In September, the National Institute of Standards and Technology (NIST) released a security self-assessment guide to help both governmental agencies and civilian commercial organizations with a standardized assessment tool to verify and validate their security implementations.
Recognizing that the security of operational and customer information, and of the systems that process that information, is a fundamental responsibility of IT management, organizations need to:
· Plan for security
· Ensure that the appropriate personnel are assigned specific security responsibilities
· Authorize system processing prior to operations and regularly thereafter
These management responsibilities presume that responsible officials understand the risks and other factors that could adversely affect their goals. Furthermore, E-commerce and other information systems managers must clearly understand the current status of their security programs and the controls in place prior to making informed judgments and investments that appropriately mitigate risk to acceptable levels.
NIST recommends self-assessment as one vehicle for measuring information technology security assurance, whether as a single assessment covering all systems or as multiple self-assessments conducted for a group of interconnected systems, both internal and external.
Using The Self-Assessment Questionnaire
The questionnaire is suitable for the following purposes:
· System and/or security administrators who know their systems and security controls can quickly gain an understanding of needed security improvements for a system, group of interconnected systems, or the entire organization.
· Evaluation of your security posture using the questionnaire as your guide. The results of the review produce a reliable measure of security effectiveness and may be used to fulfill reporting requirements, prepare for audits, and identify resources needed for operations or improvements.
The questionnaire is not intended to be an all-inclusive list of control objectives and related techniques, but should be used in conjunction with the more detailed guidance listed in Appendix B of the document.
You can obtain your own copy of NIST Special Publication (SP) 800-26, Security Self-Assessment Guide for Information Technology Systems in one of two formats at:
The guide is not intended to establish new security requirements. The control objectives and techniques are abstracted directly from long-standing requirements found in common information security policies and standards, and from guidance documents on information security. The document is built on the Federal IT Security Assessment Framework developed by NIST for the Federal Chief Information Officer (CIO) Council. The framework relies on five levels of security status, together with criteria for determining whether each of the five levels is adequately implemented. The new document provides guidance for applying the framework by identifying 17 control areas, such as those pertaining to identification and authentication (I&A), disaster recovery, and contingency planning. Additionally, the document provides guidance on using the results of the system self-assessment to ascertain the status of the organization’s security program.