Security Assessment: Case Studies for Implementing NSA IAM

NSA has identified 18 baseline INFOSEC classes and categories for the assessment team to focus on to gain security posture information. This list is broken into three categories:
Management aspects
Technical aspects
Operational aspects
The IAM methodology is flexible enough to allow the addition of classes or categories when necessary and/or requested by the customer. Common themes across all 18 baseline INFOSEC classes and categories are documentation and education training and awareness. Are the policies and procedures documented for each area, and are personnel trained on security and its importance in the area?
NSA reorganized the original 18 Baseline INFOSEC classes and categories in 2003 to match the NIST and other DoD guidance that focuses on management, technical, and operational controls (see Table 7.2); you can refer to www.nist.gov for additional details. The original list was not categorized in any form. NSA also took input from students who took previous versions of the IAM training to better update and group the baseline categories. These categories can be found in the IAM training documentation at www.iatrp.com.
| Management | Technical | Operational |
|---|---|---|
| INFOSEC documentation INFOSEC roles and responsibilities Contingency planning Configuration management | Identification and authentication Account management Session controls Auditing Malicious code protection Maintenance System assurance Networking/connectivity Communications security | Media controls Labeling Physical environment Personnel security Education training and awareness |
NIST 800-26: Security Self-Assessment...