
Application of the NSA INFOSEC Assessment Methodology

Published: 23 May, 2003
Created by Kathryn Cross

NSA's INFOSEC Assessment Methodology (IAM) is a standardized baseline analysis for information security (INFOSEC) used to meet the assessment requirement levied by PDD 63. The IAM grew out of NSA's experience conducting information systems security inspections for its government customers over a span of fifteen years. The assessment is a systematic, comprehensive evaluation of a company's or agency's information system strengths and vulnerabilities. The IAM includes detailed recommendations to eliminate or mitigate any security issues identified by the assessment. Because the market that PDD 63 created for IAM vulnerability assessments is very large, NSA does not have the resources to perform all of the requested assessments. NSA has responded by developing the two-part INFOSEC Assessment Training and Rating Program (IATRP). The first part of the IATRP is a course designed to train INFOSEC professionals in the IAM; the second part is an appraisal of the INFOSEC Assessment Capability Maturity Model (IA-CMM), which NSA conducts for service providers who wish to be rated on their ability to conduct NSA IAM assessments (Digital Knowledge). This paper looks at the structure of the NSA INFOSEC Assessment Methodology and provides an example of the use of the IAM for a fictitious firm.