Are you shopping for a comprehensive security assessment, but would like to know what you’re in for before starting? In this post, we’ll break down the process, using an example NIST 800-53 security assessment, so you can determine whether you think you’re ready now, or would perhaps benefit more from a preparatory consulting engagement with a NuHarbor Security team. This guide will help you understand what to expect before, during, and after a security assessment, as well as what sort of value a controls assessment can bring to your organization.
In ideal circumstances, organizations will have completed a formal risk assessment to understand threats and vulnerabilities to their environment and the information they protect. Once the results of a risk assessment have been obtained, organizations can select controls from a framework, such as NIST 800-53, to help treat their risk, thereby making their information security (IS) program risk-informed. While it is our general recommendation that organizations follow this model, this isn’t always the case due to time and resource constraints. Regardless, NuHarbor will be more than happy to guide any organization through this process.
Many organizations mistake an assessment for an audit and use the terms interchangeably. We always begin by allaying the anxiety that this confusion creates and stating that we are there as a partner to help. We encourage client staff members to be more relaxed. Working this way helps us identify even more areas for improvement, because employees are no longer concerned that their jobs may be in jeopardy and are more interested in identifying and resolving shortcomings than in assigning blame or passing the buck. We have also found that this approach fosters a culture of security-mindedness, which pays dividends to the organization in the future.
A NIST 800-53 security assessment usually takes place over a period of 4-6 weeks, depending on the size of the organization and the scope of the assessment. Our focus is on the mission-critical areas of an organization’s business.
A NIST 800-53 security assessment process can be described in several phases, commonly occurring one right after the other:
Security Assessment Phase 1: Document Review (Approximately 1 week, remote)
Leading up to the start of the engagement, we send a document request list (DRL) detailing common Information Security (IS) program artifacts. IS documentation generally comprises the policies, procedures, and standards that articulate the client's current security program and practices. During this phase, clients provide any available documentation and answer a limited set of questions by phone or email.
Documentation review helps us understand the structure and components of an organization’s IS program and allows us to develop contextually relevant questions for phase 2.
Security Assessment Phase 2: Staff Interviews and Assurance Testing (Approximately 1-2 weeks, onsite or remote)
During this phase, we interview organization team members whose roles relate to the NIST control families. Questions cover items raised during the documentation review, clarify local procedures, and establish how the various controls are actually implemented. In addition to interviews, NuHarbor conducts assurance testing of key controls and gathers additional artifacts that demonstrate the implementation and effectiveness of those controls.
Security Assessment Phase 3: Report Delivery and Review (Approximately 2-3 weeks, remote)
Following phases 1 and 2, our analysts will review the security assessment output and develop:
- A report that includes a 3-4 page executive summary giving a high-level overview of identified control gaps, suggested improvements, and compliance dashboards.
- A detailed compliance spreadsheet that assesses each control, including its implementation status, a priority level for remediation, and high-level notes on potential remedies or recommendations.
During this time, clarifying questions may be asked by email or phone.
Once the report and spreadsheet are delivered, organizations are asked to review them within a defined period. At the end of that review period, NuHarbor usually hosts a teleconference to answer questions and clarify information in the report. Following this meeting, final copies of the report and spreadsheet are released to the organization.
Many organizations present our report to their executive leadership team to give a bird's-eye view of the organization's security posture. Directors of Information Security or other department managers may use the spreadsheet as a working document to track implementation control by control.
Some significant benefits of a NuHarbor Security NIST 800-53 Security Assessment project:
- Increased understanding of how to use NIST 800-53 and select appropriate controls
- Executive and organizational awareness of the overall security posture
- Better understanding of the effectiveness of existing security controls
- Ability to correlate security controls and risks
- General recommendations for major control gaps
- Prioritization of remediation efforts to help you get started
- Ability to communicate current control implementation to partners and customers
If you have additional questions or would like to get started with a NIST 800-53 controls assessment, please feel free to contact us!
Mat Kittle
Senior Information Assurance Analyst
For more information, please visit our NIST security assessment services page here: https://nuharborsecurity.com/fisma-compliance
For information on upcoming changes that may affect NIST 800-53 Security Assessments, check out this helpful blog post: https://nuharborsecurity.com/nist-800-53-rev-5-draft/
For general information on NIST 800-53, please visit the official NIST page here: https://nvd.nist.gov/800-53