Starting a Self-Assessment


Logging In

Before the ASSET can be used you must first enter the required login information. The login screen is the first screen that appears when you open the tool. You must enter your full name (first and last) and email address. After entering your information, select Continue. This will take you to an empty screen where you can open an existing assessment, create a new assessment, export an assessment, etc. Note: once you have logged into the ASSET tool you will become the primary assessor of any new assessment you start.

Creating a New Assessment

To create a new assessment either go to File on the menu bar and select New, or press Alt + N. Once you have selected New the main self-assessment window will open. You will notice five tabs across the top: Assessment Identification, Component Identification, Policy, Assessment Questions, and Summary. You will always start on the Assessment Identification tab when you create a new assessment.

Assessment Identification

The Assessment Identification tab is where you enter all information that is unique to the assessment, such as the system's assessors and objectives. The first entry in the system assessor table will always be the name of the primary assessor, which is the person who has logged into the ASSET and has started the new assessment. The primary assessor is responsible for completing the assessment and ensuring that all questions are either answered or flagged for another assessor to answer. To add an assessor to the table select Add Assessor. Once this has been selected a dialog box will appear giving you two choices: either add a new assessor or add an existing assessor.

The Add New Assessor tab will always be the first tab displayed. To add an assessor you must enter their full name (first and last), phone number, and email address. Once all this information has been entered, select Add Assessor. This will take you back to the Assessment Identification tab where you will see that the assessor has been added and that the name now appears in the system assessor table.

An existing assessor is someone who is in the database as an assessor for another system assessment. If you would like to add an existing assessor select the tab that says Add Existing Assessor. This tab will display a table that has been populated with all of the assessor names that are in the database. Select the name you want and click on Add Assessor. The name will appear in the system assessor table on the Assessment Identification tab.

To delete an assessor, highlight the assessor you wish to delete and select Delete Assessor; the assessor's information will be erased from the table.

Help is another function that can be performed on this page and at any time while using the ASSET system. Selecting Help opens and displays the help files associated with adding and deleting an assessor.

The last function you can perform on this tab is to add the assessment objectives that you have set. These objectives describe the purpose and scope of the assessment.

Once everything has been completed on the tab, select Next, which will take you to the next tab, Component Identification.

Component Identification

The Component Identification tab is where all the information that identifies a particular system is entered. This tab allows you to perform several different operations from entering basic information about the system that is being assessed to adding connecting systems. This tab is divided into three main areas: System Identification, System Criticality, and Inter-Connected Systems.

System Identification allows you to enter all the pertinent information that is unique to the system, such as the system name, system number, system type, the location of the system, and the assessment start date. The system name and number have been previously assigned and are the unique identifiers for the system. The system type refers to whether the system is a major application or a general support system. The agency/division/group refers to the physical location where the system resides.

The second area on this tab is System Criticality, which allows you to enter how the system ranks on a scale from high to low for the three main protection categories outlined in NIST Special Publication 800-26, Section 2.2. The three main protection categories are confidentiality, integrity, and availability. Each protection category has a drop-down list from which you select the level of criticality. To do so, click on the down arrow and highlight the desired level.

Inter-Connected Systems is the last area on the Component Identification tab. This area allows you to add a connected system, delete a connected system, and obtain help. To add a connected system you must first select Add System. Once selected, a dialog box will open that contains two tabs: one for adding a new system and the other for adding a current system that is already in the database. The first tab that is visible when the box appears is Add New System.

To add a new system you must first fill out all the information fields; these are required and must be completed before you select Add System. If they are not, you will receive an error message and will not be able to continue until they are complete. Once the fields are filled in, select Add System. You will then return to the Component Identification tab, where the system's name and information will appear in the table located in the inter-connected systems area.

To add an existing system that has already been stored in the database, click on the tab called Current Systems. Current Systems contains a table populated with all the connected systems that have been stored in the database from previous assessments. To add an existing system, highlight the system name and select Add System. Again, this will bring you back to the Component Identification tab, and the name and corresponding system information will be displayed in the table located in the inter-connected systems area.

To delete a system from the list, highlight the system's name on the table in the connected systems area and select Delete System. The system's information will be erased and will no longer appear on the table.

The Help function can be performed at any time while answering the self-assessment. By selecting the Help option next to the Add System and Delete System buttons the help files associated with adding and deleting a system will be displayed.

Once you have entered all the system's information and all the inter-connecting systems you may proceed to the assessment; this is done by selecting Proceed To Assessment or by selecting the Policy tab.

Policy

Once you have selected Proceed To Assessment you are on the Policy tab. The Policy tab displays all 17 control objectives for the self-assessment and allows you to indicate the control objectives for which you have established policies. A policy is a document that delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress and compliance. To indicate that a policy has been defined for a control objective, check the box at the end of that row. Once you have indicated whether policy has been defined for each control objective, select Next. Next will bring you to the Assessment Questions tab.

Assessment Questions

The main function of the Assessment Questions tab is to collect all the responses to the self-assessment questions. There are two main ways to move from question to question. The first is by using the buttons located at the bottom of the screen. The second is by using the assessment map located on the left hand side of the screen: highlight the desired question in the map. In order to view the assessment map, open the split pane by clicking and dragging the arrows on the left hand side of the screen until the assessment map is completely visible.

Once you have selected a question it will be displayed on the Assessment Questions tab. For each question the question number, section, critical element, and the question itself are displayed. Your responses to each question are made by checking the effectiveness level (Procedures, Implemented, Tested, Integrated). The responses are contained under the section called Indicate Your Responses. Once you have finished answering a question, check the Question Complete? box. Once this box has been checked, proceed to another question either by using the assessment map or the Next button. However, if you cannot answer a question you must designate another assessor to answer it; this is done by checking the Assign to alternate box and selecting an assessor's name. Note that at any time while answering the self-assessment questions you can move to the Summary tab by selecting it.

Summary

The Summary tab is the final tab and can be accessed at any time while answering the assessment questions. The Summary tab has three functions: the first of which is to display the current assessment progress. The status bar shows visually and numerically where you are in the assessment process.

The second function of this tab is to display all critical elements and a summary of their data. If N/A is checked, at least one question of the critical element has been answered N/A. If risk-based decision is checked, at least one question of the critical element has been marked as a risk-based decision. If policy is not checked, this means that 'policy' for the parent control objective was not checked in the Policy tab of ASSET; in this case the last 4 columns will not be checked regardless of the answers provided to the questions, i.e. a system must have policy to get a score on the other levels. The last 4 columns of the summary tab report depend on the answers to the questions of that critical element. The critical element is only as strong as its weakest question. For instance, if a critical element has 6 questions, 5 of which are assessed as Integrated and one as Tested, the entire critical element is assessed as Tested. Not Applicable questions are not used in the scoring of the critical element.
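The following is an added illustration of the Summary-tab scoring rule just described; it is not ASSET's own code. It assumes the four effectiveness levels are ordered Procedures < Implemented < Tested < Integrated and that a question with no level checked counts as the weakest possible answer.

```python
# Added example of the critical-element scoring rule described on this page
# (weakest question wins, N/A questions excluded, no score without policy).
# Assumed ordering of levels, weakest to strongest, and that an answered
# question with no level checked is treated as weaker than Procedures.
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ["Procedures", "Implemented", "Tested", "Integrated"]


@dataclass
class Response:
    level: Optional[str] = None   # highest effectiveness level checked, if any
    not_applicable: bool = False  # question answered N/A
    risk_based: bool = False      # question marked as a risk-based decision


@dataclass
class CriticalElementSummary:
    policy: bool
    has_na: bool
    has_risk_based: bool
    level: Optional[str]          # None when no level can be reported


def summarize_critical_element(policy_checked: bool,
                               responses: List[Response]) -> CriticalElementSummary:
    """Roll the question responses of one critical element up to one row
    of the Summary tab, following the rules stated on this page."""
    has_na = any(r.not_applicable for r in responses)
    has_rbd = any(r.risk_based for r in responses)
    # No policy for the parent control objective: the last four columns stay blank.
    if not policy_checked:
        return CriticalElementSummary(False, has_na, has_rbd, None)
    # N/A questions are not used in scoring.
    scored = [r for r in responses if not r.not_applicable]
    if not scored:
        return CriticalElementSummary(True, has_na, has_rbd, None)
    # The element is only as strong as its weakest question.
    ranks = [LEVELS.index(r.level) if r.level in LEVELS else -1 for r in scored]
    weakest = min(ranks)
    level = LEVELS[weakest] if weakest >= 0 else None
    return CriticalElementSummary(True, has_na, has_rbd, level)


if __name__ == "__main__":
    # Constructed input matching the page's example: 5 Integrated, 1 Tested.
    rows = [Response("Integrated")] * 5 + [Response("Tested")]
    print(summarize_critical_element(True, rows).level)  # Tested
```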

The last function of this tab allows you to store an assessment or to export an assessment. Storing saves the assessment to the database, while exporting saves it to a location of your choice as either a binary data file or an XML file. You can also save an assessment at any time by going to File and selecting Save an Assessment.
