User:HanYao510/Information technology security assessment: Difference between revisions

=== References ===

* National Institute of Standards and Technology. 2008. "Technical Guide to Information Security Testing and Assessment (SP 800-115)." Gaithersburg, MD: NIST.<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/115/final|title=Technical Guide to Information Security Testing and Assessment|last=Scarfone|first=Karen|last2=Souppaya|first2=Murugiah|last3=Cody|first3=Amanda|last4=Orebaugh|first4=Angela|date=2008-09-30|publisher=National Institute of Standards and Technology|issue=NIST Special Publication (SP) 800-115|language=en}}</ref>

* National Institute of Standards and Technology. 2012. "Guide for Conducting Risk Assessments (SP 800-30 Rev. 1)." Gaithersburg, MD: NIST.<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/30/r1/final|title=Guide for Conducting Risk Assessments|last=Initiative|first=Joint Task Force Transformation|date=2012-09-17|publisher=National Institute of Standards and Technology|issue=NIST Special Publication (SP) 800-30 Rev. 1|language=en}}</ref>

* International Organization for Standardization. 2022. "ISO/IEC 27005:2022 — Information security risk management." Geneva: ISO/IEC.<ref>{{Cite web |title=ISO/IEC 27005:2022|url=https://www.iso.org/standard/80585.html|access-date=2025-10-27|website=ISO|language=en}}</ref>

* OWASP Foundation. 2023. "OWASP Web Security Testing Guide (WSTG)."<ref>{{Cite web |title=OWASP Web Security Testing Guide {{!}} OWASP Foundation|url=https://owasp.org/www-project-web-security-testing-guide/|access-date=2025-10-27|website=owasp.org|language=en}}</ref>

* OWASP Foundation. 2024/2025. "OWASP Application Security Verification Standard (ASVS) 5.0."<ref>{{Cite web |title=OWASP Application Security Verification Standard (ASVS) {{!}} OWASP Foundation|url=https://owasp.org/www-project-application-security-verification-standard/|access-date=2025-10-27|website=owasp.org|language=en}}</ref>

* Center for Internet Security. 2021. "CIS Critical Security Controls v8." East Greenbush, NY: CIS.<ref>{{Cite web |title=CIS Controls Version 8|url=https://www.cisecurity.org/controls/v8/|access-date=2025-10-27|website=CIS|language=en}}</ref>

* The Open Group. 2020–2024. "Open FAIR™ Body of Knowledge (O-RA / O-RT)." San Francisco, CA: The Open Group.<ref>{{Cite web |title=The Open FAIR™ Body of Knowledge {{!}} www.opengroup.org|url=https://www.opengroup.org/open-fair|access-date=2025-10-27|website=www.opengroup.org|language=en}}</ref>

* National Institute of Standards and Technology. 2018. "Risk Management Framework for Information Systems and Organizations (SP 800-37 Rev. 2)." Gaithersburg, MD: NIST.<ref>{{Cite report |url=https://csrc.nist.gov/pubs/sp/800/37/r2/final|title=Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy|last=Force|first=Joint Task|date=2018-12-20|publisher=National Institute of Standards and Technology|issue=NIST Special Publication (SP) 800-37 Rev. 2|language=en}}</ref>

* National Institute of Standards and Technology. 2020. "Security and Privacy Controls for Information Systems and Organizations (SP 800-53 Rev. 5)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Security and Privacy Controls for Information Systems and Organizations|url=https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final|publisher=National Institute of Standards and Technology|date=2020-12-10|issue=NIST Special Publication (SP) 800-53 Rev. 5|language=en|first=Joint Task|last=Force}}</ref>

* National Institute of Standards and Technology. 2022. "Assessing Security and Privacy Controls in Information Systems and Organizations: Building Effective Assessment Plans (SP 800-53A Rev. 5)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Assessing Security and Privacy Controls in Information Systems and Organizations|url=https://csrc.nist.gov/pubs/sp/800/53/a/r5/final|publisher=National Institute of Standards and Technology|date=2022-01-25|issue=NIST Special Publication (SP) 800-53A Rev. 5|language=en|first=Joint Task|last=Force}}</ref>

