Date Submitted: 06/18/05

Introduction to the NSA Infosec Assessment Methodology (IAM)
Added by Papergrl
On May 22, 1998 President Clinton signed Presidential Decision Directive 63 (PDD 63). This directive outlined the civilian and governmental responsibility for protecting the US critical infrastructure and established the framework for the National Infrastructure Assurance Plan. One portion of the National Infrastructure Assurance Plan mandates that the National Security Agency (NSA) perform information security assessments of US Government systems. This assessment became known as the NSA's Infosec Assessment Methodology (IAM).

Because PDD 63 encompasses such a large number of organizations, the NSA could not adequately perform the IAM for all of them. For this reason the NSA developed the Infosec Assessment Training and Rating Program (IATRP). The IATRP consists of two parts: the first is a course designed to train Infosec professionals in the IAM; the second is a rating program in which the NSA appraises Infosec assessment providers against the Infosec Assessment Capability Maturity Model (IA-CMM).

An NSA Infosec Assessment is conducted by a team of individuals who review the information system security posture of an organization to identify potential vulnerabilities and recommend steps for eliminating or mitigating them. The IAM consists of 18 core subjects; however, these may be modified to ensure the assessment addresses any organization-specific elements. The initial 18 core subjects consist of:
The pre-assessment phase lasts one or two days. This is the time to gain an understanding of the customer's mission and organization and to introduce the team to the key points of contact at the site. Also during this phase the team performing the IAM determines the customer's needs, begins a criticality matrix of the customer's information, identifies the systems to be assessed, coordinates logistics with the customer, and devises an assessment plan. From this visit the assessment team determines information criticality, system criticality, and any special considerations. The team establishes the scope of the assessment and requests the necessary system documentation from the customer. After the initial visit there is a two to four week period in which the assessment team reviews the documentation, conducts a preliminary analysis of the system, establishes the activities to be conducted during the on-site activities phase of the assessment, and formalizes the written Assessment Plan Outline, which documents:
The post-assessment phase may last five or six weeks. It allows the team to review any additional documentation, perform further analysis based on the information gathered during the on-site visit, and finalize its analysis. At the conclusion of this phase the assessment team prepares the final report and presents it to the customer.

For more information about the National Security Agency Infosec Assessment Methodology please see: http://www.nsa.gov/isso/iam/iam.htm
