=== References ===
* National Institute of Standards and Technology. 2008. "Technical Guide to Information Security Testing and Assessment (SP 800-115)." Gaithersburg, MD: NIST.<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/115/final|title=Technical Guide to Information Security Testing and Assessment|last=Scarfone|first=Karen|last2=Souppaya|first2=Murugiah|last3=Cody|first3=Amanda|last4=Orebaugh|first4=Angela|date=2008-09-30|publisher=National Institute of Standards and Technology|issue=NIST Special Publication (SP) 800-115|language=en}}</ref>
* National Institute of Standards and Technology. 2012. "Guide for Conducting Risk Assessments (SP 800-30 Rev.1)." Gaithersburg, MD: NIST.<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/30/r1/final|title=Guide for Conducting Risk Assessments|last=Initiative|first=Joint Task Force Transformation|date=2012-09-17|publisher=National Institute of Standards and Technology|issue=NIST Special Publication (SP) 800-30 Rev. 1|language=en}}</ref>
* International Organization for Standardization. 2022. "ISO/IEC 27005:2022 — Information security risk management." Geneva: ISO/IEC.<ref>{{Cite web |title=ISO/IEC 27005:2022|url=https://www.iso.org/standard/80585.html|access-date=2025-10-27|website=ISO|language=en}}</ref>
* OWASP Foundation. 2023. "OWASP Web Security Testing Guide (WSTG)."<ref>{{Cite web |title=OWASP Web Security Testing Guide {{!}} OWASP Foundation|url=https://owasp.org/www-project-web-security-testing-guide/|access-date=2025-10-27|website=owasp.org|language=en}}</ref>
* OWASP Foundation. 2024/2025. "OWASP Application Security Verification Standard (ASVS) 5.0."<ref>{{Cite web |title=OWASP Application Security Verification Standard (ASVS) {{!}} OWASP Foundation|url=https://owasp.org/www-project-application-security-verification-standard/|access-date=2025-10-27|website=owasp.org|language=en}}</ref>
* Center for Internet Security. 2021. "CIS Critical Security Controls v8." East Greenbush, NY: CIS.<ref>{{Cite web |title=CIS Controls Version 8|url=https://www.cisecurity.org/controls/v8/|access-date=2025-10-27|website=CIS|language=en}}</ref>
* The Open Group. 2020–2024. "Open FAIR™ Body of Knowledge (O-RA / O-RT)." San Francisco, CA: The Open Group.<ref>{{Cite web |title=The Open FAIR™ Body of Knowledge {{!}} www.opengroup.org|url=https://www.opengroup.org/open-fair|access-date=2025-10-27|website=www.opengroup.org|language=en}}</ref>
* National Institute of Standards and Technology. 2018. "Risk Management Framework for Information Systems and Organizations (SP 800-37 Rev.2)." Gaithersburg, MD: NIST.<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/37/r2/final|title=Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy|last=Force|first=Joint Task|date=2018-12-20|publisher=National Institute of Standards and Technology|issue=NIST Special Publication (SP) 800-37 Rev. 2|language=en}}</ref>
* National Institute of Standards and Technology. 2020. "Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Security and Privacy Controls for Information Systems and Organizations|url=https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final|publisher=National Institute of Standards and Technology|date=2020-12-10|issue=NIST Special Publication (SP) 800-53 Rev. 5|language=en|first=Joint Task|last=Force}}</ref>
* National Institute of Standards and Technology. 2022. "Assessing Security and Privacy Controls in Information Systems and Organizations: Building Effective Assessment Plans (SP 800-53A Rev. 5)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Assessing Security and Privacy Controls in Information Systems and Organizations|url=https://csrc.nist.gov/pubs/sp/800/53/a/r5/final|publisher=National Institute of Standards and Technology|date=2022-01-25|issue=NIST Special Publication (SP) 800-53A Rev. 5|language=en|first=Joint Task|last=Force}}</ref>
