Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

ca-2(2)

security assessments  | specialized assessments

assessment objective:

Determine if the organization:

ca-2(2)[1]

selects one or more of the following forms of specialized security assessment to be included as part of security control assessments:

ca-2(2)[1][a]

in-depth monitoring;

ca-2(2)[1][b]

vulnerability scanning;

ca-2(2)[1][c]

malicious user testing;

ca-2(2)[1][d]

insider threat assessment;

ca-2(2)[1][e]

performance/load testing; and/or

ca-2(2)[1][f]

other forms of organization-defined specialized security assessment;

ca-2(2)[2]

defines the frequency for conducting the selected form(s) of specialized security assessment;

ca-2(2)[3]

defines whether the specialized security assessment will be announced or unannounced; and

ca-2(2)[4]

conducts announced or unannounced organization-defined forms of specialized security assessments with the organization-defined frequency as part of security control assessments.

potential assessment methods and objects:

Examine: [select from: Security assessment and authorization policy; procedures addressing security assessments; security plan; security assessment plan; security assessment report; security assessment evidence; other relevant documents or records].

Interview: [select from: Organizational personnel with security assessment responsibilities; organizational personnel with information security responsibilities].

Test: [select from: Automated mechanisms supporting security control assessment].