INFOSEC - A practice of Leverage Information Systems

toll free 800.825.6680

A growing number of businesses and Federal agencies under government regulation or seeking to follow best practices are taking positive steps to secure their networks from intruders as well as protect their stakeholder’s personal information. While some have made great progress, others are falling dangerously behind in their information security (INFOSEC) efforts.

INFOSEC Services practice has recognized that what was needed was a simple, plain language tool to help IT administrators not only determine what their security stance is, but also what steps to take to identify and address what might be missing.

To fill the void, INFOSEC Services practice has developed the Security Assessment Tool to help enterprises assess their preparedness and to what extent their information technology practices may be considered safe and secure.

The Security Assessment Tool is a self-administered assessment of your enterprise information management practices and systems. Working through 10 questions, the Security Assessment Tool will help identify areas that need attention to meet both regulations and to ensure a better understanding of how to protect data throughout your organization, whether at rest or in transit. Remember, use of this tool should only be viewed as an initial indicator of the security readiness of your enterprise.

For a more comprehensive look at the readiness of your information security efforts INFOSEC Services stands ready to help you assess your IT system and practices and assist you in meeting compliance and best practices requirements. For a confidential review call 1-800-825-6680 and ask for an INFOSEC analyst.

How were system risks determined in support of the risk analysis process?

My organization has objectively identified security risks through our risk analysis process, documented and assessed those risks, and mitigated those risks My organization has identified some security risks, but there are many others My organization has not objectively identified security risks

What is your timeline for implementing information security projects?

My organization is continuing to proceed on our schedule of implementing information security projects and is methodically moving throughout our enterprise network My organization is planning to implement security measures in some areas, although there are others that won’t be implemented until funding becomes available My organization is just trying to keep up with current projects; we don’t have time or resources to take on additional projects involving additional security measures

Do you differentiate between protection of data-at-rest, data-in-transit and how digital authority is protected throughout the system?

My organization is outstanding in differentiating protection between data-at-rest, data-in-transit and operational authority My organization has difficulty in differentiating protection between data-at-rest, data-in-transit and digital authority and needs to better prepare for identifying such distinctions My organization doesn’t differentiate protection between data-at-rest, data-in-transit, and operational authority nor does it have an understanding of how to do it

If you work for a commercial enterprise have the existing processes and results of a Security Test and Evaluation (ST&E) been documented and used to let systems move into an operational status?

My organization has plans and agreements prepared for and approved by the CIO or other authorization authority that enabled a system to become operational My organization has plans and agreements prepared, but they are lacking some detail and are not ready for authorization My organization does not have plans and agreements prepared nor do we know how to prepare a system for operational status

If you work for a Federal agency are there current Authorizations to Operate (ATOs) or Interim ATOs (IATOs) that have been properly prepared and signed off under the CIO’s authority to obtain Certification and Accreditation (C&A) and is the information used to authorize systems to operate?

My organization has ATOs and IATOs that have been properly prepared, signed off by the CIO, and used to authorized the system to operate My organization has ATOs and IATOs that lack critical information and have not been signed off because of uncertainty on the part of the CIO My organization does not have ATOs or IATOs prepared and is uncertain on how to proceed in preparing ATOs and IATOs

Do you maintain a current view into the network and its parts so that at any moment the network can be described down to individual nodes, including licensing, configuration, and operational functions?

My organization has up-to-date documentation and the means to monitor the current state of the network My organization lacks up-to-date documentation and needs additional methods to monitor the entire network My organization does not have any documentation of the network nor does it have the means to capture any view of the network

What planning is in place for incident response and disaster recovery?

My organization has incident response and disaster recovery plans that have worked during an actual event, have been updated to reflect lessons learned, and are tested at least once a year My organization has incident response and disaster recovery plans but they have not been tested nor periodically updated My organization does not have incident response plans nor any disaster recovery plans

What is the current state of documented polices and procedures regarding network security operations (e.g. actions taken by personnel, rules and polices in automated systems, types of data that need additional protection [i.e., sensitive, classified, or propriety data], and levels of designated authority that can be used on the digital system)?

My organization has policies and procedures regarding network security, informs those who are responsible for implementing the policies and procedures, and periodically identifies the need for new or updates to existing policies and procedures My organization has some policies and procedures, but I’m not confident if we’ve covered everything or uncertain those we have My organization does not have policies and procedures regarding network security

Are your personnel trained in comprehending security implications of their administrative functions of the IT hardware and software that falls into their area of responsibility and how are users trained with regard to Information Security (INFOSEC) in accordance with Federal requirements and mandates?

My IT personnel understand the security implications of the areas they oversee and are knowledgeable with the government requirements and mandates that guide our organization My IT personnel have some understanding of security although they could be more familiar with requirements and mandates My IT personnel lack even the basics in understanding security implications of the areas they oversee and have no clue to the relationship between information security and government requirements and mandates

Is your IT architecture and lifecycle management reviewed for security implications?

My organization reviews our architecture periodically and is aggressive in keeping on top of our lifecycle management. My organization reviews our architecture design before major system changes and our lifecycle management undergoes review as well My organization’s IT architecture and lifecycle management are not reviewed for security implications.

(Be sure to answer all the questions.)