Are you shopping for a comprehensive security assessment, but want to know what you’re in for? In this post, we’ll break down the process using an example NIST 800-53 security assessment so you can determine whether you’re ready now or would benefit from a preparatory consulting engagement with NuHarbor. This guide will help you understand what to expect before, during, and after a security assessment, and the value a controls assessment can bring to your organization.
Ideally, organizations will have completed a formal risk assessment to understand threats and vulnerabilities to their environment and the information they protect before launching a controls assessment. Once the results of a risk assessment have been obtained, organizations can select controls from a framework (e.g., NIST 800-53) to help treat their risk, thereby making their information security (IS) program risk-informed. While our general recommendation is that organizations follow this model, this isn’t always the case due to time and resource constraints. Regardless, NuHarbor is prepared to guide any organization through this process.
Many organizations mistake an assessment for an audit and use the terms interchangeably, which can breed internal uncertainty and worry. NuHarbor begins every engagement by allaying those fears – we’re a true partner to the organizations we serve, and encourage client staff to be more relaxed. This helps us identify additional areas for improvement because employees are no longer concerned their jobs may be in jeopardy; they’re more interested in identifying and resolving shortcomings than in pointing blame or passing the buck. We’ve also found this approach fosters a culture of security-mindedness, paying dividends to the organization in the future.
A NIST 800-53 security assessment usually takes place over a period of 4–6 weeks, depending on the size of the organization and the scope of the assessment. Our focus is on the mission-critical areas of an organization’s business.
A NIST 800-53 security assessment process can be described in several phases, which typically occur one right after the other.
Security Assessment Phase 1: Documentation Review
Leading up to the start of the engagement, NuHarbor sends a document request list (DRL) detailing common IS program artifacts. IS documentation generally consists of policies, procedures, and standards that articulate the current security program and practices of the client. During this phase, clients provide any available documentation and answer limited questions via phone or email.
Documentation review helps us understand the structure and components of an organization’s IS program and allows us to develop contextually relevant questions for phase two.
Security Assessment Phase 2: Staff Interviews and Assurance Testing (Approximately 1–2 weeks – onsite or remote)
During this phase, we interview various client team members with roles that relate to NIST control families. Questions pertain to items from documentation review, clarifying local procedures, and how various controls are implemented. In addition to interviews, NuHarbor will conduct assurance testing of key controls, and gather additional artifacts that demonstrate implementation and effectiveness of controls.
Following phases one and two, our analysts will review the security assessment output and develop:
A report that includes a 3–4-page executive overview describing identified control gaps, suggested improvements, and high-level compliance dashboards.
A detailed compliance spreadsheet that assesses each control, including its implementation status, a priority level for remediation, and high-level notes about potential remedies or recommendations.
During this time, clarifying questions may be asked by email or phone.
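To make the two deliverables concrete, here is an added example (written for this post, not NuHarbor's own tooling) that rolls a per-control spreadsheet up into the family-level figures a compliance dashboard would show and orders the open gaps by remediation priority. The column layout, the status vocabulary (Implemented, Partially Implemented, Planned, Not Implemented, Not Applicable) and the sample rows are assumptions constructed for illustration; the control IDs are real NIST 800-53 identifiers, but the statuses and notes attached to them are invented.

```python
"""Roll a per-control compliance spreadsheet up into family-level dashboard
figures and a prioritized remediation queue.

Added example, not NuHarbor's tooling. Column names, status vocabulary and the
sample rows are constructed; control IDs are real NIST 800-53 identifiers whose
statuses here are invented for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of the per-control spreadsheet delivered after phase 3.
SAMPLE_CSV = """\
control_id,title,status,priority,notes
AC-2,Account Management,Partially Implemented,High,Quarterly access reviews not documented
AC-17,Remote Access,Implemented,Low,VPN requires MFA
AU-2,Event Logging,Implemented,Low,Central log collection in place
CM-6,Configuration Settings,Not Implemented,High,No approved baseline for servers
IA-2,Identification and Authentication,Partially Implemented,Medium,MFA not enforced for all admins
IR-4,Incident Handling,Planned,Medium,Runbooks drafted but untested
RA-5,Vulnerability Monitoring and Scanning,Implemented,Low,Monthly authenticated scans
SC-7,Boundary Protection,Partially Implemented,High,Egress filtering incomplete
SI-2,Flaw Remediation,Not Implemented,High,No patch SLA defined
PL-2,System Security Plan,Not Applicable,Low,Out of assessment scope
"""

# Assumed status vocabulary. "Not Applicable" rows are excluded from percentages
# so an out-of-scope control neither inflates nor deflates a family's figure.
IMPLEMENTED = "Implemented"
NOT_APPLICABLE = "Not Applicable"
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def load_controls(csv_text):
    """Parse spreadsheet rows; the control family is the prefix before the hyphen."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        family, number = row["control_id"].split("-", 1)
        row["family"] = family
        row["number"] = int(number)  # numeric sort so AC-2 precedes AC-17
    return rows


def family_dashboard(rows):
    """Per-family in-scope count, implemented count and percent fully implemented."""
    stats = defaultdict(lambda: {"in_scope": 0, "implemented": 0})
    for row in rows:
        if row["status"] == NOT_APPLICABLE:
            continue
        fam = stats[row["family"]]
        fam["in_scope"] += 1
        if row["status"] == IMPLEMENTED:
            fam["implemented"] += 1
    for fam in stats.values():
        fam["percent"] = round(100.0 * fam["implemented"] / fam["in_scope"], 1)
    return dict(stats)


def overall_percent(rows):
    """Percent of in-scope controls fully implemented across the whole assessment."""
    in_scope = [r for r in rows if r["status"] != NOT_APPLICABLE]
    done = sum(1 for r in in_scope if r["status"] == IMPLEMENTED)
    return round(100.0 * done / len(in_scope), 1) if in_scope else 0.0


def remediation_queue(rows):
    """Open gaps ordered by priority, then family, then control number."""
    gaps = [r for r in rows if r["status"] not in (IMPLEMENTED, NOT_APPLICABLE)]
    gaps.sort(key=lambda r: (PRIORITY_RANK.get(r["priority"], 99),
                             r["family"], r["number"]))
    return gaps


if __name__ == "__main__":
    controls = load_controls(SAMPLE_CSV)
    print(f"Overall: {overall_percent(controls)}% of in-scope controls implemented")
    for family, fam in sorted(family_dashboard(controls).items()):
        print(f"  {family}: {fam['implemented']}/{fam['in_scope']} ({fam['percent']}%)")
    print("Remediation queue:")
    for gap in remediation_queue(controls):
        print(f"  [{gap['priority']}] {gap['control_id']} {gap['title']}: {gap['notes']}")
```

The family roll-up is what the executive overview's dashboards summarize, while the sorted queue is the "starting point for prioritization" that a security director would work through in the spreadsheet itself.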
Once the report and spreadsheet are delivered, organizations are asked to review them over a defined period. At the end of this review period, NuHarbor usually hosts a teleconference to answer any questions or clarify information in the report. Following this meeting, final copies of the report and spreadsheet are released to the organization.
Many clients will present our report to their executive leadership team to demonstrate a bird’s-eye view of their organization’s security posture. Information Security Directors or other department managers may use the spreadsheet as a working document to track control-by-control implementation.
Significant benefits of a NuHarbor NIST 800-53 security assessment project include:
Increased understanding of how to use NIST 800-53 and select appropriate controls
Executive and organizational awareness of the overall security posture
Better understanding of the effectiveness of existing security controls
Ability to correlate security controls and risks
General recommendations for major control gaps
Prioritization of remediation efforts to use as a starting point
Ability to communicate current control implementation to partners and customers