Application of the NSA INFOSEC Assessment Methodology
NSA's INFOSEC Assessment Methodology (IAM) is a standardized baseline analysis for information security (INFOSEC) used to meet the assessment requirement levied by PDD 63. The IAM grew out of NSA's experience conducting information systems security inspections for its government customers over a span of fifteen years. The assessment is a systematic, comprehensive evaluation of a company's or agency's information system strengths and vulnerabilities, and the IAM includes detailed recommendations to eliminate or mitigate any security issues the assessment identifies. Because the market that PDD 63 created for IAM vulnerability assessments is very large, NSA does not have the resources to perform all of the requested assessments. NSA has responded by developing the two-part INFOSEC Assessment Training and Rating Program (IATRP). The first part of the IATRP is a course that trains INFOSEC professionals in the IAM; the second part is an appraisal against the INFOSEC Assessment Capability Maturity Model (IA-CMM), which NSA conducts for service providers who wish to be rated on their ability to conduct NSA IAM assessments (Digital Knowledge). This paper looks at the structure of the NSA INFOSEC Assessment Methodology and provides an example of the use of the IAM for a fictitious firm.
23 May 2003