NSA INFOSEC Assessment Methodology

The National Security Agency INFOSEC Assessment Methodology (NSA IAM) was developed by the U.S. National Security Agency and incorporated into its INFOSEC Training and Rating Program (IATRP) in early 2002.

NSA INFOSEC Assessment Methodology Concepts

The NSA IAM is an information security assessment methodology that baselines assessment activities. It breaks information security assessments into three phases: pre-assessment, on-site activities, and post-assessment. Each of these phases contains mandatory activities to ensure information security assessment consistency. It is important to note, however, that NSA IAM assessments consist of only documentation review, interviews, and observation. There is no testing done during an NSA IAM assessment. The NSA released the INFOSEC Evaluation Methodology to baseline testing activities.

Pre-assessment Phase

The purpose of the pre-assessment phase is to define customer requirements, set the assessment scope and determine assessment boundaries, gain an understanding of the criticality of the customer's information, and create the assessment plan. The NSA IAM measures both organizational information criticality and system information criticality. Organizational information consists of the information required to perform major business functions. System information then is identified by analyzing the information that is processed by the systems that support the major business functions.

The NSA IAM provides matrices that are used to analyze information criticality. A matrix is created for each organization/business function and each system that supports the organization. The vertical axis consists of the information types, whereas the horizontal axis includes columns for confidentiality, integrity, and availability. Information criticality impact values are assigned for each cell. Table 13-1 is an example of a human resources organization information criticality matrix.

Table 13-1: Organizational Information Criticality Matrix

Information Type                 | Confidentiality | Integrity | Availability
---------------------------------|-----------------|-----------|-------------
Employee performance appraisals  |                 |           |
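To make the criticality matrices concrete, the following is an added example (not code from the book or from the NSA IAM itself): it models an organizational matrix whose rows are information types and whose columns are confidentiality, integrity and availability, derives a system matrix from the information a system processes, and rolls each matrix up to a single rating. The High/Medium/Low scale, the high-water-mark roll-up rule, and all information types and values are constructed assumptions, not values given on this page.

```python
"""Model of the NSA IAM organizational and system criticality matrices.

Added example; the sample data, the High/Medium/Low scale and the
high-water-mark roll-up are assumptions, not rules stated on the page.
"""
from dataclasses import dataclass, field

# Assumed impact scale: larger number = greater impact if the attribute is lost.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
ATTRIBUTES = ("Confidentiality", "Integrity", "Availability")


@dataclass
class CriticalityMatrix:
    """Rows are information types; each row holds (C, I, A) impact values."""
    name: str
    rows: dict = field(default_factory=dict)

    def add(self, info_type, confidentiality, integrity, availability):
        """Add one row, rejecting impact values outside the assumed scale."""
        for level in (confidentiality, integrity, availability):
            if level not in LEVELS:
                raise ValueError(f"unknown impact value {level!r}")
        self.rows[info_type] = (confidentiality, integrity, availability)

    def high_water_mark(self):
        """Per-attribute maximum across all rows (assumed roll-up rule).

        Returns a dict attribute -> level name, or None for an empty matrix."""
        result = {}
        for i, attr in enumerate(ATTRIBUTES):
            best = max((LEVELS[row[i]] for row in self.rows.values()), default=0)
            result[attr] = next((k for k, v in LEVELS.items() if v == best), None)
        return result


def system_matrix(org, system_name, processed_types):
    """Derive a system matrix: the system inherits the organizational impact
    values of each information type it processes (types must exist)."""
    sm = CriticalityMatrix(system_name)
    for info_type in processed_types:
        if info_type not in org.rows:
            raise KeyError(f"{info_type!r} is not in the organizational matrix")
        sm.rows[info_type] = org.rows[info_type]
    return sm


# Constructed sample: a human resources organization, as in Table 13-1.
HR = CriticalityMatrix("Human Resources")
HR.add("Employee performance appraisals", "High", "High", "Low")
HR.add("Payroll records", "High", "High", "Medium")
HR.add("Job postings", "Low", "Medium", "Medium")
PAYROLL = system_matrix(HR, "Payroll application", ["Payroll records"])
```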

On-Site Activities Phase

The on-site activities phase consists of validating pre-assessment-phase conclusions, gathering assessment data, and providing initial feedback to customer stakeholders. There are 18 baseline areas that are evaluated during an IAM assessment:

  • Information security documentation such as policies, procedures, and baselines

  • Roles and responsibilities

  • Contingency planning

  • Configuration management

  • Identification and authentication

  • Account management

  • Session controls

  • Auditing

  • Malicious code protection

  • System maintenance

  • System assurance

  • Networking/connectivity

  • Communications security

  • Media controls

  • Information classification and labeling

  • Physical environment

  • Personnel security

  • Education, training, and awareness

Post-assessment Phase

Once the assessment information is gathered, it is analyzed and consolidated into a report in the final post-assessment phase. The final report includes an executive summary, recognition of good security practices, and a statement regarding the overall information security posture of the organization. Additional information regarding the NSA INFOSEC Assessment and Evaluation Methodologies can be found at http://www.iatrp.com.

IT Auditing: Using Controls to Protect Information Assets
Year: 2004
Pages: 159