The document reviews best practices for assessing the security and privacy controls organizations have in place.
The National Institute of Standards and Technology issued the final version of its guidance for organizations assessing the security of their own IT systems, following a draft and public comment period.
The document, titled “Assessing Security and Privacy Controls in Information Systems and Organizations” (NIST Special Publication 800-53A, Revision 5), focuses on helping organizations manage cybersecurity and privacy risks across their own systems and networks.
“The updated publication provides an assessment approach and procedures—i.e., how to determine if the countermeasures are implemented and achieving the desired effect,” NIST said in an email to Nextgov.
The final publication emphasizes improving organizational assessments of existing cybersecurity infrastructure, promoting better security awareness among users, enabling cost-effective procedures for assessing security and privacy controls, and producing reliable security information for executives and other decision makers.
NIST officials review best practices for assessment procedures that determine whether the controls in place are effective. The assessment process has three broad phases: preparing for the assessment, conducting it, and analyzing the results to gauge risk.
“Conducting security and privacy control assessments can be difficult, challenging and resource-intensive,” the document reads. “Security and privacy control assessments may be conducted by different organizational entities with distinct oversight responsibilities. However, success requires the cooperation and collaboration of all parties with a vested interest in the organization’s information security or privacy posture.”
The guidance concludes by recommending ongoing privacy and security assessments within a given organization.