* National Institute of Standards and Technology. 2011. "Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP 800-137)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations|url=https://csrc.nist.gov/pubs/sp/800/137/final|publisher=National Institute of Standards and Technology|date=2011-09-30|issue=NIST Special Publication (SP) 800-137|language=en|first=Kelley|last=Dempsey|first2=Nirali|last2=Chawla|first3=L.|last3=Johnson|first4=Ronald|last4=Johnston|first5=Alicia|last5=Jones|first6=Angela|last6=Orebaugh|first7=Matthew|last7=Scholl|first8=Kevin|last8=Stine}}</ref>

* National Institute of Standards and Technology. 2011. "Managing Information Security Risk: Organization, Mission, and Information System View (SP 800-39)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Managing Information Security Risk: Organization, Mission, and Information System View|url=https://csrc.nist.gov/pubs/sp/800/39/final|publisher=National Institute of Standards and Technology|date=2011-03-01|issue=NIST Special Publication (SP) 800-39|language=en|first=Joint Task Force Transformation|last=Initiative}}</ref>

* National Institute of Standards and Technology. 2022. "Secure Software Development Framework (SSDF): Recommendations for Mitigating Software Vulnerabilities (SP 800-218)." Gaithersburg, MD: NIST.<ref>{{Cite report|title=Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities|url=https://csrc.nist.gov/pubs/sp/800/218/final|publisher=National Institute of Standards and Technology|date=2022-02-03|issue=NIST Special Publication (SP) 800-218|language=en|first=Murugiah|last=Souppaya|first2=Karen|last2=Scarfone|first3=Donna|last3=Dodson}}</ref>

* International Organization for Standardization / International Electrotechnical Commission. 2022. "ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements." Geneva: ISO/IEC.<ref>{{Cite web|title=ISO/IEC 27001:2022|url=https://www.iso.org/standard/27001|website=ISO|access-date=2025-11-30|language=en}}</ref>

* International Organization for Standardization / International Electrotechnical Commission. 2022. "ISO/IEC 27002:2022 — Information security, cybersecurity and privacy protection — Information security controls." Geneva: ISO/IEC.<ref>{{Cite web|title=ISO/IEC 27002:2022|url=https://www.iso.org/standard/75652.html|website=ISO|access-date=2025-11-30|language=en}}</ref>

* International Organization for Standardization. 2018. "ISO 31000:2018 — Risk management — Guidelines." Geneva: ISO.<ref>{{Cite web|title=ISO 31000:2018|url=https://www.iso.org/standard/65694.html|website=ISO|access-date=2025-11-30|language=en}}</ref>

* International Organization for Standardization / International Electrotechnical Commission. 2018. "ISO/IEC 19011:2018 — Guidelines for auditing management systems." Geneva: ISO/IEC.<ref>{{Cite web|title=ISO 19011:2018|url=https://www.iso.org/standard/70017.html|website=ISO|access-date=2025-11-30|language=en}}</ref>

* OWASP Foundation. 2021. "OWASP Top 10: The Ten Most Critical Web Application Security Risks (2021 Edition)." OWASP Foundation.<ref>{{Cite web|title=Introduction – OWASP Top 10:2025 RC1|url=https://owasp.org/Top10/A00_2021_Introduction/|website=owasp.org|access-date=2025-11-30}}</ref>

* OWASP Foundation. 2023. "OWASP API Security Top 10 (2023 Edition)." OWASP Foundation.<ref>{{Cite web|title=OWASP API Security Top 10|url=https://owasp.org/API-Security/editions/2023/en/0x00-header/|website=owasp.org|access-date=2025-11-30}}</ref>

* European Union Agency for Cybersecurity (ENISA). 2016. "Good Practices for Penetration Testing." ENISA.<ref>{{Cite web|title=NIS2 Technical Implementation Guidance {{!}} ENISA|url=https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance|website=www.enisa.europa.eu|date=2025-09-16|access-date=2025-11-30|language=en}}</ref>

<references responsive="1"></references>

[[Category:Wikipedia Student Program]]

An information technology security assessment is a planned evaluation that checks how well security controls work and where they may be weak in a system or organization.

Common practice groups the work into three methods: examination of documents and settings, interviews with people, and testing under defined conditions.

The results are used to judge control effectiveness, confirm and prioritize technical findings, and plan fixes with a later verification or retest.

This article treats a security assessment as distinct from a risk assessment, which expresses risk in terms of likelihood and impact, and as distinct from an audit.

