FISMA Certification and Accreditation Handbook

True genius resides in the capacity for evaluation of uncertain, hazardous, and conflicting information.
Winston Churchill
Most agencies require a security self-assessment only in the off years when C&A packages are not required for submission. Performing a security self-assessment is a process by which an agency or organization determines the current security posture of its information systems and infrastructure. A self-assessment helps give you a level of assurance as to how well the management, operational, and technical security controls are working. One of the best guides on how to perform a security self-assessment is Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems, November 2001, by the National Institute of Standards.
A security self-assessment is a survey-based audit that is essentially a long list of questions. The survey should be designed to be consistent with the requirements set forth in the Federal Information System Controls Audit Manual (FISCAM), January 1999. GAO auditors and agency inspectors general use FISCAM when reviewing the agency security program, including the C&A program. FISCAM is available on the GAO Web site at the following URL: www.gao.gov/special.pubs/ai12.19.6.pdf.
FISCAM includes a significant amount of information on how to audit financial systems. Though following FISCAM guidelines for financial systems is certainly meritorious, for C&A we are more concerned with information technology than with financial statements. However, as far as audits go, many of the same principles used for financial audits apply also to information technology audits and in that regard, the FISCAM guidance is certainly...