Security Assessments


1. CA.L2-3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.

1.1. Determine if:

1.2. (a) the frequency of security control assessments is defined

1.3. (b) security controls are assessed with the defined frequency to determine if the controls are effective in their application

2. CA.L2-3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

2.1. Determine if:

2.1.1. Driven by RA.L2-3.11.1, which promotes periodically assessing risk to organizational systems

2.2. (a) deficiencies and vulnerabilities to be addressed by the plan of action are identified

2.3. (b) a plan of action is developed to correct identified deficiencies and reduce or eliminate identified vulnerabilities

2.4. (c) the plan of action is implemented to correct identified deficiencies and reduce or eliminate identified vulnerabilities

3. CA.L2-3.12.3 Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

3.1. Determine if:

3.2. (a) security controls are monitored on an ongoing basis to ensure the continued effectiveness of those controls

4. CA.L2-3.12.4 Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

4.1. Determine if:

4.1.1. SC.L2-3.13.2: This practice promotes effective information security within organizational systems as required by SC.L2-3.13.2, as well as other system and communications protection practices

4.2. (a) a system security plan is developed

4.3. (b) the system boundary is described and documented in the system security plan

4.4. (c) the system environment of operation is described and documented in the system security plan

4.5. (d) the security requirements identified and approved by the designated authority as non-applicable are identified

4.6. (e) the method of security requirement implementation is described and documented in the system security plan

4.7. (f) the relationship with or connection to other systems is described and documented in the system security plan

4.8. (g) the frequency to update the system security plan is defined

4.9. (h) the system security plan is updated with the defined frequency