CCI-001582
CCI-001582 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed defines and documents forms of security assessment, other than in-depth monitoring, vulnerability scanning, malicious user testing, insider threat assessment, and performance/load testing, that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documentation of the other forms of security assessments to ensure that the organization being inspected/assessed defines forms of security assessment, other than in-depth monitoring, vulnerability scanning, malicious user testing, insider threat assessment, and performance/load testing, that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level.
Compelling Evidence
1.) Signed and dated Security Assessment Plan that defines forms of security assessment other than in-depth monitoring, vulnerability scanning, malicious user testing, insider threat assessment, and performance/load testing.
2.) Audit log documentation that supports other forms of security assessments.