Federal agencies, under the requirements of the Federal Information Security Management Act (FISMA), are obligated to assess the effectiveness of their systems and of the security controls in place as part of the certification and accreditation (C&A) process before operations can be approved.
Given the growing threat to federal systems, security assessments are the key to giving system owners a detailed understanding of the strengths and weaknesses of the organization's information systems that support critical applications and missions.
Regular security assessments have therefore become an essential part of the federal government's computer and network security posture. Many agencies today operate heterogeneous computing environments, distributed computing, and Internet-facing systems. Best practice in information security acknowledges that merely taking a defensive approach to securing an agency's information systems does not suffice and at times is considered inadequate.
By performing regular security assessments, an agency can bridge that vulnerability gap and take a proactive stance toward protecting its information-computing environment.
A security assessment can encompass an array of functions or responsibilities. A "Physical Security" assessment determines whether the agency's computing servers are stored in a secure location and establishes who has access to the communication facilities. An assessment of the agency's "Internet Security" posture determines how vulnerable the organization's network is from the Internet; this evaluation helps the agency understand what risks it inherits because of unneeded services allowed to and from the outside world. Lastly, a "Network Security" assessment determines what access employees have to critical files and data, helps the organization determine whether an adequate solution for virus and spam protection exists, and validates internal password and system configuration policies.
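Two of the checks named above, finding unneeded services exposed to the outside world and validating password policy against agency minimums, are the kind an assessor typically automates. The script below is an added example written for this page, not code from the FOSE post or from any agency; the host names, the approved-exposure baseline, the scan observations and the policy minimums are all constructed sample data, and the "system security plan" they stand in for is hypothetical.

```python
"""Added example: two automatable assessment checks.

1. Compare the services an Internet-facing host actually exposes with the
   services its (hypothetical) system security plan approves, reporting
   the unneeded exposures the post warns about.
2. Validate a host's password-policy settings against agency minimums.

All inventories, baselines and policy values are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    name: str


# Constructed baseline: externally reachable (port, proto) pairs approved
# per host. A host missing here has no approved external exposure at all.
APPROVED_EXPOSURE = {
    "web01": {(443, "tcp")},
    "mail01": {(25, "tcp"), (587, "tcp")},
}

# Constructed observations from a perimeter scan of the same hosts.
OBSERVED = [
    Service("web01", 443, "tcp", "https"),
    Service("web01", 22, "tcp", "ssh"),
    Service("web01", 8080, "tcp", "http-alt"),
    Service("mail01", 25, "tcp", "smtp"),
    Service("mail01", 587, "tcp", "submission"),
    Service("db01", 1433, "tcp", "mssql"),
]


def unneeded_exposures(observed, approved):
    """Return every observed service not present in the approved baseline.

    A host absent from the baseline is treated as having no approved
    exposure, so everything observed on it becomes a finding.
    """
    return [
        svc for svc in observed
        if (svc.port, svc.proto) not in approved.get(svc.host, set())
    ]


# Constructed agency minimums. For the two "upper bound" settings a value
# of 0 is the common convention for "disabled", which must also fail.
PASSWORD_MINIMUMS = {
    "min_length": 12,          # at least 12 characters
    "max_age_days": 90,        # rotate at least every 90 days
    "history": 24,             # remember at least 24 previous passwords
    "lockout_threshold": 5,    # lock after at most 5 failed attempts
}
UPPER_BOUND_SETTINGS = {"max_age_days", "lockout_threshold"}

# Constructed host settings with two deficiencies.
SAMPLE_HOST_POLICY = {
    "min_length": 8,
    "max_age_days": 0,
    "history": 24,
    "lockout_threshold": 5,
}


def password_policy_findings(host_policy, minimums=PASSWORD_MINIMUMS):
    """Return (setting, observed, required) for each setting that fails.

    A setting missing from the host policy is reported with observed=None.
    """
    findings = []
    for key, required in minimums.items():
        observed = host_policy.get(key)
        if observed is None:
            findings.append((key, None, required))
            continue
        if key in UPPER_BOUND_SETTINGS:
            ok = 0 < observed <= required     # 0 means disabled: fail
        else:
            ok = observed >= required
        if not ok:
            findings.append((key, observed, required))
    return findings


if __name__ == "__main__":
    for svc in unneeded_exposures(OBSERVED, APPROVED_EXPOSURE):
        print(f"FINDING exposure: {svc.host} {svc.port}/{svc.proto} ({svc.name})")
    for key, observed, required in password_policy_findings(SAMPLE_HOST_POLICY):
        print(f"FINDING password policy: {key}={observed}, required {required}")
```

Both checks return structured findings rather than printing, so they can feed an assessment report or a ticketing system directly; the baseline-comparison shape (observed state diffed against an approved state, with "not in baseline" and "disabled" treated as failures) is the same one used for file-access and configuration-policy checks.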
Read the rest at the FOSE Blog Site.