ASSET (Automated Security Self-Evaluation Tool) is the result of a desire to automate some of the steps required to complete a self-assessment as defined in NIST Special Publication (SP) 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001. ASSET is a tool that utilizes an extensive questionnaire containing specific control objectives and suggested techniques against which the security of a system or group of interconnected systems can be measured. Responses to the questionnaire are based primarily on an examination of relevant documentation and on examination and testing of the controls themselves. The control objectives stem from established security guidance and were obtained directly from long-standing requirements found in statute and policy. This tool should be used in conjunction with the more detailed guidance listed in various NIST and OMB publications. In addition, specific technical controls, such as those related to individual technologies or vendors, are not provided in the questionnaire because of their volume and dynamic nature. It should also be noted that an agency may be subject to additional laws, regulations, or policies that establish specific requirements for confidentiality, integrity, or availability. Each agency should decide whether additional security controls should be added to the questionnaire and, if so, customize the questionnaire appropriately; this can be done with the ASSET-Manager component of the tool.
ASSET may be used to assess the status of security controls for a single system, an interconnected group of systems, or an agency as a whole. The assessed units may be individual systems (e.g., major applications, general support systems, mission-critical systems) or a logically related grouping of systems that support operational programs (e.g., Air Traffic Control, Medicare, Student Aid). Assessing all security controls and all interconnected system dependencies provides a metric of the status of IT security at an agency. The results of the assessment can be used as input on the status of an agency’s IT security program.
ASSET assists users in gathering and reporting data for a self-assessment. It does not analyze the data that has been collected. Data analysis is the responsibility of the appropriate IT security manager.