Security Self-Assessment Report
This report is a security self-assessment based on the National Institute of Standards and Technology (NIST) Special Publication 800-26 (SP 800-26) (Swanson). The organization being assessed is the technical support division of an electronics and computer manufacturer; the assessment covers the technical and physical controls that support its information technology security. We will refer to this organization as Tech Inc., a fictitious name for the company.
The support facility is one of three: one in Canada, one in India, and the chief facility in the state of Florida. It employs approximately 700 personnel. The management hierarchy is as follows: a vice president, executive managers, floor managers, supervisors, and the technical employees.
All three facilities are connected through the internet. The Florida facility, being the main facility, houses the database and all proprietary software worth protecting, as well as customer and employee data.
Organizational Reliance on IT
IT is the heart of this organization; it is part of its products and thus very valuable. Employees answer customers' questions and solve their software problems using information from Expert Solution (ES), proprietary software that stores solutions in a database. ES matters because if an employee does not have access to the database, or the database is corrupted, the customer's computer must be shipped to a repair facility in California. This process costs much more than having the customer perform a simple repair on their own; other costs are the inconvenience to the customer of the repair time and the damage to the organization's reputation.
Areas of Study Included in the Assessment
The following areas were included in the assessment: risk management, review of security controls, life cycle, authorize processing, system security plan, personnel security, physical and environmental protection, production input/output controls, contingency planning, hardware and system software maintenance, data integrity, documentation, security awareness training and education, incident response capability, identification and authentication, logical access controls, and audit trails.
Risk Management
The organization already has policies and procedures in place for risk management. The plan is fully documented in the available documents that describe the risk management plan components. Threats are identified as man-made and natural; there is a great deal of emphasis on natural threats, since the state of Florida is regularly subject to tornadoes and hurricanes. Internal and external vulnerabilities are listed and are required to be tested periodically, so the list can be updated as many vulnerabilities are eliminated and previously unknown ones are added. Security controls are listed and reviewed periodically. This is mostly an internal effort with little dependence on external consultants; instead, internal security professionals who are qualified and certified perform these tasks. Security controls are logical and physical; they are stringent and taken seriously at all times with no exception to the rules. Security controls are discussed with individuals at the time of employment and explained to new hires; a scenario mentioned during every training session is that if the vice president forgets his access card (required to enter the facility), he will not be allowed on the premises to work until he can present it. Security controls are tested continually, with periodic testing of these controls, including a building evacuation every ninety days during idle time. A full contingency plan is in place that takes effect in case of emergency and covers anything from an incident response to a...
References
Swanson, M. (2001, August 1). Security self-assessment guide for information technology systems (NIST Special Publication 800-26). Retrieved from http://csrc.nist.gov/