FISMA Certification and Accreditation Handbook

The questions in Tables 8.3, 8.4, and 8.5 can be used to develop a Security Self-Assessment. They are based on the recommendations in NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems (August 2001), published by the National Institute of Standards and Technology. Additional questions and categories have been added to broaden coverage, and some of the original NIST SP 800-26 wording has been simplified for clarity. For example, NIST's "Personnel Security" category has been renamed "User Trust", since the intent of those controls is to establish trust in the people who use the system, not to secure the personnel themselves. Some questions also appear in categories different from the original NIST arrangement. The relevant federal laws, regulations, and NIST guidance are cited alongside the questions in Tables 8.3, 8.4, and 8.5. If a particular question does not apply to your information system, indicate that by entering N/A in the right-hand columns.
Management security controls refer to security controls that are required and reviewed through organizational accountability processes.
| No. | Questions | L1 | L2 | L3 | L4 |
|---|---|---|---|---|---|
| | Risk Management | | | | |
| | Required by: FISMA 3541(2)(A) and 3544(b)(1); OMB Circular A-130, Appendix III; FISCAM SP-1. Recommended by: NIST SP 800-18; NIST SP 800-30 | | | | |
| | Are initial risk assessments performed before a system is put into production? | | | | |
| | Are risk assessments performed on a regular schedule? | | | | |
| | Are... | | | | |