF
- Security Control Assessment Criteria and Requirements
- Assessing Controls – The Process
- Managerial Control Reviews
- Technical Control Reviews
- Operational Control Reviews
- Security Control Assessment Reporting
Learning Objectives
To provide a deep dive into step 4 of the Risk Management Framework in accordance with the NIST SP 800-37.
Framework Connections
The materials within this course focus on the NICE Framework Task, Knowledge, and Skill statements identified within the indicated NICE Framework component(s):
Competency Areas