Phase 5: Assess
Assess Tasks
ASSESSOR SELECTION
• Task A-1: Select the appropriate assessor or assessment team for the type of control assessment
to be conducted.
• Potential Inputs: Security, privacy, and SCRM plans; program management control information; common control
documentation; organizational security and privacy program plans; SCRM strategy; system design documentation; enterprise,
security, and privacy architecture information; security, privacy, and SCRM policies and procedures applicable to the system.
• Expected Outputs: Selection of assessor or assessment team responsible for conducting the control assessment.
• Discussion
• Assessor Selection – CISO
• Audits
• Self-Assessment
• Control Effectiveness
ASSESSMENT PLAN
• Task A-2: Develop, review, and approve plans to assess implemented controls.
• Potential Inputs: Security, privacy, and SCRM plans; program management control information;
common control documentation; organizational security and privacy program plans; SCRM strategy;
system design documentation; supply chain information; enterprise, security, and privacy architecture
information; security, privacy, and SCRM policies and procedures applicable to the system.
• Expected Outputs: Security and privacy assessment plans approved by the authorizing official.
• Discussion
• Assessment Plan Development
• When, What, Where and How
• Rules of Engagement – POCs; tools and techniques; approvals
• Scope
ASSESSMENT PLAN
• Assessment Plan provides objectives
• Two purposes
• Establishes expectations
• Binds the Assessor to a predetermined level of effort
• Types of Assessments
• Developmental Test and Evaluation
• IV&V
• Assessments supporting authorization or reauthorization; the continuous monitoring
assessment; and remediation, or regression, assessments.
CONTROL ASSESSMENTS
• Task A-3: Assess the controls in accordance with the assessment procedures
described in assessment plans.
• Potential Inputs: Security and privacy assessment plans; security and privacy plans; external
assessment or audit results (if applicable).
• Expected Outputs: Completed control assessments and associated assessment evidence.
• Discussion
• SDLC (Early – Development Phase)
• Cost
• Common Controls (Inherited)
CONTROL ASSESSMENTS
• Tools
• Manual
• Steps taken
• Automated
• Document the settings
• Types of Tests
• The examine method is the process of reviewing, inspecting, observing, studying, or analyzing
one or more assessment objects (i.e., specifications, mechanisms, or activities). The purpose of
the examine method is to facilitate assessor understanding, achieve clarification, or obtain
evidence.
• The interview method is the process of holding discussions with individuals or groups of
individuals within an organization to, once again, facilitate assessor understanding, achieve
clarification, or obtain evidence.
• The test method is the process of exercising one or more assessment objects (i.e., activities or
mechanisms) under specified conditions to compare actual with expected behavior.
CONTROL ASSESSMENTS
• Example: AC-3(6), Access Enforcement, as listed in SP 800-53A, is quoted here:
• ASSESSMENT OBJECTIVE: Determine if:
• (i) the organization defines the user and/or system information to be encrypted or stored offline in a
secure location; and
• (ii) the organization encrypts, or stores off-line in a secure location, organization-defined user and/or
system information.
• Potential assessment methods and objects:
• Examine: [SELECT FROM: Access control policy; procedures addressing access enforcement; information
system design documentation; information system configuration settings and associated documentation;
information system audit records; other relevant documents or records].
• Interview: [SELECT FROM: Organizational personnel with access enforcement responsibilities].
• Test: [SELECT FROM: Automated mechanisms implementing access enforcement functions].
CONTROL ASSESSMENTS
• Input: Test Plan
• Test Leader/Director
• Responsible for the SAR
• Freeze the System
• Look at Annual Assessments
• Incremental Assessments during the SDLC
• SSP Review from Phase 2
CONTROL ASSESSMENTS
• Requirements
• Required Access
• Documentation
• POCs for interviews
ASSESSMENT REPORTS
• Task A-4: Prepare the assessment reports documenting the findings and recommendations
from the control assessments.
• Potential Inputs: Completed control assessments and associated assessment evidence.
• Expected Outputs: Completed security and privacy assessment reports detailing the assessor findings and
recommendations.
• Discussion
• Assessment Report (Findings)
• SAR
• Documents the results of the testing
• Bring forward previous assessments
REMEDIATION ACTIONS
• Task A-5: Conduct initial remediation actions on the controls and reassess remediated
controls.
• Potential Inputs: Completed security and privacy assessment reports with findings and recommendations; security
and privacy plans; security and privacy assessment plans; organization- and system-level risk assessment results.
• Expected Outputs: Completed initial remediation actions based on the security and privacy assessment reports;
changes to implementations reassessed by the assessment team; updated security and privacy assessment reports;
updated security and privacy plans including changes to the control implementations.
• Discussion
• During Development/Post-Development
• Meeting on Findings
REMEDIATION ACTIONS
• System Owner
• Reviews the findings
• False Positives
• ISSO assists in this process
• Meeting
• Assessor
• SO and ISSO
• Determines applicable findings
• Unacceptable Risk – Fix Now
• Addendum
PLAN OF ACTION AND MILESTONES
• Task A-6: Prepare the plan of action and milestones based on the findings and
recommendations of the assessment reports.
• Potential Inputs: Updated security and privacy assessment reports; updated security and privacy plans; organization-
and system-level risk assessment results; organizational risk management strategy and risk tolerance.
• Expected Outputs: A plan of action and milestones detailing the findings from the security and privacy assessment
reports that are to be remediated.
• Discussion
• Correct the deficiencies
• Residual Risk
• Process to fix
