Assessments are a way to increase information technology (IT) security for the University of Tennessee. Assessments are done in cooperation with the system owners and help make the system owners aware of IT security issues that may exist with their assets. The assessment methodology is a six-step process.
1. Assessment Planning
- This includes initial research of university policies and procedures, applicable laws, and security best practices. The Information Security Office (ISO) then creates a scope document, which is signed by the system owner. The ISO next determines an assessment strategy (what will be assessed and how) and creates an assessment checklist.
2. Entrance Conference
- Management, system owner(s), system administrator(s), and the ISO assessment team should attend the entrance conference. The scope document will be covered at this meeting, as well as the assessment process, assessment roles, and the time frame for the assessment.
3. Fieldwork
- Fieldwork is done in a systematic manner according to the previously developed checklist. The ISO reports new issues in a timely and professional manner to the system owner/administrator, as defined in the scope document. The ISO also documents all security issues and includes them in the assessment report delivered at the end of the assessment.
4. Preparing the Report
- The Assessment Report should include an Executive Summary that describes the purpose and scope of the assessment, the findings and recommendations for their resolution, and a conclusion.
- A draft report should be reviewed and commented on by the system owner/administrator prior to the exit conference.
5. Exit Conference
- Management, system owner(s), system administrator(s), and the assessment team should attend the exit conference. The purpose of the conference is to review the report, assign tasks for remediation/mitigation, and establish a schedule for future assessments.
6. Report to Management
- The report to management will include a presentation of the executive summary and the status of mitigation/remediation efforts, followed by discussion and/or questions.