Assurance is the Reason to Trust

We want to trust that the measures we take to protect our information systems are working. But we need concrete reasons to hold that trust. We need proof that our defensive controls are doing the job and are actually protecting the system. Those reasons and that proof are known as “Assurance”.

Trust tends to be more subjective than objective. In a complex information system, trust is derived from a series of consistent interactions and from the consistent output of many trusted components. Security capability is delivered by the functional effectiveness of our security controls. We need the means to continually monitor and measure that level of effectiveness in order to build the confidence that we can trust.

The initial purpose of security controls is to provide function and build capability. But many of them also supply the means to measure effectiveness. And some controls can be designed primarily to provide the evidence that creates assurance. The most recent revision (rev 4) of NIST SP 800-53 has added a matrix of “Assurance Controls” that have been selected for their ability to produce evidence that contributes to confidence of security capability.

The following is a list of areas that often provide some evidence of effective functioning of security controls:

  • Well defined security policies
  • Good development techniques
  • Security engineering principles
  • Configuration settings
  • System scanning and monitoring
  • Remediation reports
  • Security assessment reports
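As an added illustration (not code from the original post) of how configuration settings, scanning and remediation reports can be turned into evidence: the script below compares observed settings against a baseline, ties each setting to a control, and emits an evidence record that separates "pass" from "fail" and from "no evidence", so that a missing measurement is never mistaken for a working control. The setting names, control identifiers and observed values are constructed for the example and do not come from NIST SP 800-53.

```python
"""Added example, not part of the original post: turn configuration
settings into assurance evidence by checking them against a baseline.
All setting names, control ids and observed values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import json

# Constructed baseline: expected value plus the (hypothetical) control id
# the setting supports, so the evidence record names the control.
BASELINE: Dict[str, Tuple[str, str]] = {
    "ssh.PasswordAuthentication": ("no", "AC-EXAMPLE-1"),
    "ssh.PermitRootLogin": ("no", "AC-EXAMPLE-2"),
    "audit.enabled": ("yes", "AU-EXAMPLE-1"),
    "tls.min_version": ("1.2", "SC-EXAMPLE-1"),
}

# Constructed observed state, as a scanner or configuration agent might
# report it. tls.min_version is deliberately absent: no measurement means
# no evidence, which must not count as a pass.
OBSERVED: Dict[str, str] = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "yes",
    "audit.enabled": "yes",
}


@dataclass
class Finding:
    setting: str
    control: str
    expected: str
    observed: Optional[str]
    status: str  # "pass", "fail" or "no_evidence"


def assess(baseline: Dict[str, Tuple[str, str]],
           observed: Dict[str, str]) -> List[Finding]:
    """Compare every baseline setting with what was actually observed."""
    findings = []
    for setting, (expected, control) in sorted(baseline.items()):
        actual = observed.get(setting)
        if actual is None:
            status = "no_evidence"
        elif actual == expected:
            status = "pass"
        else:
            status = "fail"
        findings.append(Finding(setting, control, expected, actual, status))
    return findings


def evidence_report(findings: List[Finding]) -> dict:
    """Summarise findings into an assurance record plus a remediation list."""
    counts = {"pass": 0, "fail": 0, "no_evidence": 0}
    for f in findings:
        counts[f.status] += 1
    total = len(findings)
    # Only settings with positive evidence contribute to coverage.
    coverage = counts["pass"] / total if total else 0.0
    return {
        "controls_checked": total,
        "counts": counts,
        "evidence_coverage": round(coverage, 2),
        "remediation": [f.setting for f in findings if f.status != "pass"],
    }


if __name__ == "__main__":
    print(json.dumps(evidence_report(assess(BASELINE, OBSERVED)), indent=2))
```

The three-way status is the design point: a control whose state was never measured gives no assurance, so it is reported alongside outright failures in the remediation list rather than silently dropped.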
