Automated Security Self-Evaluation Tool (ASSET)

Help Files


Introduction

Self-Assessments

A self-assessment conducted on a system (major application or general support system) or multiple self-assessments conducted for a group of interconnected systems (internal or external to the agency) is one method used to measure information technology (IT) security assurance. IT security assurance is the degree of confidence one has that the managerial, technical, and operational security measures work as intended to protect the system and the information it processes. Adequate security of these assets is a fundamental management responsibility. Consistent with Office of Management and Budget (OMB) policy, each agency must implement and maintain a program to adequately secure its information and system assets. Agency programs must: 1) assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability; and 2) protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification.

Agencies must plan for security, ensure that the appropriate officials are assigned security responsibility, and authorize system processing prior to operations and periodically thereafter. These management responsibilities presume that responsible agency officials understand the risks and other factors that could negatively impact their mission goals. Moreover, these officials must understand the current status of security programs and controls in order to make informed judgments and investments that appropriately mitigate risks to an acceptable level.

An important element of ensuring an organization's IT security health is performing routine self-assessments of the agency's security program. For an effective self-assessment, a risk assessment should be conducted in conjunction with or prior to the self-assessment. A self-assessment does not eliminate the need for a risk assessment.

There are many methods and tools for agency officials to help determine the current status of their security programs relative to existing policy. Ideally many of these methods and tools would be implemented on an ongoing basis to systematically identify programmatic weaknesses and where necessary, establish targets for continuing improvement. This tool will assist organizations in completing the self-assessment questionnaire described in NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001.

Description of the ASSET System

ASSET is a tool that utilizes an extensive questionnaire containing specific control objectives and suggested techniques against which the security of a system or group of interconnected systems can be measured. Responses to the questionnaire are based primarily on an extensive examination of relevant documentation and of test controls. The control objectives were obtained directly from long-standing requirements found in guidance, statute, and policy. This tool should be used in conjunction with the more detailed guidance listed in various NIST and OMB publications. In addition, specific technical controls, such as those related to individual technologies or vendors, are not provided due to their volume and dynamic nature. It should also be noted that an agency might have additional laws, regulations, or policies that establish specific requirements for confidentiality, integrity, or availability.

ASSET may be used to assess the status of security controls for a system, an interconnected group of systems, or agency-wide. These systems include information, individual systems (e.g., major applications, general support systems, mission critical systems), or a logically related grouping of systems that support operational programs (e.g., Air Traffic Control, Medicare, Student Aid). Assessing all security controls and all interconnected system dependencies provides a metric of the status of IT security at an agency. The results of the assessment can be used as input on the status of an agency’s IT security program.

ASSET assists users in gathering and reporting data for a self-assessment. It does not analyze the data that has been collected. Data analysis is the responsibility of the appropriate IT security manager.

Audience

The control objectives and techniques presented are generic and can be applied to organizations in private and public sectors. This tool can be used by all levels of management as well as by those individuals responsible for IT security at the system level and organization level. Additionally, internal and external auditors may use the questionnaire to guide their review of the IT security of systems. To perform the examination and testing required to complete the questionnaire, the assessor must be familiar with and able to apply a core knowledge set of IT security basics needed to protect information and systems. In some cases, especially in the area of examining and testing technical controls, assessors with specialized technical expertise will be needed to ensure that the questionnaire’s answers are reliable.

Layout of the ASSET Tool

The ASSET tool consists of five main areas: Assessment Information, Component Identification, Policy, Assessment Questions, and Summary. Tab 1, Assessment Identification, is where the assessor enters all information that is unique to the assessment, such as the system, assessors, and objectives. Tab 2, Component Identification, is where the assessor enters all the information that identifies particular components that are unique to the system, such as system number, location, criticality, and interconnected systems. Tab 3, Policy, is where the assessor indicates whether policy has been established for each of the 17 major control objectives. Tab 4, Assessment Questions, is the start of the self-assessment and displays each assessment question and the corresponding response. Tab 5, Summary, displays the user's current assessment progress and the critical element response table. The critical element response table displays a summary of the responses that were given to each critical element.


·  How to Start an Assessment

·  How to Perform Basic Operations

·  Glossary

·  Frequently Asked Questions
