The IT Law Wiki
Revision as of 18:14, 10 August 2012

Definitions

A security control assessor is

[is] [t]he individual, group, or organization responsible for conducting a security control assessment.[1]

[c]onducts a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls.[2]

an individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an IT and ICS to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). Security control assessors also provide an assessment of the severity of weaknesses or deficiencies discovered in the IT and ICS and their environments of operation and recommend corrective actions to address identified vulnerabilities. In addition to the above responsibilities, security control assessors prepare the final security assessment report containing the results and findings from the assessment. Prior to initiating the security control assessment, an assessor conducts an assessment of the security plan to help ensure that the plan provides a set of security controls for the IT and ICS that meet the stated security requirements.[3]

References

[2] Cybersecurity Human Capital: Initiatives Need Better Planning and Coordination, at 41.

[3] Electricity Subsector Cybersecurity Risk Management Process, App. F, at 74.