Download Free NIST SP Information Security Testing and Assessment Engagement Templates
1.1. Purpose
Identifies the purpose of the document as well as the organization being tested, the group conducting the testing (or, if an external entity, the organization engaged to conduct the testing), and the purpose of the security test.
1.2. Scope
Identifies test boundaries in terms of actions and expected outcomes.
1.3. Assumptions and Limitations
Identifies any assumptions made by the organization and the test team. These may relate to any aspect of the test to include the test team, installation of appropriate safeguards for test systems, etc.
1.4. Risks
Inherent risks exist when conducting information security tests—particularly in the case of intrusive tests. This section should identify these risks, as well as mitigation techniques and actions to be employed by the test team to reduce them.
1.5. Document Structure
Outlines the ROE’s structure, and describes the content of each section.
Information Security Assessment Implementation Checklists
What should an organization prepare before performing an information security assessment? NIST recommends the following:
1. Establish an information security assessment policy.
This identifies the organization’s requirements for executing assessments, and provides accountability for the appropriate individuals to ensure assessments are conducted in accordance with these requirements. Topics that an assessment policy should address include the organizational requirements with which assessments must comply, roles and responsibilities, adherence to an established assessment methodology, assessment frequency, and documentation requirements.
2. Implement a repeatable and documented assessment methodology.
This provides consistency and structure to assessments, expedites the transition of new assessment staff, and addresses resource constraints associated with assessments. Using such a methodology enables organizations to maximize the value of assessments while minimizing possible risks introduced by certain technical assessment techniques. These risks can range from not gathering sufficient information on the organization’s security posture for fear of impacting system functionality to affecting the system or network availability by executing techniques without the proper safeguards in place. Processes that minimize risk caused by certain assessment techniques include using skilled assessors, developing comprehensive assessment plans, logging assessor activities, performing testing off-hours, and conducting tests on duplicates of production systems (e.g., development systems). Organizations need to determine the level of risk they are willing to accept for each assessment, and tailor their approaches accordingly.
3. Determine the objectives of each security assessment, and tailor the approach accordingly.
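The ROE scope and risk sections above, and the "logging assessor activities" and "performing testing off-hours" safeguards in item 2, can be turned into a pre-execution guardrail for the test team. The Python below is an added example, not a template or code from NIST SP 800-115 or from the page: the ROE record layout (`scope`, `excluded`, `permitted_actions`, `window`), the documentation-range addresses and the assessor names are all assumed for illustration. Every decision, including refusals, produces a log line so the activity trail required by the methodology is complete.

```python
"""Pre-execution guardrail: check a planned test action against a Rules of
Engagement (ROE) record before it is carried out, and log the decision.

Added example; the ROE field names and the sample values are assumptions,
not taken from NIST SP 800-115.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Constructed sample ROE mirroring the section structure described above.
SAMPLE_ROE = {
    "purpose": "Annual external assessment of the web tier",  # 1.1 Purpose
    "scope": ["203.0.113.0/24"],              # 1.2 Scope: in-scope ranges (TEST-NET-3)
    "excluded": ["203.0.113.10"],             # hosts explicitly out of bounds
    "permitted_actions": {"port_scan", "vuln_scan", "config_review"},
    "window": (time(22, 0), time(5, 0)),      # agreed off-hours testing window, local time
}


@dataclass
class Action:
    assessor: str
    target: str   # IP address the action would touch
    kind: str     # technique name, must appear in the ROE's permitted_actions


def in_window(now: datetime, window) -> bool:
    """True if the wall-clock time falls inside the window; handles windows that cross midnight."""
    start, end = window
    t = now.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def check_action(roe: dict, action: Action, now: datetime):
    """Return (allowed, reason). Hard exclusions are checked before anything else."""
    try:
        target = ipaddress.ip_address(action.target)
    except ValueError:
        return False, f"target {action.target!r} is not an IP address"
    if any(target == ipaddress.ip_address(x) for x in roe["excluded"]):
        return False, f"{action.target} is explicitly excluded by the ROE"
    if not any(target in ipaddress.ip_network(n) for n in roe["scope"]):
        return False, f"{action.target} is outside the in-scope ranges"
    if action.kind not in roe["permitted_actions"]:
        return False, f"action {action.kind!r} is not permitted by the ROE"
    if not in_window(now, roe["window"]):
        return False, f"{now:%H:%M} is outside the agreed testing window"
    return True, "within scope, permitted, and inside the testing window"


def log_entry(action: Action, allowed: bool, reason: str, now: datetime) -> str:
    """One line per decision, so refused attempts are recorded as well as executed ones."""
    verdict = "ALLOWED" if allowed else "REFUSED"
    return (f"{now.isoformat(timespec='minutes')} {action.assessor} "
            f"{action.kind} {action.target} {verdict}: {reason}")


# Constructed sample actions: one in scope, one excluded host, one out-of-range
# address, one technique the ROE does not permit.
SAMPLE_ACTIONS = [
    Action("alice", "203.0.113.25", "port_scan"),
    Action("alice", "203.0.113.10", "port_scan"),
    Action("bob", "198.51.100.7", "vuln_scan"),
    Action("bob", "203.0.113.25", "social_engineering"),
]
SAMPLE_NOW = datetime(2024, 3, 1, 23, 30)  # inside the 22:00-05:00 window


def demo() -> list:
    """Evaluate the sample actions; returns the list of allowed flags."""
    verdicts = []
    for a in SAMPLE_ACTIONS:
        ok, why = check_action(SAMPLE_ROE, a, SAMPLE_NOW)
        print(log_entry(a, ok, why, SAMPLE_NOW))
        verdicts.append(ok)
    return verdicts


if __name__ == "__main__":
    demo()
```

The order of the checks is deliberate: an excluded host is refused even if it sits inside an in-scope range, and a permitted technique against an in-scope host is still refused outside the agreed window.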
Facility and site selection is a difficult task. There are many criteria to avoid and many to prioritize, and selecting the best location from a physical security perspective is complex. Before starting the selection process, review the checklist and the list of criteria for facility and site selection below.
For each criterion you can create a simple scoring system, and based on the resulting calculation choose the facility and site that best suit you. The physical security guidelines are listed below.
- Avoid iconic, trophy, historic, listed, or high-profile sites and/or locations near such sites
- Avoid uncontrolled public facilities for vehicles (e.g., tunnels, parking areas, etc.) directly beneath or adjacent to the site
- Seek maximum setback from the street on all facades
- Seek maximum physical separation from neighboring buildings
- Seek convenient external assembly points
- Seek close proximity to emergency services
- Seek easy access to major roads or arteries
- Seek sole building occupancy or sole floor occupancy at a minimum
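The "simple scoring system" mentioned above can be implemented as a weighted sum over the guidelines just listed. The Python below is an added example, not part of the page or of any NIST guideline: the weights, the 0-3 scoring scale, the choice of which criteria are knockouts, and the three candidate sites with their scores are all constructed for illustration. It goes slightly beyond the text in one respect: the two "avoid" criteria are treated as knockouts, so a site that fails one of them is disqualified no matter how well it does elsewhere.

```python
"""Weighted scoring of candidate sites against the physical-security
selection criteria listed above.

Added example; weights, scale, knockout choices and candidate data are
constructed assumptions, not taken from any guideline.

Each criterion is scored 0-3 by the reviewer (0 = not met, 3 = fully met).
The "avoid" criteria are phrased positively so that a high score means the
hazard is absent; a 0 on a knockout criterion disqualifies the site.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Criterion:
    name: str
    weight: int             # relative importance (assumed values)
    knockout: bool = False  # a score of 0 disqualifies the site


# Constructed weights; the names follow the guideline list above.
CRITERIA = [
    Criterion("not an iconic or high-profile site, nor adjacent to one", 5, knockout=True),
    Criterion("no uncontrolled public vehicle facilities beneath or adjacent", 5, knockout=True),
    Criterion("setback from the street on all facades", 4),
    Criterion("physical separation from neighbouring buildings", 4),
    Criterion("convenient external assembly points", 2),
    Criterion("close proximity to emergency services", 3),
    Criterion("easy access to major roads or arteries", 2),
    Criterion("sole building (or at least sole floor) occupancy", 3),
]
MAX_SCORE = 3


def sheet(*scores: int) -> dict:
    """Build a score sheet from reviewer scores given in CRITERIA order."""
    if len(scores) != len(CRITERIA):
        raise ValueError(f"expected {len(CRITERIA)} scores, got {len(scores)}")
    return {c.name: s for c, s in zip(CRITERIA, scores)}


def score_site(scores: dict) -> tuple:
    """Return (normalised score in [0, 1], disqualified flag); missing criteria count as 0."""
    max_total = sum(c.weight * MAX_SCORE for c in CRITERIA)
    total = 0
    disqualified = False
    for c in CRITERIA:
        s = scores.get(c.name, 0)
        if not 0 <= s <= MAX_SCORE:
            raise ValueError(f"score for {c.name!r} must be 0..{MAX_SCORE}, got {s}")
        if c.knockout and s == 0:
            disqualified = True
        total += c.weight * s
    return round(total / max_total, 3), disqualified


def rank_sites(candidates: dict) -> list:
    """Rank sites best first; disqualified sites sort after all eligible ones."""
    rows = [(name, *score_site(scores)) for name, scores in candidates.items()]
    return sorted(rows, key=lambda r: (r[2], -r[1]))


# Constructed candidate sites with reviewer scores in CRITERIA order.
CANDIDATES = {
    "Riverside campus":     sheet(3, 3, 3, 3, 2, 3, 2, 3),
    "Downtown tower":       sheet(0, 1, 0, 0, 2, 3, 3, 1),  # iconic site: knockout
    "Suburban office park": sheet(3, 2, 2, 3, 3, 1, 3, 2),
}

if __name__ == "__main__":
    for name, score, dq in rank_sites(CANDIDATES):
        flag = " (disqualified)" if dq else ""
        print(f"{name:22s} {score:.3f}{flag}")
```

Normalising by the maximum attainable total keeps scores comparable if criteria or weights are later added, and keeping the knockout flag separate from the numeric score stops a site with good access and emergency-service proximity from masking a fundamental location hazard.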