ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

1.3   Organization of this Special Publication

The remainder of this special publication is organized as follows:

Chapter Two describes the fundamental concepts associated with security and privacy control assessments including: (i) the integration of assessments into the system development life cycle; (ii) the importance of an organization-wide strategy for conducting security and privacy control assessments; (iii) the development of effective assurance cases to help increase the grounds for confidence in the effectiveness of the security and privacy controls being assessed; and (iv) the format and content of assessment procedures.

Chapter Three describes the process of assessing the security and privacy controls in organizational information systems and their environments of operation including: (i) the activities carried out by organizations and assessors to prepare for security and privacy control assessments; (ii) the development of security assessment plans; (iii) the conduct of security and privacy control assessments and the analysis, documentation, and reporting of assessment results; and (iv) the post-assessment report analysis and follow-on activities carried out by organizations.

Supporting appendices provide detailed assessment-related information including: (i) general references; (ii) definitions and terms; (iii) acronyms; (iv) a description of assessment methods; (v) penetration testing guidelines; (vi) a catalog of assessment procedures that can be used to develop plans for assessing security controls; (vii) content of security assessment reports; (viii) the definition, format, and use of assessment cases; (ix) automation support for ongoing assessments; and (x) a catalog of assessment procedures that can be used to develop plans for assessing privacy controls.
