No, you didn’t find it!
You are “Other than satisfied (O)”
This is part of the new (and excellent if you forget the above approach) NIST Special Publication 800-53A, Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans (Initial Public Draft).
We read: “After the security assessment plan or privacy assessment plan is approved by the organization, the assessor(s) or assessment team executes the plan in accordance with the agreed-upon schedule.”
“Each determination statement contained within an assessment procedure executed by an assessor produces one of the following findings:
(i) satisfied (S); or
(ii) other than satisfied (O).
A finding of satisfied indicates that for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained (i.e., evidence collected) indicates that the assessment objective for the control has been met producing a fully acceptable result.
A finding of other than satisfied indicates that for the portion of the security or privacy control addressed by the determination statement, the assessment information obtained indicates potential anomalies in the operation or implementation of the control that may need to be addressed by the organization.
A finding of other than satisfied may also indicate that for reasons specified in the assessment report, the assessor was unable to obtain sufficient information to make the particular determination called for in the determination statement.”
I can’t imagine how we could use this approach in the Basel iii framework… We have “fit and proper (FP) employees” and “Other than fit and proper employees (O)”? (O) Like zero? Hero or zero? No, it is not working in Basel iii. It is not black or white.
Again, the rest is an excellent document.
“Security control assessments and privacy control assessments are not about checklists, simple pass-fail results, or generating paperwork to pass inspections or audits—rather, such assessments are the principal vehicle used to verify that implemented security controls and privacy controls are meeting their stated goals and objectives.”
Also: “Organizations should carefully consider the potential impacts of employing the assessment procedures defined in this Special Publication when assessing the security and privacy controls in operational systems.
Certain assessment procedures, particularly those procedures that directly impact the operation or function of the hardware, software, or firmware components of an information system, may inadvertently affect the routine processing, transmission, or storage of information supporting organizational missions or business functions.
For example, a critical information system component may be taken offline for assessment purposes or a component may suffer a fault or failure during the assessment process.
Organizations should also take the necessary precautions to ensure that organizational missions and business functions continue to be supported by information systems and that any potential impacts to operational effectiveness resulting from assessment activities are considered in advance.”
Read more at Number 4 below.
Welcome to the Top 10 list.