Vice President, Operations
Implementing effective security controls for information systems is a vital and complex undertaking. All Federal agencies require cybersecurity control measures in one form or another – and assessing their effectiveness is a challenge.Due to the complex and quickly evolving nature of cybersecurity threats, it can be difficult to accurately estimate the effectiveness of new or existing security control systems. To evaluate the potential vulnerabilities in a security system, organizations often perform security assessments. To guide and document security assessments, organizations perform security assessments that involve generating a Security Assessment Report (SAR). These reports provide a summarization of assessment findings and corrective recommendations. To expedite the assessment process, templates can be leveraged to help compile findings as well as guide the assessment itself. In this article, we’ll explore the security assessment process, the elements of a typical SAR, and where you can find a time-saving SAR template to use for your Federal agency.
What is a Security Assessment Report (SAR)?A Security Assessment Report (SAR), is a document that presents the findings from security assessments and provides recommendations to address any vulnerabilities or deficiencies found. These security assessments (and the associated generation of SARs) typically occur both at the initial deployment of control systems as well as during periodic checkpoints throughout the life of the control system.
How do you prepare a Security Assessment Report (SAR)?The preparation of the SAR occurs as a result of the security assessment itself and therefore is dependent on conducting the security assessment. Completing a security assessment (and preparing a SAR) typically follows a 6-step process:
1. Select a SAR templateYour organization may already have a SAR template to use, but if not, finding a SAR template can drastically improve the efficiency of both generating the report and completing the assessment. You could find a template once the assessment was completed and you were ready to write the SAR, but understanding the content of a SAR often helps to guide the assessment process. It may also be more efficient to fill in the SAR template as the assessment progresses which helps to ensure relevant information is documented promptly.
2. Identify assets and current control systemsThe goal of this step is to answer what information systems are utilized by your organization and how you are currently protecting them. Gathering relevant system information will give you a baseline for your current security system.
3. Identify potential threats to these assetsNext, identify what potential threats apply to the assets in your organization. Typically, this threat identification is done in isolation from the current security controls your organization has in place.
4. Compare potential threats to the control systems in placeUsing the information gathered in steps 2 and 3, compare the potential threats to your assets against the security controls your system has in place. Any threats not fully mitigated by a current security system are potential vulnerabilities. You may also wish to rank the vulnerabilities based on probability and severity.
5. Determine control recommendationsAnalyze the vulnerabilities identified in step 4 to determine optimal control recommendations to mitigate these vulnerabilities. This step may require a deep dive into control options to determine the best course of action for controlling or eliminating vulnerabilities based on your organization’s systems and needs.
6. Compile findings in the SAR documentThe last step in the process is compiling the information gathered throughout the assessment into the SAR document. As mentioned in step 1, the SAR could also be compiled throughout the assessment process.
Everything that needs to be included in a SAR (with examples)The contents of a SAR will depend upon a variety of factors such as information system type and complexity, frequency of security assessments, and organization size. With this in mind, there are a few key sections that all SARs should likely contain in one form or another.
Assessment SummaryAs detailed as the SAR may be, the document is only useful if the relevant information is conveyed to the key stakeholders. The assessment summary provides a concise overview of the assessment findings without providing all of the supporting details. This provides a “snap-shot” of the assessment such that a person reading the summary would have a good understanding of the key information and outcomes without having to read the rest of the report. Assessment summaries can be organized in many different ways, but a key piece of information that should be included is a breakdown of the risks identified and their corresponding risk level/category. One effective method of showing this is with a simple breakdown table, which is demonstrated in the IPKeys SAR Template and shown below in Figure 1.
Figure 1: Risk Summary Table (IPKeys SAR Template)