A security control assessment (SCA) is the formal evaluation of a security infrastructure's individual mechanisms against a baseline or reliability expectation. The SCA can be performed in addition to or independently of a full security evaluation, such as a penetration test or vulnerability assessment.
安全控制评估(SCA)是根据基线或可靠性预期对安全基础设施的各个机制进行的正式评估。安全控制评估可以在全面安全评估(如渗透测试或漏洞评估)之外进行,也可以独立于全面安全评估进行。
The goals of an SCA are to ensure the effectiveness of the security mechanisms, evaluate the quality and thoroughness of the risk management processes of the organization, and produce a report of the relative strengths and weaknesses of the deployed security infrastructure. The results of an SCA may confirm that a security mechanism has sustained its previous level of verified effectiveness or that action must be taken to address a deficient security control. In addition to verifying the reliability of security controls, an assessment should consider whether security controls affect privacy. Some controls may improve privacy protection whereas others may in fact cause a breach of privacy. The privacy aspect of a security control should be evaluated in light of regulations, contractual obligations, and the organization's privacy policy/promise.
SCA 的目标是确保安全机制的有效性,评估组织风险管理程序的质量和彻底性,并就已部署的安全基础设施的相对优缺点提出报告。SCA 的结果可能会确认某个安全机制保持了先前的验证有效性水平,或者必须采取行动解决安全控制方面的缺陷。有些控制措施可能会加强隐私保护,而有些控制措施则可能会导致隐私泄露。应根据法规、合同义务和组织的隐私政策/承诺来评估安全控制的隐私方面。
Generally, an SCA is a process implemented by federal agencies based on NIST SP 800-53Rev. 5, titled “Security and Privacy Controls for Information Systems and Organizations” ( csrc.nist.gov/publications/detail/sp/800-53/rev-5/final). However, though defined as a government process, the concept of evaluating the reliability and effectiveness of security controls should be adopted by every organization that is committed to sustaining a successful security endeavor.
一般而言,SCA 是联邦机构根据 NIST SP 800-53Rev. 5实施的一个流程。(标题为 "信息系统和组织的安全和隐私控制")(csrc.nist.gov/publications/detail/sp/800-53/rev-5/final)不过,尽管评估安全控制的可靠性和有效性被定义为一个政府程序,但每一个致力于维持成功安全努力的组织都应采用这一概念。
原文始发于微信公众号(网络安全等保测评):Security Control Assessment
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论