
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Assessment worksheet columns:

Applicable: (Y)es / (N)o
(C)onfidentiality: L1 / M2 / H3
(I)ntegrity: L1 / M2 / H3
(A)vailability: L1 / M2 / H3
RPN: (C+I+A)
Result: (S)atisfactory / (O)ther than satisfactory +##


CA-2 Security Assessments

assessment objective:

Determine if the organization:

ca-2(a) develops a security assessment plan that describes the scope of the assessment including:
    ca-2(a)(1) security controls and control enhancements under assessment;
    ca-2(a)(2) assessment procedures to be used to determine security control effectiveness;
    ca-2(a)(3):
        ca-2(a)(3)[1] assessment environment;
        ca-2(a)(3)[2] assessment team;
        ca-2(a)(3)[3] assessment roles and responsibilities;

ca-2(b):
    ca-2(b)[1] defines the frequency to assess the security controls in the information system and its environment of operation;
    ca-2(b)[2] assesses the security controls in the information system with the organization-defined frequency to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;

ca-2(c) produces a security assessment report that documents the results of the assessment;

ca-2(d):
    ca-2(d)[1] defines individuals or roles to whom the results of the security control assessment are to be provided; and
    ca-2(d)[2] provides the results of the security control assessment to organization-defined individuals or roles.

potential assessment methods and objects:

Examine: [select from: Security assessment and authorization policy; procedures addressing security assessment planning; procedures addressing security assessments; security assessment plan; other relevant documents or records].

Interview: [select from: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Automated mechanisms supporting security assessment, security assessment plan development, and/or security assessment reporting].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056