Need to perform an internal IT security audit against NIST 800-53 rev4?
In an effort to make it easy to assess how an organization is doing against industry best practices, specifically NIST 800-53 Rev 4, we developed an IT security audit template that guides an organization through a self-audit or self-assessment.
The NIST 800-53 Rev 4 Information Security Assessment Template can be used by any organization that wants to evaluate itself against best practices. The goal is to identify gaps that require remediation, and also to identify what is already working well so that those processes are maintained. In this template the security controls serve as the standard you assess against. Controls have a well-defined organization and structure: they are organized into classes and families to simplify control selection and specification, and each class has subordinate families of controls.
While they sometimes have overlapping coverage, as visualized below, the end product is a comprehensive Information Security program that will serve your company well.
View An Example IT Security Assessment Template
This template is really meant to help in the assessment of IT security readiness. This version is specific to NIST 800-53 rev4.
How do you think your company measures up?
PURPOSE The purpose of this audit is to review your company’s due care and due diligence documentation and procedures, in an effort to identify areas of technology management that do not meet industry-recognized best practices and develop a plan to correct those deficiencies. This template is based on the NIST 800-53 revision 4 control set.
SCOPE The scope of this audit is intended to cover all business-supported technologies at all geographic locations, including outsourcing arrangements.
AUDIT CONTROLS The template groups its control objectives into five (5) general classes, which are further broken down into twenty-six (26) families of security control objectives. The families are NIST's own: the eighteen security control families of SP 800-53 rev 4 Appendix F plus the eight privacy control families of Appendix J. The classes are how this template arranges those families for assessment.
Common control objectives address program-level topics that apply across the whole information security program.
These common control objectives establish the overall framework within which the management, operational and technical controls operate.
Management control objectives address techniques and concerns that are normally handled by management in your company's information security program.
In general, Management control objectives focus on the management of the information security program and the management of risk within your company.
Operational control objectives address techniques and concerns that are generally implemented and executed by people rather than by systems, and that are put in place to improve the security of a particular system or group of systems.
Operational control objectives often require technical or specialized expertise, and they frequently rely on management activities as well as technical controls.
Technical control objectives address processes and concerns that a computer system executes.
Technical control objectives depend on the proper functioning of the system for their effectiveness, so they carry significant operational considerations (the system must be configured, monitored and maintained for the control to keep working).
Privacy control objectives address the handling of Personally Identifiable Information (PII).
Privacy control objectives depend on the proper functioning of the other classes of controls for their effectiveness, so they too carry significant operational considerations.
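The structure described above (findings recorded per control, rolled up by family, with gaps to remediate and working processes to keep) can be mirrored in a small script. The following is an added example written for this page; it is not the template itself and not code from NIST. The Finding record, the four status values, the evidence field and the sample findings are assumptions made for this example; the family identifiers and names are those of SP 800-53 rev 4 Appendix F and Appendix J.

```python
"""Added example, not the template's own code: a gap report that mirrors the
template's class/family structure. Each finding maps to its NIST 800-53 rev4 family;
the report lists remediation gaps, what already works, and families nobody assessed.
The finding format and status vocabulary are assumptions made for this example."""
import re
from collections import defaultdict
from dataclasses import dataclass

# The 26 rev4 families: 18 security (Appendix F) + 8 privacy (Appendix J).
SECURITY_FAMILIES = {
    "AC": "Access Control", "AT": "Awareness and Training", "AU": "Audit and Accountability",
    "CA": "Security Assessment and Authorization", "CM": "Configuration Management",
    "CP": "Contingency Planning", "IA": "Identification and Authentication",
    "IR": "Incident Response", "MA": "Maintenance", "MP": "Media Protection",
    "PE": "Physical and Environmental Protection", "PL": "Planning", "PM": "Program Management",
    "PS": "Personnel Security", "RA": "Risk Assessment", "SA": "System and Services Acquisition",
    "SC": "System and Communications Protection", "SI": "System and Information Integrity",
}
PRIVACY_FAMILIES = {
    "AP": "Authority and Purpose", "AR": "Accountability, Audit, and Risk Management",
    "DI": "Data Quality and Integrity", "DM": "Data Minimization and Retention",
    "IP": "Individual Participation and Redress", "SE": "Security",
    "TR": "Transparency", "UL": "Use Limitation",
}
FAMILIES = {**SECURITY_FAMILIES, **PRIVACY_FAMILIES}

# "AC-2" is a base control; "AC-2(1)" is control enhancement 1 of AC-2.
CONTROL_ID = re.compile(r"^([A-Z]{2})-(\d+)(?:\((\d+)\))?$")
IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED, NOT_APPLICABLE = (
    "implemented", "partial", "not implemented", "not applicable")
STATUSES = {IMPLEMENTED, PARTIAL, NOT_IMPLEMENTED, NOT_APPLICABLE}


@dataclass(frozen=True)
class Finding:
    control: str        # NIST control identifier, e.g. "AC-2" or "AC-2(1)"
    status: str         # one of STATUSES (assumed vocabulary for this example)
    evidence: str = ""  # where the due-care / due-diligence documentation lives


def parse_control(control):
    """Return (family, control number, enhancement number); reject unknown IDs
    early so a typo cannot silently drop a control from the report."""
    m = CONTROL_ID.match(control)
    if not m or m.group(1) not in FAMILIES:
        raise ValueError(f"not a NIST 800-53 rev4 control identifier: {control!r}")
    return m.group(1), int(m.group(2)), int(m.group(3) or 0)


def gap_report(findings):
    """Per-family summary: coverage ratio, gaps to remediate, controls working well."""
    buckets = defaultdict(lambda: {"working": [], "gaps": [], "n/a": []})
    for f in findings:
        if f.status not in STATUSES:
            raise ValueError(f"unknown status {f.status!r} for {f.control}")
        fam = parse_control(f.control)[0]
        if f.status == IMPLEMENTED:
            buckets[fam]["working"].append(f.control)
        elif f.status == NOT_APPLICABLE:
            buckets[fam]["n/a"].append(f.control)
        else:  # partial and not implemented are both remediation gaps
            buckets[fam]["gaps"].append(f.control)
    report = {}
    for fam, b in buckets.items():
        assessed = len(b["working"]) + len(b["gaps"])  # N/A controls do not count
        report[fam] = {
            "name": FAMILIES[fam],
            "privacy": fam in PRIVACY_FAMILIES,
            "assessed": assessed,
            "coverage": len(b["working"]) / assessed if assessed else None,
            "working": sorted(b["working"], key=parse_control),
            "gaps": sorted(b["gaps"], key=parse_control),
        }
    return report


def unassessed_families(findings):
    """Families with no finding at all. The scope covers every business-supported
    technology, so a silent family means the self-assessment is incomplete."""
    seen = {parse_control(f.control)[0] for f in findings}
    return sorted(set(FAMILIES) - seen)


# Constructed sample findings, for illustration only.
SAMPLE_FINDINGS = [
    Finding("AC-2", IMPLEMENTED, "IAM joiner/mover/leaver runbook"),
    Finding("AC-2(1)", PARTIAL, "automated account management covers AD only"),
    Finding("AC-6", NOT_IMPLEMENTED),
    Finding("IR-4", IMPLEMENTED, "incident handling procedure"),
    Finding("MP-5", NOT_APPLICABLE, "no physical media is transported off site"),
    Finding("TR-1", PARTIAL, "privacy notice published but not reviewed annually"),
]

if __name__ == "__main__":
    for fam, r in sorted(gap_report(SAMPLE_FINDINGS).items()):
        cov = "n/a" if r["coverage"] is None else f"{r['coverage']:.0%}"
        print(f"{fam} {r['name']}: coverage {cov}, gaps {r['gaps']}")
    print("unassessed families:", unassessed_families(SAMPLE_FINDINGS))
```

Two checks in the script are the ones a practitioner will want: a family whose coverage is None was only ever marked not applicable, so its justification deserves a second look, and any family returned by unassessed_families means the self-assessment has not yet reached the scope stated above. Partial and not-implemented findings are deliberately counted together as gaps, because both need a remediation plan.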