* National Institute of Standards and Technology. 2011. "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP 800-137)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations|url=https://csrc.nist.gov/pubs/sp/800/137/final|publisher=National Institute of Standards and Technology|date=2011-09-30|issue=NIST Special Publication (SP) 800-137|language=en|first=Kelley|last=Dempsey|first2=Nirali|last2=Chawla|first3=L.|last3=Johnson|first4=Ronald|last4=Johnston|first5=Alicia|last5=Jones|first6=Angela|last6=Orebaugh|first7=Matthew|last7=Scholl|first8=Kevin|last8=Stine}}</ref>
* National Institute of Standards and Technology. 2011. "Managing Information Security Risk: Organization, Mission, and Information System View (SP 800-39)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Managing Information Security Risk: Organization, Mission, and Information System View|url=https://csrc.nist.gov/pubs/sp/800/39/final|publisher=National Institute of Standards and Technology|date=2011-03-01|issue=NIST Special Publication (SP) 800-39|language=en|first=Joint Task Force Transformation|last=Initiative}}</ref>
* National Institute of Standards and Technology. 2022. "Secure Software Development Framework (SSDF): Recommendations for Mitigating Software Vulnerabilities (SP 800-218)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities|url=https://csrc.nist.gov/pubs/sp/800/218/final|publisher=National Institute of Standards and Technology|date=2022-02-03|issue=NIST Special Publication (SP) 800-218|language=en|first=Murugiah|last=Souppaya|first2=Karen|last2=Scarfone|first3=Donna|last3=Dodson}}</ref>
* International Organization for Standardization / International Electrotechnical Commission. 2022. "ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements." Geneva: ISO/IEC.<ref>{{Cite web|title=ISO/IEC 27001:2022|url=https://www.iso.org/standard/27001|website=ISO|access-date=2025-11-30|language=en}}</ref>
* International Organization for Standardization / International Electrotechnical Commission. 2022. "ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls." Geneva: ISO/IEC.<ref>{{Cite web|title=ISO/IEC 27002:2022|url=https://www.iso.org/standard/75652.html|website=ISO|access-date=2025-11-30|language=en}}</ref>
* International Organization for Standardization. 2018. "ISO 31000:2018 — Risk management — Guidelines." Geneva: ISO.<ref>{{Cite web|title=ISO 31000:2018|url=https://www.iso.org/standard/65694.html|website=ISO|access-date=2025-11-30|language=en}}</ref>
* International Organization for Standardization / International Electrotechnical Commission. 2018. "ISO/IEC 19011:2018 — Guidelines for auditing management systems." Geneva: ISO/IEC.<ref>{{Cite web|title=ISO 19011:2018|url=https://www.iso.org/standard/70017.html|website=ISO|access-date=2025-11-30|language=en}}</ref>
* OWASP Foundation. 2021. "OWASP Top 10: The Ten Most Critical Web Application Security Risks (2021 Edition)." OWASP Foundation.<ref>{{Cite web|title=Introduction – OWASP Top 10:2025 RC1|url=https://owasp.org/Top10/A00_2021_Introduction/|website=owasp.org|access-date=2025-11-30}}</ref>
* OWASP Foundation. 2023. "OWASP API Security Top 10 (2023 Edition)." OWASP Foundation.<ref>{{Cite web|title=OWASP API Security Top 10|url=https://owasp.org/API-Security/editions/2023/en/0x00-header/|website=owasp.org|access-date=2025-11-30}}</ref>
* European Union Agency for Cybersecurity (ENISA). 2016. "Good Practices for Penetration Testing." ENISA.<ref>{{Cite web|title=NIS2 Technical Implementation Guidance {{!}} ENISA|url=https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance|website=www.enisa.europa.eu|date=2025-09-16|access-date=2025-11-30|language=en}}</ref>
<references responsive="1"></references>
[[Category:Wikipedia Student Program]]
An information technology security assessment is a planned evaluation that checks how well security controls work and where they may be weak in a system or organization.
Common practice groups the work into three methods: examination of documents and settings, interviews with people, and testing under defined conditions.
The results are used to judge control effectiveness, confirm and prioritize technical findings, and plan fixes with a later verification or retest.
In this article I treat assessment as different from a risk assessment, which expresses risk using likelihood and impact, and also different from an audit.