OVERVIEW (CA-1)

The Assessment and Authorization process is implemented to ensure compliance with our organization's information security policies and is critical to minimizing the threat of breaches. Security assessments are conducted to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for each information system.

Authorization is the process of accepting the residual risks associated with the continued operation of a system and granting approval to operate for a specified period of time. Authorization to operate information technology assets shall be controlled and managed to ensure that only authorized systems.

It is the purpose of this policy to document the security assessment and authorization process for our organization and to establish the security best practices required to secure our information assets.

We have adopted the Security Assessment and Authorization principles established in the NIST SP 800-53 Rev 4 “Security Assessment and Authorization” control guidelines as the official policy for this security domain. The following sections of this document outline the Security Assessment and Authorization requirements that each information system must develop or adhere to in order to be compliant with this policy.

SECURITY ASSESSMENTS (CA-2)

The organization:

  1. Develops an annual Security Assessment Plan (CA001) that describes the scope of the assessment including:
    1. Security controls and control enhancements under assessment
    2. Assessment procedures to be used to determine security control effectiveness
    3. Assessment environment, assessment team, and assessment roles and responsibilities
  2. Assesses the security controls in the information system and its environment of operation annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements
  3. Produces an annual Security Assessment Report (CA002) that documents the results of the assessment
  4. Provides the results of the security control assessment to the CISO.

SECURITY ASSESSMENTS | INDEPENDENT ASSESSORS (CA-2 (1))

The organization employs independent third-party assessors or assessment teams to conduct security control assessments.

SYSTEM INTERCONNECTIONS (CA-3)

The organization:

  1. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements
  2. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated
  3. Reviews and updates any Interconnection Security Agreements annually.

PLAN OF ACTION AND MILESTONES (CA-5)

The organization:

  1. Develops a Plan of Action and Milestones (POAM) (CA003) for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system
  2. Updates the existing Plan of Action and Milestones monthly based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.

SECURITY AUTHORIZATION (CA-6)

The organization:

  1. Assigns the CISO as the authorizing official for the information system
  2. Ensures that the authorizing official authorizes the information system for processing before commencing operations
  3. Updates the security authorization every 3 years or whenever there is a significant change to the information system.

CONTINUOUS MONITORING (CA-7)

Our organization has a continuous monitoring strategy and implements a continuous monitoring program that includes:

  1. Establishment of information security metrics that need to be monitored
  2. Establishment of a monthly frequency for monitoring scans (RA002) and a monthly frequency for the assessments supporting such monitoring
  3. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy
  4. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy
  5. Correlation and analysis of security-related information generated by assessments and monitoring
  6. Response actions to address results of the analysis of security-related information
  7. Reporting the security status of the organization and the information system to the CISO monthly (included in MR003).

INTERNAL SYSTEM CONNECTIONS (CA-9)

The organization:

  1. Authorizes internal connections of information system components to the information system
  2. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.

Refer to Information System Components (CM002) as defined in the Configuration Management Policy.

AUDIT

  • Quarterly Management Review (MR001) includes assessment of CA-9 (CM002).
  • Annual Management Review (MR002) includes review of this policy, including CA-3, CA001 and CA002.
  • Monthly Management Review (MR003) includes assessment and update of CA-5 (CA003) and assessment of RA002.