Implementing effective security controls for information systems is a vital and complex undertaking. All Federal agencies require cybersecurity control measures in one form or another – and assessing their effectiveness is a challenge.
Due to the complex and quickly evolving nature of cybersecurity threats, it can be difficult to accurately estimate the effectiveness of new or existing security control systems. To evaluate the potential vulnerabilities in a security system, organizations often perform security assessments.
To guide and document these assessments, organizations generate a Security Assessment Report (SAR). These reports summarize the assessment findings and the corrective recommendations. To expedite the assessment process, templates can be leveraged both to compile findings and to guide the assessment itself.
In this article, we’ll explore the security assessment process, the elements of a typical SAR, and where you can find a time-saving SAR template to use for your Federal agency.
A Security Assessment Report (SAR) is a document that presents the findings from security assessments and provides recommendations to address any vulnerabilities or deficiencies found. These security assessments (and the associated generation of SARs) typically occur both at the initial deployment of control systems and at periodic checkpoints throughout the life of the control system.
The preparation of the SAR occurs as a result of the security assessment itself and therefore is dependent on conducting the security assessment. Completing a security assessment (and preparing a SAR) typically follows a 6-step process:
Step 1: Find a SAR template. Your organization may already have a SAR template to use, but if not, finding a SAR template can drastically improve the efficiency of both generating the report and completing the assessment. You could find a template once the assessment is completed and you are ready to write the SAR, but understanding the content of a SAR often helps to guide the assessment process. It may also be more efficient to fill in the SAR template as the assessment progresses, which helps to ensure relevant information is documented promptly.
Step 2: Gather system information. The goal of this step is to determine which information systems your organization uses and how they are currently protected. Gathering relevant system information gives you a baseline for your current security controls.
Step 3: Identify threats. Next, identify what potential threats apply to the assets in your organization. Typically, this threat identification is done in isolation from the security controls your organization currently has in place.
Step 4: Identify vulnerabilities. Using the information gathered in steps 2 and 3, compare the potential threats to your assets against the security controls your system has in place. Any threats not fully mitigated by a current security control are potential vulnerabilities. You may also wish to rank the vulnerabilities based on probability and severity.
Step 5: Determine control recommendations. Analyze the vulnerabilities identified in step 4 to determine optimal control recommendations to mitigate them. This step may require a deep dive into control options to determine the best course of action for controlling or eliminating vulnerabilities based on your organization’s systems and needs.
Step 6: Compile the SAR. The last step in the process is compiling the information gathered throughout the assessment into the SAR document. As mentioned in step 1, the SAR could also be compiled progressively throughout the assessment process.
The contents of a SAR will depend upon a variety of factors such as information system type and complexity, frequency of security assessments, and organization size. With this in mind, there are a few key sections that all SARs should likely contain in one form or another.
As detailed as the SAR may be, the document is only useful if the relevant information is conveyed to the key stakeholders. The assessment summary provides a concise overview of the assessment findings without all of the supporting details. It provides a “snapshot” of the assessment such that a person reading only the summary has a good understanding of the key information and outcomes without having to read the rest of the report.
Assessment summaries can be organized in many different ways, but a key piece of information that should be included is a breakdown of the risks identified and their corresponding risk level/category. One effective method of showing this is with a simple breakdown table, which is demonstrated in the IPKeys SAR Template and shown below in Figure 1.
Figure 1: Risk Summary Table (IPKeys SAR Template)
This section summarizes the system overview, security assessment scope, and methodology. Depending on the SAR template you use, these might also be broken down into separate sections (system overview may be separate from methodology for example). The methodology section should include details on vulnerability identification and risk categorization as this will impact how the results are interpreted.
Details provided in this section will often include identified vulnerabilities, risk rankings, and recommended actions. In this section, each vulnerability is usually assigned risk rankings based on potential probability and impact severity. One typical element of this section is a table or graph summarizing the identified vulnerabilities and their associated risk ranking.
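The following is an added worked example, not code from the IPKeys article or its SAR template, showing step 4 (comparing threats against controls and ranking what is left unmitigated by probability and impact) and the two tables the SAR then carries: the per-finding risk ranking in the findings section and the risk summary count table of Figure 1. The threats, controls, the 1-to-5 probability and impact scales, the fractional "coverage" model of how much of a threat a control mitigates, and the score thresholds for Low/Moderate/High are all constructed sample data and assumptions for illustration; substitute your organization's own risk categorization from the methodology section.

```python
"""Added example (not the IPKeys article's or template's own code): identify
unmitigated threats, rank them by probability x impact, and build the risk
summary table for a SAR assessment summary. All data below is constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Threat:
    id: str
    description: str
    probability: int  # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (negligible) .. 5 (severe)


@dataclass
class Control:
    id: str
    description: str
    # Assumption: threat id -> fraction of that threat this control mitigates
    # (1.0 = fully mitigated, 0.5 = partially). Coverage from several controls
    # is summed and capped at 1.0.
    mitigates: Dict[str, float] = field(default_factory=dict)


@dataclass
class Finding:
    threat: Threat
    residual: float   # fraction of the threat still unmitigated
    level: str        # Low / Moderate / High


def risk_level(probability: int, impact: int) -> str:
    """Assumed thresholds on the probability x impact product (range 1..25)."""
    score = probability * impact
    if score >= 15:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


def identify_gaps(threats: List[Threat], controls: List[Control]) -> List[Finding]:
    """Step 4: any threat not fully covered by current controls is a finding,
    ranked by its risk level and score so the findings table reads top-down."""
    findings = []
    for t in threats:
        coverage = min(1.0, sum(c.mitigates.get(t.id, 0.0) for c in controls))
        if coverage < 1.0:
            findings.append(Finding(t, 1.0 - coverage,
                                    risk_level(t.probability, t.impact)))
    order = {"High": 0, "Moderate": 1, "Low": 2}
    findings.sort(key=lambda f: (order[f.level],
                                 -f.threat.probability * f.threat.impact))
    return findings


def risk_summary(findings: List[Finding]) -> Dict[str, int]:
    """Counts per risk level, the content of a Figure 1 style summary table."""
    counts = Counter(f.level for f in findings)
    return {lvl: counts.get(lvl, 0) for lvl in ("High", "Moderate", "Low")}


def render_summary_table(summary: Dict[str, int]) -> str:
    lines = ["Risk Level | Count", "-----------|------"]
    for lvl, n in summary.items():
        lines.append(f"{lvl:<10} | {n}")
    lines.append(f"{'Total':<10} | {sum(summary.values())}")
    return "\n".join(lines)


# Constructed sample inventory (steps 2 and 3), not a real system.
SAMPLE_THREATS = [
    Threat("T1", "Unpatched internet-facing web server", 4, 4),
    Threat("T2", "Phishing leading to credential theft", 5, 3),
    Threat("T3", "Loss of backup media in transit", 2, 3),
    Threat("T4", "Insider misuse of admin privileges", 2, 5),
]
SAMPLE_CONTROLS = [
    Control("C1", "Monthly patch cycle", {"T1": 0.5}),
    Control("C2", "MFA on all remote access", {"T2": 1.0}),
    Control("C3", "Encrypted backup media", {"T3": 1.0}),
    Control("C4", "Quarterly privileged-access review", {"T4": 0.5}),
]

if __name__ == "__main__":
    gaps = identify_gaps(SAMPLE_THREATS, SAMPLE_CONTROLS)
    print("Findings (risk-ranked):")
    for f in gaps:
        print(f"  {f.threat.id} {f.level:<8} residual={f.residual:.0%}  "
              f"{f.threat.description}")
    print()
    print(render_summary_table(risk_summary(gaps)))
```

With the constructed data, T2 and T3 are fully covered and drop out, while T1 (score 16, High) and T4 (score 10, Moderate) remain as findings with 50% residual exposure each; the summary table then reads High 1, Moderate 1, Low 0, Total 2. The useful part for a SAR is that the same inventory feeds both tables, so the summary and the findings section cannot drift apart.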
The ultimate goal of a security assessment is to improve system security. The recommendations section presents the assessment team’s view of how best to address the identified vulnerabilities. If a vulnerability is complex or difficult to address, the team may also recommend in this section that further investigation into the vulnerability take place to determine an optimal control strategy.
A high-quality SAR template can save an organization significant time (and associated costs) in creating a SAR. But what if your organization does not currently have a preferred SAR template? There are two templates we often use and have linked here: the FedRAMP SAR Template (Word) and the DoD’s RMF SAR Template (Excel). Either provides a great starting point for your SAR.
IPKeys Cyber Partners provides Cyber Security and CIP Compliance solutions for utilities, grid operators, and public safety organizations. Here’s how IPKeys can help you improve your cybersecurity and compliance processes:
The SigmaFlow platform provides a fully customizable, out-of-the-box solution that can automate your compliance and security processes. Our comprehensive and intuitive software solution is designed to keep you organized, automate important tasks, track key processes, and more.
Our experienced team includes industry professionals committed to providing our clients with the highest level of service. From system architecture and engineering to software development and cybersecurity, our team provides our clients with the skill, expertise, and support needed to develop innovative strategies and solutions.
Don’t hesitate to contact us for any of your cyber security or CIP compliance needs!