Page 1076 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
Under NIST 800-53A, assessments include four components.

Specifications are the documents associated with the system being audited. Specifications generally include policies, procedures, requirements, specifications, and designs.

Mechanisms are the controls used within an information system to meet the specifications. Mechanisms may be based in hardware, software, or firmware.

Activities are the actions carried out by people within an information system. These may include performing backups, exporting log files, or reviewing account histories.

Individuals are the people who implement specifications, mechanisms, and activities.

When conducting an assessment, assessors may examine any of the four components listed here. They may also interview individuals and perform direct tests to determine the effectiveness of controls.
Security Audits
Security audits use many of the same techniques followed during security assessments but must be performed by independent auditors. While an organization's security staff may routinely perform security tests and assessments, this is not the case for audits. Assessment and testing results are meant for internal use only and are designed to evaluate controls with an eye toward finding potential improvements. Audits, on the other hand, are evaluations performed with the purpose of demonstrating the effectiveness of controls to a third party. The staff who design, implement, and monitor controls for an organization have an inherent conflict of interest when evaluating the effectiveness of those controls.

Auditors provide an impartial, unbiased view of the state of security controls. They write reports that are quite similar to security

