Information Security (INFOSEC) Assessment Methodology (IAM)

The Information Security (INFOSEC) Assessment Methodology (IAM) consists of a standard set of activities (see below) required to perform an INFOSEC Assurance Assessment. In other words, the methodology explains the depth and breadth of the assessment activities that must be performed to be acceptable within the IATRP. The IAM "sets the bar" for what needs to be done for an activity to be considered a complete INFOSEC Assurance Assessment. Providers who advertise an INFOSEC Assurance Assessment capability and consumers seeking assistance in performing INFOSEC Assurance Assessments should use the IAM as the baseline for their discussions. Because the IAM is a baseline, providers can expand upon it to further meet the needs of their customers. However, any "expansion" must not reduce or interfere with the original intent of any IAM activity. (Additional information and class schedules may be found on NSA’s supplemental website www.IATRP.com. NSA POC may be contacted at IATRP@IATRP.com.)

Standardized Baseline of INFOSEC Assurance Assessment Activities (Standard Set of Activities):

The IAM baseline activities include on-site information gathering of the IAM minimal information, known as the "Baseline INFOSEC Classes and Categories" (18 steps):

MANAGEMENT:
1. INFOSEC Documentation
2. INFOSEC Roles and Responsibilities
3. Contingency Planning
4. Configuration Management
TECHNICAL:
5. Identification and Authentication
6. Account Management
7. Session Controls
8. Auditing
9. Malicious Code Protection
10. Maintenance
11. System Assurance
12. Networking/Connectivity
13. Communications Security
OPERATIONAL:
14. Media Controls
15. Labeling
16. Physical Environment
17. Personnel Security
18. Education, Training, and Awareness

Authorized Vendors/Companies: