CCI-001582

Defines other forms of control assessments other than in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment that should be included as part of the control assessments.

Implementation Guidance

The organization being inspected/assessed defines and documents other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented other forms of security assessments to ensure the organization being inspected/assessed defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing that should be included as part of security control assessments. DoD has determined the other forms of security assessments are not appropriate to define at the Enterprise level.

Compelling Evidence

1.) Signed and dated Security Assessment Plan that defines other forms of security assessments other than in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment and performance/load testing. 2.) Audit log documentation that supports other forms of security assessments.

The controls below (if any) were marked by NIST as being related to CCI-001582.