How to Set Up an Assessment for a System using Assessment Accelerator
June 4, 2018
In Part 2 on Assessment Accelerator, we explore how quickly a system can be set up for an assessment according to an assessment plan.
From the AA toolbar, select the System Information Setting button.
From the Configuration Settings form, enter the System Information for the information system to be assessed. Categorization is important because it defines the security control baseline for the assessment plan. Other attributes such as Type of System and Exposure are metadata only at this time.
Select the assessment plan to be conducted. The controls for the assessment plan are listed in the Assessment Plan tab by categorization. To add or remove a control from the list, simply add or remove the ‘x’.
Controls assigned to core and option years are fully customizable. There is even a custom mode to set up a non-standard assessment such as an overlay or a re-assessment due to significant change. Based on the selection, the applicable controls are loaded into the respective control family tabs for the assessment, along with their assessment objective and examine, interview and test instructions. This automation saves significant time and reduces errors by eliminating the need to look up the details in the corresponding standards (e.g., NIST 800-53A).
The automation computes the applicable control statistics accordingly. We know from our experience as assessors that control analytics are the most time-consuming part, and now they can be produced with just a click!
The Dashboard Thresholds establish the risk tolerance applied to the assessment's risk information. The thresholds can be recomputed from the actual values derived from all assessments, providing an organization-specific quantitative approach to risk management.
The Application Settings contain settings and functions including automated skip navigation from one control to the next, as well as a function to reset all previous assessment control and system information (if the reset all system information option is checked).
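To make the workflow above concrete, here is an added Python model of the same steps (categorization selects a baseline, ‘x’ marks on the plan add or remove controls, the result is grouped into family tabs, control statistics are computed, and dashboard thresholds are recomputed from prior assessment values). This is example code written for this post, not Assessment Accelerator's own logic; the mini-catalog, its baseline membership, the history values and all function names are constructed for illustration and should not be read as NIST SP 800-53B assignments.

```python
"""Constructed model of the assessment set-up flow described in the post.
Catalog contents, baseline membership and history values are illustrative
only; none of this is the tool's own code or data."""
import math
from collections import Counter

# Illustrative catalog: (control id, family, baselines that include it).
# Membership is constructed for this example, not copied from NIST SP 800-53B.
CATALOG = [
    ("AC-1", "AC", {"Low", "Moderate", "High"}),
    ("AC-2", "AC", {"Low", "Moderate", "High"}),
    ("AC-2(1)", "AC", {"Moderate", "High"}),
    ("AC-2(4)", "AC", {"Moderate", "High"}),
    ("AU-2", "AU", {"Low", "Moderate", "High"}),
    ("AU-6", "AU", {"Low", "Moderate", "High"}),
    ("AU-6(1)", "AU", {"Moderate", "High"}),
    ("SC-7", "SC", {"Low", "Moderate", "High"}),
    ("SC-7(3)", "SC", {"Moderate", "High"}),
    ("SC-7(21)", "SC", {"High"}),
]
CATALOG_ORDER = {cid: i for i, (cid, _, _) in enumerate(CATALOG)}
FAMILY = {cid: fam for cid, fam, _ in CATALOG}


def baseline_controls(categorization):
    """Controls whose baseline includes the system's categorization."""
    return [cid for cid, _, baselines in CATALOG if categorization in baselines]


def apply_plan_marks(controls, marks):
    """Mirror the Assessment Plan tab: an 'x' adds a control, a blank removes it.
    `marks` maps control id -> cell content; unmentioned controls keep the
    baseline decision. Unknown ids are rejected rather than silently ignored."""
    selected = set(controls)
    for cid, cell in marks.items():
        if cid not in CATALOG_ORDER:
            raise KeyError(f"unknown control {cid}")
        if cell.strip().lower() == "x":
            selected.add(cid)
        else:
            selected.discard(cid)
    return sorted(selected, key=CATALOG_ORDER.__getitem__)


def group_by_family(controls):
    """The per-family tabs: family -> control ids in catalog order."""
    tabs = {}
    for cid in controls:
        tabs.setdefault(FAMILY[cid], []).append(cid)
    return tabs


def control_statistics(controls):
    """The control analytics the post says are produced with a click."""
    per_family = Counter(FAMILY[c] for c in controls)
    enhancements = sum(1 for c in controls if "(" in c)
    return {
        "total": len(controls),
        "base_controls": len(controls) - enhancements,
        "enhancements": enhancements,
        "per_family": dict(sorted(per_family.items())),
    }


def percentile(values, p):
    """Nearest-rank percentile (0 < p <= 1) over a small list of observations."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def recompute_thresholds(history, green_p=0.5, amber_p=0.9):
    """Dashboard thresholds derived from prior assessments, e.g. the percent of
    controls found other than satisfied per assessment. At or below the green
    cut-off is green; above the amber cut-off is red."""
    return {"green_max": percentile(history, green_p),
            "amber_max": percentile(history, amber_p)}


def rate(value, thresholds):
    """Classify one assessment's value against the recomputed thresholds."""
    if value <= thresholds["green_max"]:
        return "green"
    if value <= thresholds["amber_max"]:
        return "amber"
    return "red"


if __name__ == "__main__":
    plan = apply_plan_marks(baseline_controls("Moderate"),
                            {"SC-7(21)": "x", "AC-2(4)": ""})
    print(group_by_family(plan))
    print(control_statistics(plan))
    # Constructed history: percent other-than-satisfied in eight past assessments.
    t = recompute_thresholds([5, 10, 15, 20, 25, 30, 35, 40])
    print(t, rate(12, t), rate(38, t), rate(45, t))
```

The nearest-rank percentile is used on purpose: with only a handful of historical assessments it returns an observed value rather than an interpolated one, so a threshold always corresponds to a real past result the organization can point to.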
In the next part we will cover the actual control implementation itself. Stay tuned. More to come.