In-House Risk Based Security Control Assessments (SCA) Process

This video is about implementing and managing technology security control assessments in large organizations primarily involved in federal and/or healthcare contracts, portions of which can be useful for organizations of any size that are faced with responsibility for their own risk or compliance regiments.

Dr. Jerry Craig reviews a new process in which Security Controls Assessments (SCA) are managed and operated by in-house assessor teams—which allow the federal government to reduce engagement periods and costs; perform continuous monitoring and risk-based system vulnerabilities analysis; develop deeper knowledge into control families and individual controls; gain greater visibility into systems, perform and most importantly result in the ability to stand in a defensible position in the event of a data breach.

The event occurred during the October 7th meeting of the Southwest CyberSec Forum at University of Advancing Technology in Tempe, AZ.

Table of Contents:

Introduction 0:11
Major Experience 1:28
Core Questions 3:00

What is an SCA? 4:23
What Do Restaurants & SCAs Have in Common? 5:42
What is Adaptive Capabilities Testing? 7:17
ACT Snapshot Analogy (Goal) 7:44
SCA/ACT Information Source Comparison 8:24
Failed Controls vs. Mapping Example 14:18

Alignment of Controls & Testing 17:49
Control Family Test Plans 18:32
Benefits of Aligned Test Plans 19:19
Funding Approaches 20:55
System of Record vs. Piecemeal 23:09
Conflict of Interest 24:50
Staffing for Success 25:42
Mowing the Lawn 31:05

DHS CDM Phases & Approach 32:46
Continuous Monitoring 33:51
Individual Control Family Deep Dives 36:38
Cost Savings 39:42
Bringing on Contractor Labor vs. In-House Labor (FTEs) 40:44
Lessons Learned 41:47

About Ventech Solutions 44:51
Our Core Strengths
Key HIDS Program Achievements
Full Security Suite